id: apache-filename-enum info: name: Apache Filename Enumeration author: geeknik severity: low description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. reference: - https://hackerone.com/reports/210238 - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ tags: apache,misconfig,hackerone metadata: max-request: 1 http: - method: GET headers: Accept: "fake/value" path: - "{{BaseURL}}/index" matchers-condition: and matchers: - type: status status: - 406 - type: word words: - "Not Acceptable" - "Available variants:" - "
Apache Server at" condition: and