Hello World, this is my first blog post, and it is about one of my recent findings in a bug bounty program.

Usually, whenever I saw a default IIS page, I used to skip the domain and move on to finding issues on other subdomains. But at NahamCon 2021, @infosec_au gave a talk on Hacking IIS and discussed a bunch of vulnerabilities to check whenever we come across an IIS server.

I highly recommend you go through the talk

Hacking IIS

Shortname Scanning

To check for this vulnerability, there are 2 tools which I recommend

$ sns -u https://sub.redacted.com/

 Proxy:   None
 Target:  https://sub.redacted.com/
 Threads: 50
 Timeout: 30

 - aspnet~1 (Directory)
SHORTNAME       FULL NAME       TYPE                                                                           
aspnet~1        Not found       Directory
  • I used sns, but the result contained only one directory, the default directory [aspnet_client], which gave a 403 on visiting it

Nothing much here, so I tried traditional content discovery


  • Most of the time, on default IIS web pages there is a high chance of finding zip files and backup files

  • We cannot rely blindly on the IIS shortname scanner, so I started general content discovery

    • Also, content discovery on IIS servers is easy because they are case-insensitive
  • So I ran ffuf with jhaddix's content_discovery_all.txt

 ffuf -u https://sub.redacted.com/FUZZ.zip -w content_discovery_all.txt -fc 404

and http://sub.redacted.com/ws.zip gave 200 OK

  • Upon visiting the URL, I was able to download the whole source code. The source code contained many sensitive API keys and DLL files

  • I reported it, and they resolved the issue immediately

  • Whenever you find a default IIS page on a web server, fuzz it; you might find something interesting

Hope you learned something new :)
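
How this finding looks from the server owner's side, as an added example that is not part of the original post: the script parses IIS W3C-format log lines, flags backup archives that were actually served (like the ws.zip above), and flags clients that request many non-existent archive names. The log sample, the selected fields, the extension list and the threshold are constructed assumptions.

```python
import os
from collections import defaultdict

# Extensions that should rarely be served from a production web root (assumed list).
RISKY_EXT = {".zip", ".7z", ".rar", ".tar", ".gz", ".bak", ".old", ".sql"}
PROBE_THRESHOLD = 3  # assumed: distinct misses per client before it counts as guessing

# Constructed sample log (not real traffic); fields are standard IIS W3C names.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
2021-06-01 10:00:01 GET /backup.zip 203.0.113.7 404 1245
2021-06-01 10:00:01 GET /site.zip 203.0.113.7 404 1245
2021-06-01 10:00:02 GET /WWW.ZIP 203.0.113.7 404 1245
2021-06-01 10:00:02 GET /ws.zip 203.0.113.7 200 48211934
2021-06-01 10:05:10 GET /iisstart.png 198.51.100.20 200 99710
2021-06-01 10:06:00 GET /downloads/tool.zip 198.51.100.20 404 1245
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_risky(uri_stem):
    # IIS paths are case-insensitive, so compare the lowered extension.
    return os.path.splitext(uri_stem.lower())[1] in RISKY_EXT

def analyze(text):
    """Return (served, probers): archives actually served, and clients guessing names."""
    served, misses = [], defaultdict(set)
    for r in parse_w3c(text):
        if not is_risky(r["cs-uri-stem"]):
            continue
        status = r["sc-status"]
        if status.startswith("2"):
            served.append((r["c-ip"], r["cs-uri-stem"], int(r["sc-bytes"])))
        elif status in ("403", "404"):
            misses[r["c-ip"]].add(r["cs-uri-stem"].lower())
    probers = sorted(ip for ip, names in misses.items() if len(names) >= PROBE_THRESHOLD)
    return served, probers

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any entry in the served list is the one to act on first: remove the archive from the web root and rotate every key it contained.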