Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality. By making educated guesses, the attack is a brute force search looking for content that is not intended for public viewing. Temporary files, backup files, configuration files, and sample files are all examples of potentially leftover files. These brute force searches are easy because hidden files will often have common naming convention and reside in standard locations. These files may disclose sensitive information about web application internals, database information, passwords, machine names, file paths to other sensitive areas, or possibly contain vulnerabilities. Disclosure of this information is valuable to an attacker.

Predictable Resource Location is also known as Forced Browsing, File Enumeration, Directory Enumeration, etc.

Example
Any attacker can make arbitrary file or directory requests to any publicly available web server. The existence of a resource can be determined by analyzing the web server HTTP response codes. There are several of Predictable Resource Location attack variations:

Blind searches for common files and directories
/admin/
/backup/
/logs/
/vulnerable_file.cgi

Adding extensions to existing filename: (/test.asp)
/test.asp.bak
/test.bak
/test

To receive your Free Application Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $1999.00 for a second Predictable Resource Location vulnerability attack vulnerability test.

Business Name:

Contact Information:

Email Address:

URL or IP address:

Other members of our business group:
Cloud-Security.us