As an ethical hacker trying to exploit loopholes in web application running on IIS that this file is good to know and contains a lot of useful information
"C:\Windows\System32\inetsrv\config\applicationHost.config"
This file contains a lot of general IIS settings and therefore knowing the contents of the file is very useful when trying to run a custom exploit.
During an attempt to find an exploit I kept getting IIS exceptions because I was attempting to access some “special” files such as configuration files and code files. So if you are attempting to find “special” files for the a web application running on IIS the above file contains two sections that you want to familiarize yourself with called
- /configuration/configSections/security/requestFiltering/fileExtensions
- /configuration/configSections/security/requestFiltering/hiddenSegments
The first section contains a list of file extensions that are not allowed to be served by IIS and therefore their contents can be hard to extract. So no matter how badly the web application is written IIS will still block these common interesting files. So you need to work your way around this blocks I.e. by looking for code files that have been given unusual extensions or other non-default file types. But you can also use it as a map of which files are considered interesting, so if you find some exploit, then these files would be a good source of interesting information.
The second section is also interesting to know, so when looking for interesting files you need to navigate around these paths, and again look for files that are not placed according to best practice. And also if you find an exploit these places are interesting places to look at.
For developers you should also know this information and ensure that you follow best practice so IIS will provide you with basic support.