TL;DR

  • Turns out there’s an RFC standard web directory that I didn’t know about
  • It could be useful for OSINT
  • It’s not in most wordlists, so dirb/wfuzz/etc. probably won’t find it or its contents
  • You can use this gist to dirbust /.well-known

Short post. I was browsing YouTube, as one does during the apocalypse, and I came across @LiveOverflow talking about his invention, the security.txt file within the RFC /.well-known directory on web servers. What is the /.well-known directory? According to Wikipedia: “It is increasingly common for Web-based protocols to require the discovery of policy or other information about a host (“site-wide metadata”) before making a request.”

The files placed in the /.well-known directory are standardized and used to provide such information to the clients.

Why do we care, as researchers?

Because some of the information yielded by these metadata files can be useful for OSINT. The first example that comes to mind is the /.well-known/security.txt file itself.

Contained within it are the email addresses to contact in the event of identifying a vulnerability. If we’re lucky, the email address(es) provided will give us a sense of their email naming scheme and aid in future OSINT to build out potentially valid email addresses for phishing.
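Since the contents of security.txt are exactly what the post says an attacker will harvest, a site owner should know what their own file exposes and whether it is even valid. The following parser/validator for the security.txt format is an added example, not code from the original post or the linked gist; the field names follow RFC 9116, and the sample file is constructed.

```python
# Added example: parse a /.well-known/security.txt (RFC 9116 format) and
# report problems a site owner would want to fix before publishing it.
# The sample below is constructed, not taken from any real site.
from datetime import datetime, timezone

SAMPLE = """\
# constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
"""

REQUIRED = ("Contact", "Expires")  # both are mandatory in RFC 9116


def parse_security_txt(text):
    """Return {field name: [values]} ignoring comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return a list of problems; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in fields]
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear at most once")
    for exp in fields.get("Expires", []):
        try:  # RFC 9116 requires an ISO 8601 timestamp; 'Z' means UTC
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {exp}")
            continue
        if when <= now:
            problems.append(f"file expired on {exp}")
    for c in fields.get("Contact", []):
        if ":" not in c:
            problems.append(f"Contact must be a URI (e.g. mailto:): {c}")
        elif c.lower().startswith("http://"):
            problems.append(f"web Contact URIs must use https://: {c}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print(parsed)
    print(validate(parsed) or "OK")
```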

Wait, this isn’t already in dirb, wfuzz, or Kali?

When I first learned of /.well-known, I checked dirbuster-ng and wfuzz to see if this was already covered in their wordlists – Nope. I also tried to find signs of it in the default Kali wordlists…

…Nope.

It’s this fact that was most surprising to me. So I went out to find all the valid /.well-known/ URIs that I could and created a gist for them.

Link to list of .well-known URIs here

Add it to dirb and knock yourself out

— @Quickbreach