Michele Di Bonaventura, Speaker

Penetration Tester by day, Web Security Researcher by night. In love with web (In)Security.
  • IIS Tilde Enumeration: an evergreen vulnerability

    IIS Tilde Enumeration is a security misconfiguration that allows enumeration of filenames and directories on IIS web servers, through which an attacker can access files that a sysadmin would consider "well-hidden". It is a vulnerability shrouded in mystery: although more than 10 years have passed since its public disclosure, it is still a common and widespread issue, yet one that remains unfamiliar to most people. In this talk we're going to delve deeper into this evergreen vulnerability by exploring its history to uncover the reasons behind the issue, examining the logic behind it to understand how it works, and showing its full exploitation process through the study of a real-world case found in December 2021 on "portswigger.net".

    10:45/11:30, 10 Jun 2023