86
Forceful Browsing
•Target: show directory contents
•How:
–directly request the web server to serve the directory (path), or
–via hidden-field manipulation (file access).
•Log manifestation:
–(path) directory, e.g. /cgi-bin/ or /cgi-bin
–(parameter) directory, e.g. file=/cgi-bin/ (and similar to file access)
•Variations:
–similar to file access
–8.3 directory name format (/longdirname/ -> /longdi~1/)
•False alarms: (path) the application may use a directory path as a shorthand
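Added detection example, not part of the slides: a Python scan over constructed access-log lines that flags the three log manifestations listed above (path directory, parameter directory, 8.3 short name) and suppresses the shorthand-directory false alarm with an assumed allowlist (SHORTHAND_DIRS); the sample log lines and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin HTTP/1.1" 301 0
10.0.0.6 - - [10/Oct/2023:13:56:01 +0000] "GET /view.cgi?file=/cgi-bin/ HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "GET /longdi~1/ HTTP/1.1" 200 1024
10.0.0.8 - - [10/Oct/2023:13:56:20 +0000] "GET /docs/ HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:56:30 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SHORTNAME_RE = re.compile(r'~\d+(?:/|$)')  # 8.3 short names, e.g. /longdi~1/
# Assumed allowlist: directories the application uses as a legitimate shorthand.
SHORTHAND_DIRS = {"/docs"}

def is_directory_like(path):
    """Trailing slash, or a last segment without an extension, names a directory."""
    if path in ("", "/"):
        return False
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return path.endswith("/") or "." not in last

def classify(target):
    """Return the forceful-browsing indicators found in one request target."""
    parts = urlsplit(target)
    tags = []
    if is_directory_like(parts.path) and parts.path.rstrip("/") not in SHORTHAND_DIRS:
        tags.append("path-directory")          # (path) variant, e.g. /cgi-bin/
    for _, value in parse_qsl(parts.query):
        if is_directory_like(value):
            tags.append("param-directory")     # (parameter) variant, e.g. file=/cgi-bin/
    if SHORTNAME_RE.search(target):
        tags.append("8.3-shortname")           # /longdi~1/ style names
    return tags

def scan(log_text):
    """Return (target, tags) for every request carrying at least one indicator."""
    hits = []
    for m in REQUEST_RE.finditer(log_text):
        tags = classify(m.group("target"))
        if tags:
            hits.append((m.group("target"), tags))
    return hits

if __name__ == "__main__":
    for target, tags in scan(SAMPLE_LOG):
        print(f"{target:32} {', '.join(tags)}")
```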