
Penetration Tester's Old Friend: 8.3 File Name


As Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles”, or in summary: know yourself and your enemy. Getting to know an enemy can be a creepy process, but from a penetration tester's perspective it can be easy: there is an old friend that can help you map an application during application tests.

When you create a new file on a Windows-based operating system, the OS also generates a short file name (the Windows short name, also known as the 8.3 format). Detailed information can be found at the following link.

This only happens when the file name is longer than 8 characters. The feature still exists to stay compatible with MS-DOS-based or 16-bit Windows programs, because they may need to access these long-named files.

If your application runs on a Windows-based operating system with the IIS web server, it is highly possible for sensitive information to be accessed through these short names.

There is a great, recently updated tool that you can use to test your web server. Solving this issue is very easy: you just need to change a registry value. For more detail, see the Microsoft advisory.

Key:   HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
Name:  NtfsDisable8dot3NameCreation
Value: 1
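
To verify the setting above on a server, the following added example (not part of the original post) reads the registry value and lists the files under a web root that still carry an 8.3 alias. The `$WebRoot` default is an assumed path, and the value meanings in the `switch` follow Microsoft's `fsutil behavior set disable8dot3` documentation.

```powershell
# Added example: audit 8.3 short-name exposure on an IIS host.
# Assumption: $WebRoot is the site's content directory; change it for your server.
param([string]$WebRoot = 'C:\inetpub\wwwroot')

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name = 'NtfsDisable8dot3NameCreation'

# 1. Read the registry value named in the post and explain what it means.
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
$meaning = switch ($value) {
    0       { 'short names are created on all volumes' }
    1       { 'short-name creation is disabled on all volumes' }
    2       { 'short-name creation is decided per volume' }
    3       { 'short-name creation is disabled except on the system volume' }
    default { 'unrecognised value' }
}
Write-Output "$name = $value ($meaning)"

# 2. List items under the web root whose 8.3 alias differs from the long name.
#    Scripting.FileSystemObject returns the long name when no alias exists.
$fso = New-Object -ComObject Scripting.FileSystemObject
$exposed = Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try {
            $short = if ($item.PSIsContainer) { $fso.GetFolder($item.FullName).ShortName }
                     else                     { $fso.GetFile($item.FullName).ShortName }
        } catch {
            return   # item not readable through COM (for example, a very long path)
        }
        if ($short -ne $item.Name) {
            [pscustomobject]@{ ShortName = $short; Path = $item.FullName }
        }
    }

# 3. Report the result.
if ($exposed) {
    $exposed | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Output "No 8.3 aliases found under $WebRoot"
}
```

Setting the value to 1 only stops new short names from being created; files that already have an alias keep it until they are recreated or the alias is removed with `fsutil 8dot3name strip`.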

 

http://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
https://support.microsoft.com/en-us/kb/142982
https://github.com/irsdl/IIS-ShortName-Scanner
https://support.microsoft.com/en-us/kb/121007