Application Path Disclosure
Overview

Application Path Disclosure occurs when internal application paths (file system locations of scripts, configuration files, or libraries) are disclosed to the user-agent (browser), typically through error messages or source comments. These paths can be used in other attacks such as forced browsing.

Discovery Methodology

Attempt to trigger errors by injecting every input parameter with characters that are reserved in various contexts. Also search the web page sources (view source) for internal application paths.

Exploitation

Compare responses to requests with and without the injected input. Use the grep feature of Burp-Suite to search for application path patterns that match the web application framework type.
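The with/without-injection comparison and the per-framework path grep described above, as an added Python example that is not part of the original page: framework path prefixes (/var/www, C:\inetpub, /opt/tomcat, /srv) are assumed common defaults, and the two response bodies are constructed samples, useful when sweeping your own application's responses for leaked paths.

```python
import re
from typing import Dict, List

# Path patterns by framework. The prefixes (/var/www, C:\inetpub, /opt/tomcat,
# ...) are common deployment defaults and are assumptions, not an exhaustive list.
PATH_PATTERNS: Dict[str, re.Pattern] = {
    "php": re.compile(r"(?:/var/www|/home/[\w.-]+|/srv)/[\w./-]+\.php"),
    "aspnet": re.compile(r"[A-Za-z]:\\(?:inetpub|Users)\\[\w\\.-]+\.(?:aspx?|cs|config)", re.I),
    "java": re.compile(r"/(?:opt|usr/local|var/lib)/[\w./-]*(?:tomcat|jetty|jboss|wildfly)[\w./-]*"),
    # Python tracebacks quote the file path; group 1 keeps just the path.
    "python": re.compile(r'File "(/[\w./-]+\.py)", line \d+'),
}


def find_path_disclosures(body: str) -> Dict[str, List[str]]:
    """Return {framework: [unique leaked paths]} found in one response body."""
    hits: Dict[str, List[str]] = {}
    for framework, pattern in PATH_PATTERNS.items():
        paths: List[str] = []
        for m in pattern.finditer(body):
            path = m.group(m.lastindex or 0)  # capture group if the pattern has one
            if path not in paths:
                paths.append(path)
        if paths:
            hits[framework] = paths
    return hits


def new_disclosures(baseline: str, injected: str) -> Dict[str, List[str]]:
    """Paths present only in the injected response: error-triggered leaks."""
    base = find_path_disclosures(baseline)
    diff: Dict[str, List[str]] = {}
    for framework, paths in find_path_disclosures(injected).items():
        new = [p for p in paths if p not in base.get(framework, [])]
        if new:
            diff[framework] = new
    return diff


# Constructed sample responses (not captured from any real site): a clean page,
# and the same page after a reserved character was injected into a parameter.
BASELINE = "<html><body><h1>Search results</h1><p>No items found.</p></body></html>"
INJECTED = (
    "<html><body><b>Warning</b>: mysqli_query(): syntax error in "
    "<b>/var/www/html/shop/includes/db.php</b> on line <b>42</b>\n"
    '  File "/srv/app/views.py", line 88, in search\n'
    "<!-- TODO remove debug: C:\\inetpub\\wwwroot\\legacy\\Search.aspx -->"
    "</body></html>"
)

if __name__ == "__main__":
    print(new_disclosures(BASELINE, INJECTED))
```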

Videos

Introduction to Fuzzing Web Applications with Burp-Suite Intruder Tool
Finding Comments and File Metadata using Multiple Techniques
How to Sweep a Web Site for HTML Comments
How to Install dirb on Linux
How to Use dirb to Locate Hidden Directories on a Web Site
How to Install OWASP DirBuster on Linux
How to Use OWASP DirBuster to Discover Hidden Directories on Web Sites