
IIS File Enumeration Vulnerability Exposes Sensitive Data in Windows Web Apps
The video by @NahamSec addresses a file enumeration vulnerability affecting Windows web applications that run on IIS. This flaw, identified by Soroush Dalili (irsdl), allows attackers to obtain the first six characters of a file's name and the first three letters of its extension. For example, a file named config.xml would appear as confi.xm. The author explains that this vulnerability is often overlooked, even though it can reveal sensitive files such as backups, configurations, or source code.

The video uses the tool shortscan by bitquark to identify vulnerable IIS versions and list the partially revealed filenames. A practical demonstration shows how to guess the full filename (e.g., API2023sourcecode.zip) by combining logical assumptions with fuzzing tools like ffuf.

A Python lab that replicates a Windows application's behavior is provided for training. Successful exploitation can grant access to sensitive files, such as a config.py containing API credentials, and may lead to further vulnerabilities (e.g., file upload resulting in RCE). The lab is available on Hacking Hub for practice.
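As an added example (not from the video or its lab), this Python sketch takes the defender's view: given a web-root listing, it shows which fragment of each long filename the enumeration described above can reveal and which files collapse onto the same fragment. The function names, the watch list and the sample listing are assumptions, and the 8.3 rules are simplified (no hash-based aliases, no Unicode handling).

```python
import re

# Characters that are legal in long names but replaced by "_" in 8.3 aliases.
_REPLACED = re.compile(r"[+,;=\[\]]")
# Constructed watch list of truncated extensions worth reviewing (.config -> CON).
WATCH_EXT = {"ZIP", "BAK", "SQL", "CON", "OLD", "TAR"}


def leaked_fragment(filename):
    """Return (prefix6, ext3) that 8.3 enumeration can reveal for a long
    filename, or None when the name already fits 8.3 (no ~N alias exists)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:          # "README" or ".htaccess": no real extension
        stem, ext = filename, ""
    fits = (len(stem) <= 8 and len(ext) <= 3 and "." not in stem
            and " " not in filename and not _REPLACED.search(filename))
    if fits:
        return None

    def clean(part):
        # Spaces and extra dots are dropped, the rest is upper-cased.
        return _REPLACED.sub("_", part.replace(" ", "").replace(".", "")).upper()

    return clean(stem)[:6], clean(ext)[:3]


def audit(filenames):
    """Group web-root filenames by leaked fragment and flag watched extensions."""
    report = {}
    for name in filenames:
        frag = leaked_fragment(name)
        if frag is None:
            continue
        entry = report.setdefault(frag, {"files": [], "review": frag[1] in WATCH_EXT})
        entry["files"].append(name)
    return report


# Constructed sample listing; only API2023sourcecode.zip comes from the page.
SAMPLE = ["API2023sourcecode.zip", "API2023sourcecode-old.zip",
          "index.htm", "database backup.sql", "web.config"]

if __name__ == "__main__":
    for (prefix, ext), info in audit(SAMPLE).items():
        flag = "REVIEW" if info["review"] else "ok"
        print(f"{prefix}~N.{ext:<3} {flag:<6} <- {', '.join(info['files'])}")
```

Files flagged for review are the ones to move out of the web root or rename, since their prefix and truncated extension are what an outside scan would start from.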