You have written a Python enumeration script that uses the requests library to iterate through a wordlist of common folder names (for example, admin, backup, logs). The target web server has directory listing explicitly disabled (Options -Indexes), so visiting https://example.com/backup/ in a browser shows a 403 Forbidden page rather than a file list. Despite this, your script successfully flags /backup/ as an existing directory.
Which statement best explains why your Python requests script can still discover the directory?
It analyzes the HTTP status codes for each guessed path and treats non-404 responses as evidence that the path exists.
Directory listing restrictions apply only to web browsers; API clients such as requests are exempt.
The requests library bypasses server permissions by opening a raw TCP socket before HTTP negotiation.
requests automatically queries certificate-transparency logs to enumerate private directories.
The script does not need the server to reveal a directory index. By comparing the HTTP status codes (or other response characteristics) received for guessed paths against those for clearly invalid paths, the script can infer whether a directory exists. This technique-often called forced browsing or directory brute-forcing-works even when directory listing is disabled. The requests library itself cannot bypass server permissions; it only automates and analyzes individual HTTP requests. The other options describe actions that would not reveal the directory under normal server configuration.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Python requests library used for?
Open an interactive chat with Bash
What techniques are typically used to discover hidden directories on a server?
Open an interactive chat with Bash
How can directory listing be disabled on a server?