Naming conventions: an attacker may be able to identify the
composition scheme used by the web site to name directories or
files. Example: Admin vs. admin, backup vs. back-up, etc.
Enumerate User Accounts: personal user accounts on a web
server often have home directories named after their user
account.
Configuration file contents: these files may contain access
control data and have extensions such as .conf, .cfg or
.config.
Script Contents: most web servers allow for executing scripts
by either specifying a script location (e.g. /cgi-bin) or by
configuring the server to try and execute files based on file
permissions (e.g. the execute bit on *nix systems and the use of
the Apache XBitHack directive). Due to these options, if
directory indexing of cgi-bin contents is allowed, it is
possible to download/review the script code if the permissions
are incorrect.
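
As an added example (not part of the original text), one way to check whether directory indexing ends up enabled for a script directory such as cgi-bin is to compute the effective Apache Options for each <Directory> block. The sample config, paths and function names are constructed for illustration; the code assumes Apache 2.4 behaviour (default of Options FollowSymLinks, signed options merge, an unsigned list replaces), literal <Directory> paths only, and no .htaccess overrides.

```python
import re
# Constructed sample (not from the page). The cgi-bin block uses a signed
# option, so it merges with its parent and silently inherits Indexes.
SAMPLE_CONF = '''
<Directory "/var/www">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
</Directory>
<Directory "/var/www/html/private">
    Options FollowSymLinks
</Directory>
'''
ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTS = re.compile(r"^\s*Options\s+(.+)$", re.M | re.I)

def parse_blocks(conf):
    """Map each literal <Directory> path to its Options argument lists."""
    blocks = {}
    for path, body in BLOCK.findall(conf):
        key = path.strip().rstrip("/") or "/"
        blocks.setdefault(key, []).extend(m.split() for m in OPTS.findall(body))
    return blocks

def apply_options(current, args):
    """Signed (+/-) options merge with the inherited set; unsigned ones replace it."""
    result = set(current) if all(a[0] in "+-" for a in args) else set()
    for a in args:
        name = a.lstrip("+-").lower()
        names = ALL if name == "all" else set() if name == "none" else {name}
        result = result - names if a[0] == "-" else result | names
    return result

def effective_options(conf, default=("followsymlinks",)):
    """Effective Options per block; ancestor blocks apply shortest path first."""
    blocks, result = parse_blocks(conf), {}
    for path in blocks:
        opts = set(default)  # assumed server default (Apache 2.4)
        for anc in sorted(blocks, key=len):
            if (path + "/").startswith(anc.rstrip("/") + "/"):
                for args in blocks[anc]:
                    opts = apply_options(opts, args)
        result[path] = opts
    return result

def indexed_dirs(conf):
    """Directories whose effective Options include Indexes (listing enabled)."""
    return sorted(p for p, o in effective_options(conf).items() if "indexes" in o)
```

Calling indexed_dirs(SAMPLE_CONF) reports cgi-bin as listable even though its block never mentions Indexes; changing that block to "Options -Indexes +ExecCGI" removes it from the result.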
There are three different scenarios where an attacker may be able to
retrieve an unintended directory listing/index:
1) The web server is mistakenly configured to allow/provide a
directory index. Confusion may arise over the net effect when a
web administrator is configuring the indexing directives in the
configuration file. It is possible to have an undesired result
when implementing complex settings, such as wanting to allow
directory indexing for a specific sub-directory, while disallowing
it on the rest of the server. From the attacker's perspective, the
HTTP request is identical to the previous one above. They
request a directory and see if they receive the desired content.
They are not concerned with "why" the web server was
configured in this manner.
2) Some components of the web server allow a directory index
even if it is disabled within the configuration file or if an index
page is present. This is the only valid "exploit" example
Copyright 2004, Web Application Security Consortium. All rights reserved.