An attacker searches a targeted web site for web pages that have not been
publicized. Generally this involves mapping the published web site by
spidering through all the published links and then attempt to access
well-known debugging or logging pages, or otherwise predictable pages within
the site tree. For example, if an attacker might be able to notice a pattern
in the naming of documents and extrapolate this pattern to discover
additional documents that have been created but are no longer externally
linked. Using this, the attacker may be able to gain access to information
that the targeted site did not intend to make public.
Attack Prerequisites
The targeted web site must include pages within its published tree that
are not connected to its tree of links. The sensitivity of the content of
these pages determines the severity of this attack.
Resources Required
Spidering tools to explore the target web site are extremely useful in this
attack especially when attacking large sites. Some tools might also be able to
automatically construct common page locations from known paths.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.
Description
