Directory Spraying for Bug Bounties

    Directory spraying is a technique I use to enumerate files and directories while bug bounty hunting. The typical approach is to enumerate all the subdomains you can find and then start working on finding your targets. Part of this process includes discovery lists which could contain thousands of files and directories.

    Enumerating a single domain or subdomain for thousands of files or directories at once can overwhelm a site. Organizations typically request that you throttle your requests to prevent that from happening. I personally limit my discovery attack within BurpSuite to the following parameters:

    • Maximum concurrent requests: 1
    • Delay between requests: 1500

    The problem with this approach is that it’s time-consuming to enumerate a large number of files and directories against a single target domain, let alone multiple target domains. Directory spraying allows you to enumerate a larger list of target domains with a smaller list of files and directories.

    Directory Spraying with DirSpray

    DirSpray allows you to take a list of target domains, a list of target files and directories, and then enumerate those without having to throttle your requests.

    You can download DirSpray from my GitHub repository:

    DirSpray Downloads

    This is how my bug bounty methodology incorporates DirSpray:

    First, I need a target domain, for the purpose of this blog I’ll call it “targetdomain.com”.

    My next step is to enumerate as many subdomains as possible in order to get as much attack surface as possible. I’ll do that using OWASP Amass:

    amass enum -active -d targetdomain.com

    That command will take some time to complete, but when it does I’ll have a list of subdomains to start enumerating. The next step is to place the list of domains into a text file, something like “urls.txt”. Now that I have my target list, I need a list of files and directories to enumerate. I want to keep this list short and sweet: I’ll add 3 to 4 files that I want to look for across all those domains.

    Let’s say I want to look for WordPress files across the domain list, my list of target files might include:

    • wp-admin
    • wp-config
    • admin

    The idea is to use just a few so we can quickly cover as many targets as possible without generating a lot of traffic to any one target.

    Setting up DirSpray

    The first thing I need to do is launch BurpSuite and make sure it’s listening on port 8080, since DirSpray was designed to proxy directly through BurpSuite. Then I’ll run DirSpray with my target list and my file list:

    Figure 1: DirSpray usage (screenshot of directory spraying with DirSpray)

    As DirSpray enumerates the target domains, it proxies its traffic through BurpSuite:

    Figure 2: DirSpray proxied through BurpSuite, showing the results of the directory spraying

    When DirSpray completes the domain target list, the results are saved in a report called “report.html”:

    Figure 3: DirSpray Report

    The resulting directory spraying report provides the following:

    • The URL, if the request returns a status code in the 200 range
    • The status code of the response
    • The response length

    In most cases you can use the response lengths as a guide to determine whether the response was the actual target file, a redirect, or a 404 page. A “-1” response length means Go could not determine the length of the response: Go’s net/http reports -1 when the server sends no Content-Length header, for example with chunked transfer encoding. This usually means it’s a 404 or the site could not be reached in some way.
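    As an added example (not DirSpray’s own code, which lives in the author’s repository), here is a minimal Go sprayer that does what the steps above describe: it forms every host/path pair, orders the requests so consecutive ones go to different hosts, optionally proxies through Burp on 127.0.0.1:8080, does not follow redirects, and records the URL, status code and response length for a report, with -1 when Go cannot determine the length. The hosts, paths and proxy address in main are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Target is one host/path pair to request.
type Target struct {
	Base string // scheme://host, e.g. https://sub.targetdomain.com
	Path string // path without a leading slash, e.g. wp-admin
}

// Result holds the three fields the report shows.
type Result struct {
	URL    string
	Status int   // 0 when the request failed outright
	Length int64 // -1 when Go cannot determine the body length
	Err    error
}

// normalizeBase adds https:// to bare hostnames (as found in urls.txt)
// and strips a trailing slash so the URL joins cleanly.
func normalizeBase(host string) string {
	host = strings.TrimSpace(host)
	if !strings.Contains(host, "://") {
		host = "https://" + host
	}
	return strings.TrimRight(host, "/")
}

// BuildTargets forms every host/path combination. The outer loop is over
// paths, so consecutive requests go to different hosts: each host sees only
// a handful of requests spread over the whole run, which is why spraying a
// short path list across many hosts needs no per-host throttling.
func BuildTargets(hosts, paths []string) []Target {
	var targets []Target
	for _, p := range paths {
		p = strings.TrimLeft(strings.TrimSpace(p), "/")
		for _, h := range hosts {
			if strings.TrimSpace(h) == "" {
				continue
			}
			targets = append(targets, Target{Base: normalizeBase(h), Path: p})
		}
	}
	return targets
}

// NewClient builds the HTTP client. proxyURL is optional (Burp listens on
// http://127.0.0.1:8080 by default). Redirects are not followed so the report
// shows the real 3xx status rather than the page the redirect lands on.
func NewClient(proxyURL string, timeout time.Duration) (*http.Client, error) {
	transport := &http.Transport{}
	if proxyURL != "" {
		u, err := url.Parse(proxyURL)
		if err != nil {
			return nil, fmt.Errorf("bad proxy url %q: %w", proxyURL, err)
		}
		transport.Proxy = http.ProxyURL(u)
	}
	return &http.Client{
		Transport: transport,
		Timeout:   timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}, nil
}

// Probe issues one GET and records the status and Content-Length.
func Probe(client *http.Client, t Target) Result {
	res := Result{URL: t.Base + "/" + t.Path, Length: -1}
	resp, err := client.Get(res.URL)
	if err != nil {
		res.Err = err // unreachable host, TLS failure, timeout, ...
		return res
	}
	defer resp.Body.Close()
	res.Status = resp.StatusCode
	res.Length = resp.ContentLength // -1 if no Content-Length was sent (e.g. chunked)
	return res
}

// Spray walks the target list with an optional pause between requests.
func Spray(client *http.Client, targets []Target, delay time.Duration) []Result {
	results := make([]Result, 0, len(targets))
	for i, t := range targets {
		if i > 0 && delay > 0 {
			time.Sleep(delay)
		}
		results = append(results, Probe(client, t))
	}
	return results
}

// Hits keeps the 2xx responses, the rows the report lists as URLs.
func Hits(results []Result) []Result {
	var hits []Result
	for _, r := range results {
		if r.Status >= 200 && r.Status < 300 {
			hits = append(hits, r)
		}
	}
	return hits
}

// FormatReport renders a plain-text equivalent of report.html: status, length, URL.
func FormatReport(results []Result) string {
	var b strings.Builder
	for _, r := range results {
		if r.Err != nil {
			fmt.Fprintf(&b, "ERR  %6d  %s  (%v)\n", r.Length, r.URL, r.Err)
			continue
		}
		fmt.Fprintf(&b, "%3d  %6d  %s\n", r.Status, r.Length, r.URL)
	}
	return b.String()
}

func main() {
	// Constructed placeholder input; in practice read urls.txt and the path list.
	hosts := []string{"www.targetdomain.com", "blog.targetdomain.com"}
	paths := []string{"wp-admin", "wp-config", "admin"}
	client, err := NewClient("http://127.0.0.1:8080", 10*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Print(FormatReport(Spray(client, BuildTargets(hosts, paths), 0)))
}
```

    When proxying HTTPS through Burp, install Burp’s CA certificate in the system trust store rather than disabling certificate verification in the client; that keeps the -1 and error rows in the report meaningful, since a failed TLS handshake is otherwise indistinguishable from a host that is down.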