2021-05-12 20:30:15 +00:00
id : apache-filename-brute-force
info :
name : Apache Filename Brute Force
author : geeknik
description : If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing.
reference : |
- https://hackerone.com/reports/210238
- https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/
severity : low
tags : apache
2021-05-12 20:31:52 +00:00
2021-05-12 20:30:15 +00:00
requests :
- method : GET
headers :
Accept : "fake/value"
path :
- "{{BaseURL}}/index"
2021-05-12 20:31:52 +00:00
2021-05-12 20:30:15 +00:00
matchers-condition : and
matchers :
- type : status
status :
- 406
- type : word
words :
- "Not Acceptable"
- "Available variants:"
- "<address>Apache Server at"
condition : and