# Detection template: flags Apache hosts whose 406 Not Acceptable response
# carries the "pseudo directory listing" described below. It sends a single
# GET for /index with an Accept value the server cannot satisfy and checks
# the status code and body of the reply.
# NOTE(review): the second reference attributes this to mod_negotiation; the
# usual hardening is to disable content negotiation (MultiViews) where it is
# not needed - confirm against the references before recording a remediation.
# NOTE(review): the file ends with a `# digest:` signature trailer; any edit
# to the template presumably requires re-signing - confirm with the project
# tooling.
id: apache-filename-enum

info:
  name: Apache Filename Enumeration
  author: geeknik
  severity: low
  description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing.
  reference:
    - https://hackerone.com/reports/210238
    - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/
  metadata:
    # Matches the single path requested in the http section below.
    max-request: 1
  tags: apache,misconfig,hackerone

http:
  - method: GET
    headers:
      # Deliberately unsatisfiable media type, so the server has no variant
      # it can serve and answers 406 instead of returning content.
      Accept: "fake/value"
    path:
      # Extension-less resource name; only this one path is probed.
      - "{{BaseURL}}/index"

    # Both matchers below must succeed for the host to be reported.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 406

      # No `part` is given, so nuclei's default part (the response body) is
      # searched. All three strings are required (`condition: and`).
      # NOTE(review): "<address>Apache Server at" looks like the server
      # signature footer; a host that suppresses that footer would still
      # return the variant list but not match here - confirm this
      # false-negative trade-off is intended.
      - type: word
        words:
          - "Not Acceptable"
          - "Available variants:"
          - "<address>Apache Server at"
        condition: and
# digest: 4b0a00483046022100b2ca66ab92aee03e5a60e28447ab4144da2ca1be69f322812581c250fac52b33022100f17850ca1f575b1427d7732e20795fb329445f7a3d7b68a8626a565502fa78a2:922c64590222798bb761d5b6d8e72950