id: iis-shortname
info:
  name: iis-shortname
  author: nodauf
  severity: info
  description: If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~.

  # References:
  # - https://github.com/lijiejie/IIS_shortname_Scanner
  # - https://www.exploit-db.com/exploits/19525

requests:
  - method: GET
    path:
      - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
      - "{{BaseURL}}/*~1*/a.aspx'"
  - method: OPTIONS
    path:
      - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
      - "{{BaseURL}}/*~1*/a.aspx'"

    matchers:
      - type: dsl
        name: iis-scan
        dsl:
          - "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"