In today’s security-aware age, it’s important to reflect on past mitigations and see whether we can improve them.
While doing recon on this WordPress install I realised that my nginx installation was returning very identifiable responses to directory traversal and directory fuzzing attacks: it would respond with a 404 if the folder or file wasn’t there, and a 403 if the folder or file was present but access to it was denied.
This got me thinking that a simple crawler could be taught to map out files and directories not from sitemaps or HTML links but from the HTTP response codes alone.
Perhaps a better solution for nginx, and for all other vendors for that matter (ASP.NET etc.), is for their directory-traversal denial modules to respond with a 404 at all times if the absolute path was not given, so that a denied resource is indistinguishable from a missing one.
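As an added example (not the post’s own configuration), here is the weak form of an nginx deny rule beside two corrected forms that collapse the 403/404 distinction; the location patterns and the 404 page path are assumptions for illustration.

```nginx
# Added example, not the author's config. The three variants below are
# alternatives: use one per server block, not all together.

# Weak: "deny all" answers 403 for a path that exists but is protected,
# while a path that does not exist answers 404. A fuzzer can therefore
# tell "present but protected" apart from "absent".
location ~ /\.ht {
    deny all;              # nginx answers 403 Forbidden
}

# Corrected (per location): answer 404 for the protected pattern
# regardless of whether the file is on disk. "return" is evaluated
# before any file lookup, so both cases look identical to a crawler.
location ~ /\.ht {
    return 404;
}

# Corrected (server-wide): keep existing allow/deny rules in place but
# remap every 403 to the same 404 page, so IP-based and path-based
# denials also stop revealing that the resource exists.
error_page 403 =404 /404.html;
location = /404.html {
    internal;              # the page itself cannot be requested directly
}
```

With either corrected form the access log records a 404 for denied requests, so keep the real reason visible by logging the matched location or by a separate deny rule with its own log_format if your monitoring depends on seeing 403s.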