the-web-application-hackers-handbook

82 Chapter 4 n Mapping the Application
The first step in an automated effort to identify hidden content might involve
the following requests, to locate additional directories:
http://eis/About/
http://eis/abstract/
http://eis/academics/
http://eis/accessibility/
http://eis/accounts/
http://eis/action/
...
Burp Intruder can be used to iterate through a list of common directory
names and capture details of the server’s responses, which can be reviewed to
identify valid directories. Figure 4-4 shows Burp Intruder being configured to
probe for common directories residing at the web root.
Figure 4-4: Burp Intruder being configured to probe for common directories
When the attack has been executed, clicking column headers such as “status”
and “length” sorts the results accordingly, enabling you to quickly identify a
list of potential further resources, as shown in Figure 4-5.
Having brute-forced for directories and subdirectories, you may then want
to find additional pages in the application. Of particular interest is the /auth
directory containing the Login resource identified during the spidering process,
which is likely to be a good starting point for an unauthenticated attacker.
Again, you can request a series of files within this directory: