DEV Community

Akuson Daniel
Discover hidden directories and files in a web application.

Directory enumeration is a technique used during reconnaissance to discover hidden files and folders on a web server. It helps identify entry points, backup files, configuration folders or vulnerable scripts.
As part of a basic penetration-testing reconnaissance phase, I conducted a content discovery scan against the publicly available web application at http://testphp.vulnweb.com, a deliberately vulnerable site published for testing practice (scan only targets you are authorised to test). The purpose was to identify directories and files that are not linked from within the application but can still be requested directly if their names are known. Such content often includes administrative panels, backup folders, development files or version-control metadata, all of which can pose a security risk if exposed or misconfigured.

Using the DIRB tool on Kali Linux, I ran the scan with the common.txt wordlist that ships with the tool (/usr/share/dirb/wordlists/common.txt, which DIRB uses by default when no wordlist is given). The command used was: "dirb http://testphp.vulnweb.com/"


The scan identified several directories and files of interest from a security standpoint. Notably, the /admin/ directory exists but returns a 403 Forbidden response. That suggests it is protected or restricted, but a 403 still confirms the path exists, and its presence alone makes it a target for credential guessing and access-control testing.
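The following is an added example, not code from the original post or from the DIRB project. It is a minimal content-discovery scanner that does what the scan above does by hand: request each wordlist entry under the base URL and keep the responses that differ from the server's answer for a path that cannot exist. Learning that "missing" signature first is what keeps a catch-all "soft 404" page (a 200 for every unknown path) from flooding the results, which DIRB also filters for. The in-memory fake servers, the FAKE_SITE table and the wordlist are constructed for the example; http_fetch is the live fetcher to use against a real, authorised target.

```python
"""Minimal content-discovery scanner in the spirit of DIRB (added example)."""
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# A fetcher maps a URL to (status_code, body_length).
Fetcher = Callable[[str], Tuple[int, int]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, int]:
    """Live fetcher using the standard library; 4xx/5xx are responses, not failures."""
    req = urllib.request.Request(url, headers={"User-Agent": "content-discovery-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read() or b"")


def not_found_signature(base_url: str, fetch: Fetcher) -> Tuple[int, int]:
    """Probe a random path that cannot exist to learn what 'missing' looks like."""
    probe = f"{base_url.rstrip('/')}/{secrets.token_hex(8)}/"
    return fetch(probe)


def scan(base_url: str, words: List[str], fetch: Fetcher) -> Dict[str, Tuple[int, int]]:
    """Return {path: (status, length)} for each word whose response differs from 'missing'."""
    missing = not_found_signature(base_url, fetch)
    hits: Dict[str, Tuple[int, int]] = {}
    for word in words:
        path = f"/{word.strip('/')}/"
        status, length = fetch(base_url.rstrip("/") + path)
        if (status, length) == missing:
            continue  # indistinguishable from a non-existent path: not a finding
        hits[path] = (status, length)
    return hits


def classify(hits: Dict[str, Tuple[int, int]]) -> Dict[str, List[str]]:
    """Group hits the way an analyst reads a DIRB result."""
    groups: Dict[str, List[str]] = {"accessible": [], "forbidden": [], "redirect": [], "other": []}
    for path, (status, _) in sorted(hits.items()):
        if status == 200:
            groups["accessible"].append(path)
        elif status in (401, 403):
            groups["forbidden"].append(path)  # exists, but access is restricted
        elif 300 <= status < 400:
            groups["redirect"].append(path)
        else:
            groups["other"].append(path)
    return groups


# --- Constructed, in-memory targets so the example runs offline -------------
# Hypothetical site modelled on the findings in this post: path -> (status, body length).
FAKE_SITE = {
    "/admin/": (403, 200),
    "/CVS/": (200, 512),
    "/secured/": (200, 1024),
    "/vendor/": (200, 2048),
    "/images/": (301, 0),
}


def fake_fetch(url: str) -> Tuple[int, int]:
    """Well-behaved server: every unknown path gets the same 404 page."""
    return FAKE_SITE.get(urlsplit(url).path, (404, 153))


def fake_catchall_fetch(url: str) -> Tuple[int, int]:
    """Misbehaving server: unknown paths return 200 with a fixed 'soft 404' page."""
    return FAKE_SITE.get(urlsplit(url).path, (200, 300))


# Constructed mini wordlist standing in for common.txt.
WORDS = ["admin", "backup", "config", "CVS", "images", "secured", "vendor"]

if __name__ == "__main__":
    for name, fetch in (("normal", fake_fetch), ("soft-404", fake_catchall_fetch)):
        print(name, classify(scan("http://testphp.vulnweb.com", WORDS, fetch)))
```

Against the soft-404 server the catch-all 200 page becomes the baseline and is filtered out, so the same five real paths are reported in both runs; without that baseline every wordlist entry would look like a hit. A real scanner also compares body content, not just length, and adds extensions (.bak, .old, .php) to each word.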

Key Security Findings

Presence of /admin/ directory (403 Forbidden): Indicates an administrative interface which, if its credentials are guessable or its access control is misconfigured, could give unauthorised access to sensitive functionality. The 403 confirms the path exists even though it denies the request.

Version-control leak in /CVS/ folder: CVS metadata files (Entries, Root, Repository) list tracked file names and the repository location, revealing internal project structure and versioning information. These folders should never be publicly exposed in a live web environment.

Access to /secured/ folder: Despite the name implying restricted access, the directory is reachable without authentication and needs a deeper review to verify the sensitivity of its contents.

Exposed /vendor/ folder: Reveals third-party dependencies and, if directory listing is enabled, their exact versions, which lets an attacker match them against known vulnerabilities or target the supply chain.

Mitigations:

1- Avoid predictable directory names: do not rely on guessable paths such as /admin/ or /backup/. Renaming (e.g. /admin12/) only raises the cost of guessing and is no substitute for the controls below.
2- Use authentication and authorization to protect sensitive directories (such as /admin/ and /config/), for example with HTTP Basic Authentication over TLS, JWTs or session-based authentication, enforced server-side on every request rather than only on the login page.
3- Rate limiting and IP blocking: slow down brute-force and enumeration by limiting how fast a client can send requests, for example with a WAF such as Cloudflare or a reverse-proxy rule.
4- Custom 403/404 responses that do not reveal what exists: return the same error page, status code and response time whether or not the directory exists, and never emit messages like "Directory listing for /admin found". Disable directory listing, and remove version-control and dependency folders (/CVS/, /.git/, /vendor/) from the web root or block them so they answer exactly like a missing path.
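The following is an added example, not code from the original post or from any real server. It expresses mitigations 2, 3 and 4 as a request-handling policy written as pure functions over a small Request record, so it can be exercised without a web server; the same decisions translate directly to a WSGI middleware or a reverse-proxy configuration. The public paths, protected and blocked prefixes, client addresses and the admin credential are constructed placeholders.

```python
"""Hardened request policy for hidden-directory findings (added example)."""
import base64
import hmac
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample data: what the application serves publicly.
PUBLIC_PATHS = {"/", "/index.php", "/images/logo.png"}
# Sensitive areas that exist but require authentication (mitigation 2).
PROTECTED_PREFIXES = ("/admin/", "/config/")
# Folders that must never be reachable over HTTP; answered as if absent (mitigation 4).
BLOCKED_PREFIXES = ("/CVS/", "/.git/", "/.svn/", "/vendor/", "/secured/")
# Placeholder credential for the example only; a real deployment uses a password store.
ADMIN_USER, ADMIN_PASS = "admin", "correct-horse-battery-staple"


@dataclass
class Request:
    path: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def not_found() -> Response:
    """One canonical 404 so hidden-but-present and absent paths are indistinguishable."""
    return Response(404, "Not Found")


class RateLimiter:
    """Sliding-window request counter per client IP (mitigation 3; a WAF does this at the edge)."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit, self.window_s = limit, window_s
        self._hits: Dict[str, List[float]] = {}

    def allow(self, ip: str, now: float) -> bool:
        bucket = self._hits.setdefault(ip, [])
        bucket[:] = [t for t in bucket if now - t < self.window_s]  # forget old requests
        if len(bucket) >= self.limit:
            return False
        bucket.append(now)
        return True


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value the way a browser would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str], user: str, password: str) -> bool:
    """Validate an HTTP Basic credential using constant-time comparison."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, _, got_pass = decoded.partition(":")
    return (hmac.compare_digest(got_user.encode(), user.encode())
            and hmac.compare_digest(got_pass.encode(), password.encode()))


def canonical(path: str) -> str:
    """Decode and normalise so '/images/../%61dmin' is judged as '/admin'."""
    return "/" + posixpath.normpath(unquote(path)).lstrip("/")


def handle(req: Request, limiter: RateLimiter, now: float) -> Response:
    """Apply the policy in order: rate limit, blocked, protected, public, else 404."""
    if not limiter.allow(req.client_ip, now):
        return Response(429, "Too Many Requests", {"Retry-After": str(int(limiter.window_s))})
    norm = canonical(req.path)
    if (norm + "/").startswith(BLOCKED_PREFIXES):
        return not_found()  # not 403: a 403 would confirm the folder exists
    if (norm + "/").startswith(PROTECTED_PREFIXES):
        if check_basic_auth(req.headers.get("Authorization"), ADMIN_USER, ADMIN_PASS):
            return Response(200, "admin panel")
        return Response(401, "Unauthorized", {"WWW-Authenticate": 'Basic realm="admin"'})
    if norm in PUBLIC_PATHS:
        return Response(200, "ok")
    return not_found()


if __name__ == "__main__":
    lim = RateLimiter(limit=5, window_s=60)
    for p in ("/CVS/Entries", "/nope/", "/admin/", "/images/../%61dmin/"):
        r = handle(Request(p, "203.0.113.7"), lim, 0.0)
        print(p, r.status, r.body)
```

Two details matter for mitigation 4: the blocked-prefix check runs on the decoded, normalised path, so percent-encoding and ../ segments cannot route around it, and it returns the same Response as a genuinely missing path rather than a 403. The protected /admin/ prefix still answers 401, because a browser needs that challenge to prompt for credentials; that is why it is paired with the rate limiter rather than hidden.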
