Vulnerable Directories

These directories may not be default, but are very valuable for an adversary.

Default Home Page

/default.asp
/default.aspx
/home.asp

AD or DC Login Page

An endpoint that may redirect the end user to the Domain Controller or the Active Directory login page.

/signin-oidc

Frontpage authors.pwd Available

The file _vti_pvt/authors.pwd can be read. This file contains sensitive information and should not be available.

/_vti_pvt/authors.pwd

Error Logging Modules and Handlers

ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. It can be dynamically added to a running ASP.NET web application, or even all ASP.NET web applications on a machine, without any need for re-compilation or re-deployment. If ELMAH is not properly configured, the elmah.axd handler can be accessed without authentication. This page lists all the error messages generated by the web application and may disclose sensitive information to an attacker, even session cookies which could be used in an account takeover. Sending a %, < or > may cause a 400 response that is added to the ELMAH log, which makes it a good proof of concept for stealing user accounts.

/elmah.axd


Global Files

The Global.asa file is an optional file in which you can specify event scripts and declare objects that have session or application scope. It is not for content that is displayed to clients; instead it stores event information and objects used globally by the application. This file must be named Global.asa (or Global.asax for ASP.NET) and must be stored in the root directory of the application.

The Global.asa file is not normally accessible, because the web server restricts access to it. It may contain sensitive information such as database credentials and source code snippets, so it is recommended to restrict access to this file.

/Global.asa
/Global.asax

Trace File

ASP.NET includes a debug file called trace.axd. It keeps a very detailed log of all requests made to an application over a period of time. This information includes remote client IPs, session IDs, all request and response cookies, internal paths, source code information, and potentially even usernames and passwords.

/trace.axd
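
To check whether any of the files and handlers described above have actually been served, the following added example (not part of the original page) scans an IIS W3C extended log for 2xx responses on those paths. The sample log lines, the function names and the choice to match the paths under any application sub-directory are assumptions made for illustration.

```python
# Added example: flag successful requests for the sensitive IIS/ASP.NET paths
# listed on this page in a W3C extended log. The sample log is constructed.
SENSITIVE = {
    "/_vti_pvt/authors.pwd", "/elmah.axd", "/global.asa",
    "/global.asax", "/trace.axd",
}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:00:01 GET /default.aspx - 203.0.113.5 200
2024-01-10 09:00:07 GET /elmah.axd - 203.0.113.5 200
2024-01-10 09:00:09 GET /Trace.axd id=3 203.0.113.5 200
2024-01-10 09:00:12 GET /Global.asa - 203.0.113.5 404
2024-01-10 09:00:15 GET /elmah.axd/detail id=abc 203.0.113.5 200
2024-01-10 09:00:20 GET /_vti_pvt/authors.pwd - 198.51.100.7 403
"""

def is_sensitive(stem):
    """Case-insensitive match in any app sub-directory, including handler sub-paths."""
    stem = stem.lower()
    return any(stem.endswith(p) or (p + "/") in stem for p in SENSITIVE)

def find_exposures(log_text):
    """Return (timestamp, client_ip, path, status) for 2xx hits on sensitive paths."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column set can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                           # no header seen yet: cannot map columns
        values = line.split()
        if len(values) != len(fields):
            continue                           # skip truncated or malformed rows
        row = dict(zip(fields, values))
        status = row.get("sc-status", "")
        path = row.get("cs-uri-stem", "")
        if is_sensitive(path) and status.startswith("2") and status.isdigit():
            stamp = (row.get("date", "-") + " " + row.get("time", "-")).strip()
            hits.append((stamp, row.get("c-ip", "-"), path, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG):
        print(hit)
```

A 2xx on any of these paths from a non-administrative client address means the content was returned and should be treated as disclosed; 403 and 404 rows show the restriction is working.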
