Directory Bruteforce Scan
Medium
Discovers hidden directories and files using dictionary-based brute forcing with Gobuster. Requires domain verification.
What is Directory Bruteforce?
Gobuster and similar tools use dictionary-based brute forcing to discover hidden directories and files on web servers. They systematically request common file and directory names to find content not linked from the main application, such as backup files, admin panels, or configuration files.
Security Impact
Severity: High
- Discovery of backup files containing sensitive data
- Access to admin panels or internal tools
- Exposure of configuration files
- Discovery of development or staging endpoints
- Access to unprotected API documentation
How to Fix
1. Remove Unnecessary Files from Public Directory
# Audit your public directory
ls -la public/
# Remove any files that shouldn't be publicly accessible
rm public/*.bak
rm public/*.old
rm public/*.sql
rm public/*.zip
2. Block Common Attack Patterns
# Nginx - block common bruteforce targets
location ~ \.(bak|old|sql|zip|tar|gz|log|env|ini|conf|swp)$ {
deny all;
return 404;
}
# Block hidden files
location ~ /\. {
deny all;
return 404;
}
# Block common admin paths if not used
location ~ ^/(admin|administrator|wp-admin|phpmyadmin|cpanel) {
deny all;
return 404;
}
3. Implement Rate Limiting
Slow down bruteforce attempts with rate limiting:
# Nginx - limit request rate (limit_req_zone must be declared in the http {} context)
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
server {
location / {
limit_req zone=general burst=20 nodelay;
}
}
4. Use Laravel's Route Configuration
Ensure only defined routes respond:
// routes/web.php - Laravel automatically returns 404 for undefined routes
// Make sure you don't have catch-all routes that might serve unintended content
// Avoid this pattern unless intentional:
// Route::any('{any}', function() { ... })->where('any', '.*');
5. Set Proper File Permissions
# Restrict public directory permissions
find public/ -type f -exec chmod 644 {} \;
find public/ -type d -exec chmod 755 {} \;
# storage/ and bootstrap/cache/ must be writable by the application user, but they
# live outside the web root (public/), so the web server never serves them directly
chmod -R 775 storage/
chmod -R 775 bootstrap/cache/
6. Monitor and Alert on Bruteforce Attempts
# Detect bruteforce patterns in your logs: look for rapid 404 responses from the same IP.
# fail2ban (or a similar tool) can do this for you. Example filter for Nginx:
# /etc/fail2ban/filter.d/nginx-bruteforce.conf
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) .* HTTP/.*" 404
ignoreregex =
# Enable the filter with a jail that points at the Nginx access log
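The same detection logic as the fail2ban filter above, written out as a small Python script so you can see what "rapid 404s from the same IP" means in practice. This is an added example, not code from the page or from StackShield: it parses Nginx combined-format access log lines with a regex equivalent to the failregex, keeps a per-IP sliding window of 404 responses, and flags any client that exceeds a threshold inside that window. The log lines, IP addresses (documentation ranges) and threshold values are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Same idea as the fail2ban failregex: client address, request line and a status
# code in Nginx's default "combined" log format. <HOST> becomes a named capture
# group and the timestamp is captured as well so we can window on it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|POST|HEAD) (?P<path>\S+) HTTP/[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 15/Jan/2024:10:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag client IPs that produce more than `threshold` 404 responses inside any
    `window_seconds` sliding window. Returns {ip: [paths seen in that window]}.
    Lines are expected in log order (timestamps non-decreasing per IP)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path), 404s only
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # malformed or non-matching line: skip it
            continue
        ip, ts, _method, path, status = rec
        if status != 404:
            continue
        q = recent[ip]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop 404s that fell out of the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = [p for _, p in q]
    return flagged


def _log_line(ip, ts, method, path, status):
    """Build one constructed combined-format access log line."""
    return (f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" '
            f'{status} 153 "-" "Mozilla/5.0"')


def build_sample_log():
    """Constructed sample log (not real traffic): one client walking a wordlist and
    getting a 404 every second, plus a normal client with a single 404."""
    t0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    scanner = "203.0.113.7"      # constructed, documentation address range
    normal = "198.51.100.4"      # constructed, documentation address range
    probes = ["/admin", "/backup.zip", "/.env", "/config.bak", "/phpmyadmin",
              "/db.sql", "/wp-admin", "/old", "/staging", "/api/docs",
              "/administrator", "/cpanel"]
    lines = [_log_line(scanner, t0 + timedelta(seconds=i), "GET", p, 404)
             for i, p in enumerate(probes)]
    lines += [_log_line(normal, t0 + timedelta(seconds=2), "GET", "/", 200),
              _log_line(normal, t0 + timedelta(seconds=5), "GET", "/login", 200),
              _log_line(normal, t0 + timedelta(seconds=9), "GET", "/favicon.ico", 404)]
    lines.sort(key=lambda l: parse_line(l)[1])   # interleave as a real log would
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, paths in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(paths)} x 404 within 60s, e.g. {paths[:3]}")
```

The threshold and window are the two knobs to tune: a normal user rarely triggers more than a handful of 404s per minute (missing favicons, stale bookmarks), while a wordlist scan produces dozens per second. Feed the script `tail -f` output or a log shipper's stream and it becomes the same alert fail2ban would raise, minus the automatic ban.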
Verification
After applying these fixes, a Gobuster scan should find significantly fewer results. Critical files like backups, configs, and admin panels should return 404.
Related Issues
- Directory & File Exposure
- Sensitive Laravel Files
- Exposed .env Files
Automatically detect this issue
StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.