Let's just say I want to test the security of a server (http://www.testserver.com) for directory scanning/reading vulnerabilities.

I would normally try to search for a file, say /etc/passwd (or something more interesting :)), by doing something like http://www.testserver.com/../../../../etc/passwd and see if it throws up anything.

Now this can get quite tedious if I don't know exactly how many dots and slashes I would have to go through to find this problem.

Is there any intelligent/automatic way to do this?

P.S. I don't know what the word is for this sort of test, so if I've duplicated this question, kindly indicate.

A: 

Usually when Apache or something is configured correctly, it will not let you access anything above the root directory, defined by DocumentRoot in your Apache config.

If you have the correct DocumentRoot set in your Apache config, then there is no problem. Usually the default configuration is safe, but of course, you may have accidentally allowed access to other folders.

Yuri
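
The containment the answer describes, sketched as an added example (not part of the original post and not Apache's own code): a request path is mapped onto the document root and refused if its `..` segments would climb above it. The root `/var/www/html` and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCUMENT_ROOT = "/var/www/html"  # assumed value, stands in for DocumentRoot


def resolve_under_root(url_path, root=DOCUMENT_ROOT):
    """Map a URL path to a path under root, or return None if it escapes.

    The check is purely lexical: it does not follow symlinks, so a symlink
    inside the root that points elsewhere needs a separate policy.
    """
    # Decode percent-escapes first, so the check sees the same path
    # that the later file lookup would see.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None  # NUL bytes never belong in a file path

    kept = []  # segments below the root after normalisation
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty and "." segments do not change the position
        if segment == "..":
            if not kept:
                return None  # would step above the document root
            kept.pop()
        else:
            kept.append(segment)
    return posixpath.join(root, *kept) if kept else root


def classify(paths, root=DOCUMENT_ROOT):
    """Return {path: resolved path or 'REFUSED'} for a batch of request paths."""
    return {p: resolve_under_root(p, root) or "REFUSED" for p in paths}


# Constructed sample requests; the second is the one from the question.
SAMPLES = ["/index.html", "/../../../../etc/passwd", "/img/../index.html"]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLES).items():
        print(f"{path!r:32} -> {verdict}")
```

The number of `../` segments does not matter to this check: any path that steps above the root is refused at the first segment that does so.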