URL Bruteforce Discovery

Save as .bak ??? Ouch!

Save as .bak ??? Ouch!

Have you ever saved .php into .php.bak?

http://www.somewebsite.com/login.php.bak ?

Yep, no kidding. Did you ever do that? I did. By reversing the thoughts of a web developer, we can guess a lot of logic and pattern out of his own creation. For the case above, the page might leak its naming pattern, or the salt to its password or even a cleartext database connection string. By bruteforcing different naming conventions you can find a lot of unexpected resources, which you can be sure is not for strangers and us.

But since the resources expose themselves naked…

So, here is a list of extensions you can try ( any more? Some of them are from w3af. ) :

== Web Pages ==
.htm .html .shtml .php .aspx .asp .jsp .py .txt .out .pl

== Source Code ==
.js .phps .java .c .cpp .cs .fla .vb .inc .old .old1 .bak .bak1 .backup .backup1

== Source Code Append ==
.v1 .v2 ,v1 ,v2

== Data File ==
.xml .properties

== Archives ==
.tar .zip .rar .gzip .bzip2 .gz .tgz .tar.gz .jar .arj

== Binaries ==
.swf .class .exe

To notice is that, one of them Source Code Append, such as login.php,v1 . It is one convention used.

There is also another kind of URL discovery, but more elegant and harder to automate – by guessing the naming convention of pages. Suppose it is 2nd of September now, you can also exploit logic errors such as date mechanism URL such as this :


Maybe we can have a look into the future, stocks? =) Not bad. There are a lot of such guesses you can try and unexpected rewards awaits. As the case here shows, such unexpected access to certain areas of the website can prove disastrous.

References :
w3af – http://w3af.sourceforge.net/


3 Responses to “URL Bruteforce Discovery”

  1. 1 Bd boy September 1, 2009 at 6:58 am

    Hey , nice post . I didnt thought off that way … But i would like to ask you that did u had any success till now in brute forcing secret files ?…

  2. 2 log0 September 1, 2009 at 10:15 am

    Hi Bd boy,

    Thanks for reading. This blog is past and I now write at http://onhacks.org , webappsec is kind of a little drifted interest.

    Answering your question, yes there were, in fact you get a lot of results by automating. You can find this implemented in tools like W3AF. =)

  3. 3 eja insurance October 31, 2010 at 5:07 pm

    Could be the GREATEST post I read this week?

    krantz insurance

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: