This is a web application attack in which the payloads are permuted to penetrate the application server.

Before sending the payloads, the prerequisite is obtaining a possible map or structure of the application. The sitemap can be produced by either active or passive spidering. Several tools are available for crawling or spidering a web application, and most of them are open source. Spidering is also an embedded feature of several application scanning tools (Burp Intruder, Nessus scanner, IBM AppScan and Acunetix). Burp Intruder is a handy tool for customizing the payloads and automating the attacks.

Advanced Google search options are an added advantage for discovering additional resources and information. The application's naming convention plays a major role in deciphering the application or penetrating its functionality. Attackers rely heavily on these content-discovery exercises to trace possible loopholes. The results can then be analyzed to discover the content and functionality of the pages or the application.

The cluster bombing attack uses customized, recursive, automated payloads to attack a web application.

Mitigation: In particular, from a security perspective, understand the key mechanisms that handle authentication, session management, and access control, and the functions that support them, such as user registration, account recovery, and pre/post authentication methods. "Examine any customized data transmission or encoding mechanisms used by the application, such as a non-standard query string format. Understand whether the data being submitted encapsulates parameter names and values, or whether an alternative means of representation is being used. Identify each of the different technologies used on the client side, such as forms, scripts, cookies, Java applets, ActiveX controls, and Flash objects" (Stuttard & Pinto, 2013, p. 673).
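A defender's view of the permutation behaviour described above, as an added example that is not part of the original article: a cluster bomb run sends every combination of its payload sets, so one client's requests fill the whole grid of parameter values. The log format, the thresholds, the `/lookup` endpoint and the `find_permutation_clients` name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from math import prod
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (assumed format: client IP, quoted request line, status).
# 203.0.113.7 requests every type x ref combination; 198.51.100.4 does not.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 "GET /lookup?type={t}&ref={r} HTTP/1.1" 200'
     for t in ("a", "b", "c") for r in ("1", "2", "3")]
    + ['198.51.100.4 "GET /lookup?type=a&ref=1 HTTP/1.1" 200',
       '198.51.100.4 "GET /lookup?type=b&ref=2 HTTP/1.1" 200',
       '198.51.100.4 "GET /lookup?type=c&ref=3 HTTP/1.1" 200'])

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')

def find_permutation_clients(log_text, min_values=3, min_coverage=0.9):
    """Return {(ip, path): coverage} for clients whose requests cover almost
    the full Cartesian product of the parameter values they used."""
    combos = defaultdict(set)  # (ip, path, param names) -> value tuples seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, target, _status = m.groups()
        url = urlsplit(target)
        params = sorted(parse_qsl(url.query, keep_blank_values=True))
        if len(params) < 2:
            continue  # a permutation needs at least two positions
        names = tuple(n for n, _ in params)
        combos[(ip, url.path, names)].add(tuple(v for _, v in params))
    flagged = {}
    for (ip, path, names), seen in combos.items():
        # Number of distinct values observed at each parameter position.
        distinct = [len({c[i] for c in seen}) for i in range(len(names))]
        if sum(d >= min_values for d in distinct) < 2:
            continue  # fewer than two parameters are being varied
        coverage = len(seen) / prod(distinct)  # share of the grid requested
        if coverage >= min_coverage:
            flagged[(ip, path)] = round(coverage, 2)
    return flagged

if __name__ == "__main__":
    print(find_permutation_clients(SAMPLE_LOG))
```

The second client uses the same three values per parameter but only pairs them one-to-one, so its coverage is a third of the grid and it is not flagged.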

This article is for educational purposes; no payloads are shared in this article. Feedback will be appreciated.


Stuttard, D., & Pinto, M. (2013). Chapter 20: A Web Application Pentester's Methodology. In The web application hacker's handbook: Finding and exploiting security flaws (p. 673). Retrieved from
