Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013, A5 Security Misconfiguration, demo: Directory Browsing.
This is the demo for Security Misconfiguration, Directory Browsing.
So we're using Mutillidae here, and basically it lets us know that the web server is not configured very securely, and so we might be able to browse very interesting pages or URLs on this particular web server. So just to show you how you get here: you're going to choose, from the OWASP directory, Security Misconfiguration, Directory Browsing.
Now I'd like to show you, in Burp Suite, how to spider this particular website. And then from there we can determine whether we can go ahead and view directories that should not be viewable to us.
So I'm going to turn the interceptor off and go to my target. Now you need to go ahead and add the location where you're running, in this case, Mutillidae or your vulnerable application. And I'm running it on port 80.
In order for something to appear here on the site map, you have to have visited a page. Since I had actually gone to that page, I'm now able to see that. But if you have nothing here, click something in the menu and go to that page, and then it'll actually bring up an item for your site map.
Now, to spider the host, you just right-click and choose "Spider this host", and you'll see the Spider tab light up. Basically it's going to send a bunch of requests and go through and figure out all the links that are available. It'll actually go all the way back to the web server, so it won't just be your application; it will actually be everything under the web server as well. Spidering takes quite a while to run, so I'm going to pause the video and come back to this.
Okay, the spider is still running. It's sent a lot of requests, but it's still doing some work here. If we go back to the Target tab, you can see that there are links that even extend beyond localhost. So if you want to get rid of those and really clean up to just the target that you're interested in, you can do that by right-clicking this area here, checking the box that says "Show only in-scope items", and then clicking out of it, and it'll start cleaning this up.
So after it cleans up a bit, you can start to see the various folders available. And here's our Mutillidae. This is our
but we can also see some other interesting things here. There's a folder, phpMyAdmin. That looks pretty interesting. There's also a security folder here. And so once you have spidered the website, it makes it really easy to start doing directory browsing.
All we need to do then is just try to view this directory. It's right off of the web server, so let's just see what we get. And it looks like we get the admin page for XAMPP.
So this is pretty interesting here, and it shows how easy it is to traverse an entire
and then to determine which directories and files are viewable through the browser.
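As an added example (not part of the course video or of Mutillidae or Burp Suite), here is a small Python check for the misconfiguration demonstrated above: it recognises auto-generated directory listings in a response body, and verifies the fix locally using Python's own http.server standing in for the web server. The listing signatures are assumptions based on common server defaults, and the served files are constructed for the demo.

```python
"""Detect directory listing (OWASP 2013 A5 Security Misconfiguration).
Added example; the signatures below are assumed typical server defaults."""
import functools
import http.server
import re
import socketserver
import tempfile
import threading
import urllib.request
from pathlib import Path

# Assumed signatures of auto-generated listings (Apache, nginx, IIS, Python http.server).
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<title>Directory listing for /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
    re.compile(r'<a href="\.\./">Parent Directory</a>', re.I),
]


def looks_like_directory_listing(body: str) -> bool:
    """Return True if the HTML body resembles an auto-generated directory index."""
    return any(p.search(body) for p in LISTING_PATTERNS)


def check_url(url: str) -> bool:
    """Fetch url and report whether the server exposes a directory listing there."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return looks_like_directory_listing(resp.read().decode("utf-8", "replace"))


def demo() -> tuple:
    """Serve a constructed temp directory with http.server (which lists a directory
    when it has no index.html), then add index.html and re-check the same URL."""
    root = Path(tempfile.mkdtemp())
    (root / "secret.txt").write_text("constructed sample file\n")
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(root))
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{srv.server_address[1]}/"
        exposed = check_url(url)  # no index page: listing is shown
        (root / "index.html").write_text("<html><body>ok</body></html>")
        fixed = check_url(url)    # index page now served: no listing
        srv.shutdown()
    return exposed, fixed


if __name__ == "__main__":
    print("listing exposed, then fixed:", demo())
```

On Apache, the equivalent server-side fix is `Options -Indexes` for the affected directory; the check above then reports no listing for it.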