id: apache-filename-brute-force info: name: Apache Filename Brute Force author: geeknik description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. reference: - https://hackerone.com/reports/210238 - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ severity: low tags: apache requests: - method: GET headers: Accept: "fake/value" path: - "{{BaseURL}}/index" matchers-condition: and matchers: - type: status status: - 406 - type: word words: - "Not Acceptable" - "Available variants:" - "
Apache Server at" condition: and