File/Parameter Enumeration
A file/parameter enumeration attack is a combination of Forceful Browsing and Parameter Tampering used to access parts of the application that are not normally exposed to the public, such as old versions, "disabled" components, and new components still under development.
Detailed Description
File/parameter enumeration is a common technique for probing candidate files and parameter values to determine whether they exist or are accepted by the application. Using it, an attacker can map additional parts of the application that are not normally exposed to the public.
An attacker may abuse the fact that many files are left in the server's Web directories and employ the Forceful Browsing technique to gain access to them. Such files are often hidden or unreferenced: include files, demo components, administrative interfaces, backup and temporary files, and well-known sample and default files. All of them may be detected by the attacker and later used to attack the server.
Many applications use sequential numerical parameters or file names. Often only some of the existing files or parameters are actually used by the application, but the others may be accessible as well. For example, consider a Web application with the following URLs:
http://www.mydomain.com/page1.asp or http://www.mydomain.com/main.asp?page=1
An attacker may easily guess other file names or parameter values and retrieve pages that were never intended to be served. An application may also use a fixed set of files or parameters that are not numerical but can still be logically enumerated. For example, consider the following application login URL:
http://www.mydomain.com/login.jsp?usertype=regular&username=john&password=doe
The attacker may guess that additional user types exist in the application and change usertype to admin (usertype=admin) in an attempt to gain administrator privileges on the Web application.
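Detection logic for the two patterns described above (sequential file names such as page1.asp and guessed parameter values such as usertype), added here as an example and not part of the original page: it parses constructed combined-format access log lines and flags a client that walks many values of one file-number template or one parameter, especially when most of those requests are rejected. The sample log, the thresholds and the 4xx codes treated as failures are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample (combined log format): 10.0.0.5 walks page1..page6.asp (half 404)
# and tries five usertype values on login.jsp; 10.0.0.9 is ordinary traffic.
TS = '[10/Oct/2023:13:55:36 +0000]'
def _entry(ip, target, status):
    return f'{ip} - - {TS} "GET {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_entry('10.0.0.5', f'/page{n}.asp', 200 if n <= 3 else 404) for n in range(1, 7)]
SAMPLE_LOG += [_entry('10.0.0.5', f'/login.jsp?usertype={u}&username=john&password=doe',
                      200 if u == 'regular' else 403)
               for u in ('regular', 'admin', 'root', 'sysadmin', 'manager')]
SAMPLE_LOG += [_entry('10.0.0.9', '/main.asp?page=1', 200), _entry('10.0.0.9', '/page2.asp', 200)]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def _keys(target):
    """Yield (key, value): each numeric run in the path becomes a '{N}' template so
    /page1.asp and /page2.asp share a key; query values are keyed on path + name."""
    parts = urlsplit(target)
    for m in re.finditer(r'\d+', parts.path):
        yield 'path:' + parts.path[:m.start()] + '{N}' + parts.path[m.end():], int(m.group())
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield f'param:{parts.path}?{name}', int(value) if value.isdigit() else value

def detect_enumeration(lines, min_distinct=5, max_gap=2):
    """Flag a client trying many distinct values of one file number or parameter:
    numeric values stepping (nearly) sequentially, or any values mostly rejected."""
    seen = defaultdict(lambda: {'values': set(), 'fail': 0, 'total': 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the expected format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        for key, value in _keys(target):
            s = seen[(client, key)]
            s['values'].add(value)
            s['total'] += 1
            s['fail'] += int(status in (401, 403, 404))
    findings = []
    for (client, key), s in sorted(seen.items()):
        if len(s['values']) < min_distinct:
            continue
        nums = sorted(v for v in s['values'] if isinstance(v, int))
        sequential = len(nums) >= min_distinct and all(b - a <= max_gap for a, b in zip(nums, nums[1:]))
        fail_ratio = round(s['fail'] / s['total'], 2)
        if sequential or fail_ratio >= 0.5:
            findings.append({'client': client, 'key': key, 'distinct': len(s['values']),
                             'sequential': sequential, 'fail_ratio': fail_ratio})
    return findings
```

Running detect_enumeration(SAMPLE_LOG) yields two findings for 10.0.0.5 (the sequential page{N}.asp walk and the rejected usertype guesses) and none for 10.0.0.9; in production the same grouping would be applied per client and time window rather than over the whole log.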