AttackFlow Findings Dictionary


WCF Directory Listing

The attacker can enumerate the web folder structure and its contents, then use that information to mount further attacks such as credential theft.

Severity

Medium

Fix Cost

Low

Trust Level

High

Potentially sensitive information can be disclosed to attackers in various ways. Listing the contents of web application directories is one of the easiest ways for an attacker to discover such information.

To allow browsing the web application's root directory during debugging, WCF applications enable directory listing by default with the configuration below:

    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true" />
      <!-- directory listing is on; this is the insecure setting described above -->
      <directoryBrowse enabled="true" />
    </system.webServer>
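As an added example (not part of the AttackFlow page or its product), a small Python audit that reads a web.config, flags the directoryBrowse setting shown above, and checks a hardened copy of the same file alongside it; both configuration strings are constructed here for illustration.

```python
"""Audit a web.config for the directory-listing setting discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample: the weak configuration from the finding.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>"""

# Constructed sample: the same file with directory browsing switched off.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>"""


def directory_browse_enabled(web_config_xml: str) -> bool:
    """Return True only when a <directoryBrowse enabled="true"> element exists.

    A missing element or attribute is treated as disabled: the value is then
    inherited from the server level, where IIS ships with browsing off.
    The comparison is case-insensitive because IIS also accepts "True".
    """
    root = ET.fromstring(web_config_xml)
    for elem in root.iter("directoryBrowse"):
        if elem.get("enabled", "false").strip().lower() == "true":
            return True
    return False


def audit(web_config_xml: str) -> dict:
    """Produce a finding record shaped like the dictionary entry above."""
    enabled = directory_browse_enabled(web_config_xml)
    return {
        "finding": "WCF Directory Listing",
        "vulnerable": enabled,
        "severity": "Medium" if enabled else None,
        "remediation": 'Set <directoryBrowse enabled="false" /> or remove the element.'
        if enabled else None,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit(cfg))
```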

