Directory Brute-Forcing and Artifact Exposure: Qualitative insight into Underestimated Threats to Web Application Security
DOI: https://doi.org/10.70112/ajeat-2025.14.1.4296

Keywords: Web Application Security, Directory Brute-Forcing, Exposed Artifacts, DevSecOps, Deployment Pipelines

Abstract
Web applications increasingly face threats not only from sophisticated exploits but also from basic oversights such as misconfigured directories and exposed development artifacts. This study explores the awareness and mitigation strategies of developers, DevOps engineers, and system administrators regarding vulnerabilities arising from directory brute-forcing and the exposure of sensitive files, including .git/, .env, and .bash_history. Using a qualitative approach, data were collected through semi-structured interviews with 11 IT professionals across different sectors in Nigeria, where the rise of small- and medium-scale web deployments has amplified security risks. The findings reveal a concerning inconsistency in mitigation strategies, even among technically proficient participants. While some employ directory restrictions and CI/CD security checks, others rely on ad hoc, manual practices. Most participants were aware of the risks posed by exposed artifacts; however, only a few incorporated automated tools or vulnerability scanners into their deployment pipelines. Notably, a gap persists between theoretical knowledge and operational execution, leaving systems vulnerable to reconnaissance and chained attacks. This study highlights the need for stronger DevSecOps integration, improved developer hygiene practices, and automated security enforcement within web deployment workflows. The results underscore a critical call to action for organizations and individual professionals to revisit their deployment pipelines and invest in proactive security measures that extend beyond basic configuration.
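A pre-deploy check of the kind the abstract groups under CI/CD security checks, added here as an example and not taken from the paper: it walks the directory about to be published and fails the build if any of the artifacts the study names (.git/, .env, .bash_history) would be deployed. The artifact name list and the sample tree are constructed assumptions, not data from the study.

```python
"""Pre-deploy artifact check (added example; the name list is assumed)."""
import os
import tempfile

# Artifacts named in the study plus common relatives; extend for your stack.
# Directories in this set are reported once and never descended into.
SENSITIVE_NAMES = {".git", ".env", ".bash_history", ".svn", ".hg"}
SENSITIVE_SUFFIXES = (".bak", ".swp", ".orig")


def find_exposed_artifacts(webroot: str) -> list[str]:
    """Return sorted paths, relative to webroot, that must not be published."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        for name in list(dirnames):      # iterate a copy; we prune dirnames
            if name in SENSITIVE_NAMES:
                findings.append(os.path.normpath(os.path.join(rel_dir, name)) + "/")
                dirnames.remove(name)    # e.g. skip the contents of .git/
        for name in filenames:
            if (name in SENSITIVE_NAMES or name.startswith(".env.")
                    or name.endswith(SENSITIVE_SUFFIXES)):
                findings.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(findings)


def check_build(webroot: str) -> int:
    """Pipeline exit status: 0 if the tree is clean, 1 if anything would leak."""
    findings = find_exposed_artifacts(webroot)
    for path in findings:
        print(f"REFUSING TO DEPLOY: {path}")
    return 1 if findings else 0


def run_demo(include_artifacts: bool = True) -> tuple[list[str], int]:
    """Build a constructed sample web root in a temp dir and check it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = ["index.html", "css/app.css"]
    if include_artifacts:  # the leaks the study describes, plus a backup file
        files += [".env", ".env.production", ".bash_history", ".git/HEAD",
                  ".git/config", "app/.env", "config.php.bak"]
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return find_exposed_artifacts(root), check_build(root)


if __name__ == "__main__":
    print(run_demo())
```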
Copyright (c) 2025 Centre for Research and Innovation

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

