Directory brute forcing/Searching for defaults – Security Testing Handbook for Banking Applications

2: Basic Tests and Techniques
Solution
The attack succeeds because the attacker can predict the exact
request that needs to be sent to the application to make a
fund transfer. If the link contained something random each
time a new request was made, there would be no way for
someone to predict its content and embed it in an image. This
random content is called a ‘page token’. Each time a user
accesses the transfer funds link, the page token changes. Even
the user has no way of predicting what token their next
transfer funds request will be assigned when they click the
transfer funds link, so there is no way for an attacker to know
it either. A word of caution though: make sure that the token
is truly random, not something that can be easily predicted.
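The page-token scheme described above, as an added example that is not part of the original book: a server-side store that issues a fresh CSPRNG token each time the transfer funds page is served, binds it to the login session, and accepts it only once. The endpoint name, session ids and account numbers are constructed for the example.

```python
import hmac
import secrets

class TransferPageTokens:
    """Per-page-load anti-forgery tokens, tracked per login session."""

    def __init__(self):
        # session_id -> set of tokens issued but not yet consumed
        self._pending = {}

    def issue(self, session_id):
        # A fresh CSPRNG token every time the transfer funds page is served,
        # so neither the user nor an attacker can predict the next one.
        token = secrets.token_urlsafe(32)  # 256 bits, 43 URL-safe characters
        self._pending.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, token):
        # Accept a token at most once, and only for the session it was issued to.
        # compare_digest avoids leaking a partial match through timing differences.
        for issued in self._pending.get(session_id, set()):
            if hmac.compare_digest(issued, token):
                self._pending[session_id].discard(issued)
                return True
        return False

def handle_transfer(tokens, session_id, params):
    """Server side of a hypothetical POST /transfer.

    session_id comes from the login cookie, which the browser attaches to a
    forged request just as readily; params is the submitted form body. The
    page token only exists in the page the user loaded, which is exactly what
    a request embedded in an image on another site cannot supply.
    """
    token = params.get("page_token")
    if token is None or not tokens.consume(session_id, token):
        return 403, "rejected: missing, unknown, reused or foreign page token"
    return 200, f"transferred {params['amount']} to {params['to']}"

def demo():
    tokens = TransferPageTokens()
    sid = "sess-alice"                      # constructed session id
    page_token = tokens.issue(sid)          # user loads the transfer funds page
    form = {"page_token": page_token, "to": "ACC-42", "amount": "100"}
    legitimate = handle_transfer(tokens, sid, form)          # 200
    forged = handle_transfer(tokens, sid, {"to": "ACC-99", "amount": "100"})  # no token: 403
    replayed = handle_transfer(tokens, sid, form)            # token already used: 403
    return legitimate[0], forged[0], replayed[0]
```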
Directory brute forcing/Searching for defaults
Just as security is important while developing the
application, it should be kept in mind while deploying the
application too. Many times, the directories that the
application uses are simply copied from the UAT (user
acceptance test) setup on to the live server. This results in a
lot of private directories being accessible to a normal user.
There have been times when we have been able to access
the source code in application directories through the
browser.
Hence it is important to test, using a directory brute-forcing
tool, whether any such directories have been accidentally left
on the web server. If hidden directories are uncovered,
confidential content may be revealed as well.