Showing posts with label Directory Listing. Show all posts

Thursday, November 1, 2018

dirb, directory guessing on websites

dirb is a web content scanner that ships with Kali Linux. Given a base URL and a wordlist, it requests each candidate path and reports the ones the server answers for, so you can discover directories a (malicious) website never links to. The names it turns up also hint at what the server is running (Linux or Windows, IIS or Apache, CGI, .NET, etc.).

dirb http://badurl.com


With no wordlist argument dirb uses its default list (common.txt under /usr/share/dirb/wordlists/ on Kali). Results for a default-list scan look like this:

---- Scanning URL: http://badurl.com/ ----
==> DIRECTORY: http://badurl.com/aspnet_client/

---- Entering directory: http://badurl.com/aspnet_client/ ----
==> DIRECTORY: http://badurl.com/aspnet_client/system_web/

---- Entering directory: http://badurl.com/aspnet_client/system_web/ ----

Note that dirb recurses into each directory it finds. Here the aspnet_client directory (created when ASP.NET is registered on IIS) is a strong hint that the host is a Windows/IIS box running .NET.

To search with your own list of folder names instead of the default, pass the file as the second argument:


dirb http://badurl.com customlist.txt

Monday, August 29, 2016

Wordpress Test Environment Requests

Why would somebody make a request to this path?

GET /test/wp-admin/

It appears this is a common, perhaps even the default, location to install a "test" environment for a WordPress blog. The problem is that a Google search for test wp-admin pages returns plenty of them, indexed and reachable from the internet.



I would never advise having your test environment accessible from the internet; make it reachable only locally. Test environments are never as locked down and monitored as production, so an exposed one is asking for trouble. And if your test blog lives on the same server as production, you have just created a backdoor to production: an attacker who gets into the test environment is on your production server.

Another, perhaps even bigger, problem is that when I do the Google search, most of these folders return a directory listing and expose potentially sensitive files. Uh-oh. Lock down your test environments, or remove them if you don't need them, because the bad guys are looking for them!
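To tie the two posts together, here is an added example (not the blog's own code and not dirb's source) that does in miniature what dirb does, recursive wordlist-based directory guessing, and additionally flags each directory it finds where directory listing is enabled, the exposure described in the WordPress post. Everything about the target is constructed for the demo: an in-process mock site with the aspnet_client tree from the dirb post and a /test/ WordPress copy with listing turned on, a six-word wordlist, and the heuristic that Apache mod_autoindex and nginx both title their listing pages "Index of /...". The names probe(), scan() and run_demo() are chosen here, not taken from any tool.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed mock site (assumption, not a real host): an IIS/.NET
# aspnet_client tree plus a WordPress "test" copy with autoindex enabled.
MOCK_SITE = {
    "/": (200, "<html>home</html>"),
    "/aspnet_client/": (200, "<html>aspnet_client</html>"),
    "/aspnet_client/system_web/": (200, "<html>system_web</html>"),
    "/test/": (200, "<html><title>Index of /test</title>"
                    "<a href='wp-config.php.bak'>wp-config.php.bak</a></html>"),
    "/test/wp-admin/": (200, "<html>WordPress login</html>"),
    "/admin/": (403, "Forbidden"),
}

# Tiny constructed wordlist; dirb's real default is common.txt.
WORDLIST = ["admin", "aspnet_client", "backup", "system_web", "test", "wp-admin"]


class MockHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = MOCK_SITE.get(self.path, (404, "Not Found"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # silence per-request logging


def start_mock_server():
    """Bind the mock site to an ephemeral localhost port; return (server, base_url)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


# Empty ProxyHandler so requests to 127.0.0.1 never go through HTTP_PROXY.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, timeout=5):
    """GET url and return (status, body); non-2xx responses are results, not errors."""
    try:
        with _opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def looks_like_listing(body):
    """Heuristic: Apache mod_autoindex and nginx title listing pages 'Index of /...'."""
    return "Index of /" in body


def scan(base_url, wordlist, max_depth=3):
    """dirb-style guess: try every word as a subdirectory of each prefix, keep
    anything that is not a 404, descend into every 200 directory.
    Returns {url: {"status": int, "listing": bool}}."""
    found = {}

    def walk(prefix, depth):
        if depth > max_depth:
            return
        for word in wordlist:
            url = urljoin(prefix, word + "/")
            status, body = probe(url)
            if status == 404:
                continue
            found[url] = {
                "status": status,
                # A 200 directory whose body is an index page has listing on.
                "listing": status == 200 and looks_like_listing(body),
            }
            if status == 200:
                walk(url, depth + 1)

    walk(base_url.rstrip("/") + "/", 1)
    return found


def run_demo():
    """Scan the mock site and return results keyed by path (base URL stripped)."""
    server, base = start_mock_server()
    try:
        return {url[len(base):]: info for url, info in scan(base, WORDLIST).items()}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, info in sorted(run_demo().items()):
        flag = "  <-- directory listing enabled" if info["listing"] else ""
        print("%d %s%s" % (info["status"], path, flag))
```

Against the mock site the scan reports /admin/ (403, worth noting but not descended into), /aspnet_client/ and /aspnet_client/system_web/, and /test/ with /test/wp-admin/ beneath it, with /test/ flagged for directory listing. To run it against a host you are authorised to test, drop the mock server, call scan() with the real base URL and a proper wordlist, and expect the "Index of" check to miss listings from servers that use a different template.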


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.