What it is
Brute-forced unlinked paths: hidden APIs, backups, configs, and panels that expand the attack surface. Two engines (ffuf and dirsearch) with different wordlists are run so fewer hidden paths are missed.
How attackers abuse it
Input reaches a system shell, so the attacker runs their own commands on your server. That means full server takeover: read any file, install malware, pivot to your other systems.
Attacker playbook
1. Find a feature that runs a system command (ping, file conversion, export).
2. Inject an extra command and confirm it runs via output or a measured time delay.
3. Escalate to a full shell, then read secrets and move deeper into the network.
How VibeSec detects and confirms it
VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using ffuf, dirsearch and VibeSec native. When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.
If this is in your report: how to fix it
- Never pass user input to a shell. Use language APIs instead of shelling out.
- If you must call a program, use an argument array, not a single command string.
- Validate input against a strict allow-list and run with the least privilege possible.
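The three fixes above, shown on the ping feature from the playbook, as an added Python example (not VibeSec's code): the vulnerable string-building form is kept only as a returned string for comparison, while the hardened path validates the host against a strict allow-list pattern and passes an argument array to subprocess with no shell involved. The hostname pattern and the "ping -c 1" invocation are assumptions for illustration.

```python
import re
import subprocess

# Allow-list for a hostname or IPv4 literal: labels of letters, digits and
# inner hyphens joined by dots. Shell metacharacters (; | & $ ` and spaces)
# and a leading "-" (which would read as a ping option) can never match.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """The 'before': user input spliced into one command string, the shape
    that subprocess.run(cmd, shell=True) or os.system(cmd) would execute.
    Returned rather than run so the defect can be inspected safely."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Strict allow-list check; anything not matching is rejected outright."""
    return HOST_RE.fullmatch(host) is not None


def build_ping_argv(host: str) -> list:
    """The 'after': validate, then return an argument array. Each element is
    handed to ping as-is; there is no shell to interpret separators."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute with shell=False (the default). Run under an unprivileged
    service account so a bug elsewhere cannot be turned into root."""
    return subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate host, one carrying a separator.
    for candidate in ("example.com", "example.com; id"):
        print(candidate, "->", "accepted" if is_valid_host(candidate) else "rejected")
```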
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.