Climbing Mount WebAppSec – Discovering Directories & Files with ZAP

This is the second part of my mini-series on “Domain Discovery”. The first part is here.

Following Jason Haddix’s Bug Hunters Methodology I’m at phase three: Mapping

Discovering the domain falls into two parts: the first to the left of the domain name (subdomains) and the second to the right of it (directories and files).

In this post I will cover directories/files.

As with subdomains the premise in discovering directories/files is to firstly enlarge the attack surface and in the process find some easier wins. Directories and files may be forgotten in the mists of time, or may be part of the website admin/functionality the webmaster assumed would never be accessed, as they are not directly linkable from within the website.

There are a number of tools available to us for brute-forcing website directories and files – sometimes known as “Forced-Browsing” – but I have settled on two: Wfuzz & ZAP.

I covered Wfuzz in my previous post.

Right, ZAP.

When I tinkered with website security some years ago, the go-to tool for enumerating website directories and files was OWASP’s DirBuster. I’m pleased to say this tool lives on inside ZAP, where it is used through “Forced Browse”.

As a quick aside, there are actually two mechanisms within ZAP to perform this task, the other being the Fuzzer, based on FuzzDB. The Fuzzer is a multi-faceted tool capable of far more than directory busting, so I will focus only on the DirBuster component for now.

The easiest way to access this is to right-click on your target (one that you have previously surfed whilst proxying through ZAP) and select one of the “Forced Browse” options under the Attack menu:

This will change the bottom left pane from this:

To this:

Note the addition of the “Site” and “list” dropdown menus.

By default, only one list – directory-list-1.0.txt – is available to us.

We can install more lists via the “Manage Add-ons” icon:

Select the “Marketplace” tab and scroll down for “Directory” & “SVN Digger” files. Check their respective boxes and click “Install selected”.

But we don’t have to stop there.

From the discovering subdomains post:

A VERY important aspect of this job is the wordlists fed to the tools.

My advice at this stage is to go and grab all of the wordlists inside SecLists on GitHub (courtesy of Jason Haddix (again) and Daniel Miessler).

The wordlists of particular interest to us can be found in the “Web Content” folder within “Discovery”.

As you can see there’s a huge number of lists to choose from. My favourites so far:

– SVNDigger – You can read about these here.

– Top1000-RobotsDisallowed – Wordlists compiled from URLs that webmasters *did not* want spidered, for one reason or another.

– Raft Lists – Because Jason Haddix said so!

We can either install these manually by dropping them inside the Zap/Fuzzers/Dirbuster/ folder on our system, or we can use the GUI.

From the toolbar: Tools – Options – select “Forced Browse”. Hit the “Select File” button next to “Add custom forced browse file”.
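Merging a handful of those SecLists files into one clean custom file is worth scripting rather than doing by hand, because the lists overlap heavily and some carry comment headers and stray slashes. The script below is an added example, not ZAP’s or SecLists’ own code: it assumes DirBuster-style lists (one entry per line, lines starting with “#” treated as comments), uses two small constructed lists in place of the real files, and writes to a hypothetical custom-forced-browse.txt that you can then point the “Select File” dialog at.

```python
"""Build one custom forced-browse list for ZAP from several wordlists.

Added example, not ZAP's or SecLists' own code. It assumes the inputs are
plain one-entry-per-line lists in the DirBuster style, where lines starting
with '#' are comments (the directory-list-*.txt files under
SecLists/Discovery/Web-Content use that convention). The two sample lists
below are constructed for the example; the output path is hypothetical.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Constructed stand-ins for two files from SecLists/Discovery/Web-Content.
SAMPLE_LISTS: Dict[str, str] = {
    "directory-list-lowercase-2.3-small.txt": (
        "# directory-list-lowercase-2.3-small.txt\n"
        "# comment header as found in the DirBuster lists\n"
        "admin\n"
        "images\n"
        "/backup/\n"
        "Admin\n"
        "\n"
    ),
    "Top1000-RobotsDisallowed.txt": (
        "/admin\n"
        "/cgi-bin/\n"
        "private\n"
        "//tmp//\n"
        "admin\n"
    ),
}


def normalise(raw: str) -> Optional[str]:
    """Turn one raw line into the form Forced Browse expects: no comment or
    blank lines and no surrounding slashes. Returns None for lines to drop."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    # Forced Browse joins each entry onto the base URL itself, so a leading or
    # trailing slash only produces doubled slashes in the request.
    line = line.strip("/")
    # Collapse internal runs of slashes left by sloppy lists.
    line = re.sub(r"/{2,}", "/", line)
    return line or None


def merge_wordlists(lists: Dict[str, str], case_insensitive: bool = False) -> List[str]:
    """Merge several list bodies into one de-duplicated list, keeping the
    order of first appearance so the most valuable list can be placed first.
    With case_insensitive=True, 'Admin' is dropped once 'admin' has been seen."""
    seen = set()
    merged: List[str] = []
    for body in lists.values():
        for raw in body.splitlines():
            entry = normalise(raw)
            if entry is None:
                continue
            key = entry.lower() if case_insensitive else entry
            if key in seen:
                continue
            seen.add(key)
            merged.append(entry)
    return merged


def load_lists(paths: Iterable[Path]) -> Dict[str, str]:
    """Read real wordlist files from disk into the {name: body} shape above."""
    return {p.name: p.read_text(encoding="utf-8", errors="replace") for p in paths}


def write_custom_list(entries: List[str], path: Path) -> int:
    """Write the list in the one-entry-per-line format that ZAP's
    'Add custom forced browse file' dialog reads. Returns the entry count."""
    path.write_text("\n".join(entries) + "\n", encoding="utf-8")
    return len(entries)


if __name__ == "__main__":
    # Hypothetical output path; point ZAP's 'Select File' dialog at it.
    out = Path("custom-forced-browse.txt")
    count = write_custom_list(merge_wordlists(SAMPLE_LISTS), out)
    print(f"wrote {count} entries to {out}")
```

For real files, replace SAMPLE_LISTS with load_lists([Path("…/directory-list-lowercase-2.3-small.txt"), …]) and put the list you trust most first, since the merge keeps first-appearance order. Leave case_insensitive off when the target is on a case-sensitive web server; turn it on for IIS-style hosts where “Admin” and “admin” are the same path.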

After doing either of these, return to the bottom-left pane and you will find all of the files listed in the “List” dropdown menu:

Just hit the small blue “play” button and you’re off.

All of the URLs found by Forced Browsing will be displayed in your Sites Tree with this little hammer icon:
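It is worth knowing what all of those requests look like from the other side. As an added example, not part of the original post and not ZAP’s code, the script below reads access-log lines in the Apache/nginx “combined” format (the lines here are constructed) and flags any client that produces more than a threshold number of 404 responses inside a sliding time window; the window and threshold values are assumptions to tune per site. A site owner running this over their logs sees a forced browse as a burst of guessed paths from one address, most of them answered 404.

```python
"""Flag forced-browse activity in a web server's access log.

Added example, not part of the original post and not ZAP's code. Seen from
the site owner's side, a forced browse is one client requesting many guessed
paths in a short time, most of which answer 404. This reads Apache/nginx
'combined' format lines and reports clients whose 404 count inside a sliding
time window exceeds a threshold. The log lines are constructed here; the
window and threshold are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional

# Apache/nginx 'combined' log format, up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_forced_browse(lines: Iterable[str], window_seconds: int = 60,
                       max_404: int = 8) -> Dict[str, int]:
    """Return {client_ip: peak 404 count} for clients that produced more than
    max_404 responses of 404 inside any window_seconds-long span.
    Lines are expected in chronological order, as a log file is."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Slide the window: forget 404s older than window_seconds.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_404:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def build_sample_log() -> list:
    """Constructed sample: one ordinary visitor and one client working through
    a short wordlist at a request per second (addresses from RFC 5737 ranges)."""
    stamp = "10/Mar/2024:13:00:%02d +0000"
    lines = [
        f'198.51.100.7 - - [{stamp % 1}] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        f'198.51.100.7 - - [{stamp % 5}] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
        f'198.51.100.7 - - [{stamp % 9}] "GET /oldlink HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    ]
    guesses = ["admin", "images", "backup", "cgi-bin", "private", "tmp",
               "old", "test", "dev", "config", "uploads", "logs"]
    for i, name in enumerate(guesses):
        status = 200 if name == "images" else 404   # one guess actually exists
        lines.append(f'203.0.113.9 - - [{stamp % (10 + i)}] "GET /{name} HTTP/1.1" '
                     f'{status} 162 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    window = 60
    for ip, peak in find_forced_browse(build_sample_log(), window_seconds=window).items():
        print(f"{ip}: {peak} 404s inside one {window}s window - likely forced browse")
```

The ordinary visitor’s single broken link never trips the threshold, while the client walking a wordlist does as soon as its ninth 404 lands inside the window. Tune max_404 against a day of normal traffic before alerting on it, and remember that a tester who throttles requests below the window rate, or spreads them across addresses, will slip under a purely per-IP count.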

Happy Directory & file Busting!