In my experience, .DS_Store is an essential line in your personal scanning lists. These days, exposed .DS_Store files can be rare, but it can be a useful string to use when trying to find hard-to-discover paths as well. Here’s a brief introduction to .DS_Store, and a recount of a time when it really paid off for me.

The .DS_Store file contains folder metadata for Mac users. These files are created automatically inside of archives, local folders, and even remotely mounted folders. More importantly, for us, these files can include file and folder names that we would have otherwise been unable to guess during normal directory bruteforcing techniques.

Luckily for us the format has been reversed engineered and you can use this simple one-liner or this Python-dsstore project to parse the file and read the contents. Additionally you can simply read the file with a text editor. You’ll just have to ignore the gibberish bits between the files/folders.

A quick grep of SeclLists’ Web-Discovery folder reveals that the file is included in all sizes of the file/word raft lists, quickhits.txt, and dirsearch.txt which are among the most popular pre-made bruteforce lists.

However, this file doesn’t always make into the pentester’s personal shortlists, which I believe is a mistake.

While bug hunting I came across a url that looked something like http://click.example.com/track?mktoTestLink that rendered a blank page HTML page with just the word Hello in the body. It appeared to be a tracking link where mktoTestLink would be replaced with the base64 encoded redirect url.

A cursory Google search showed only a few similar links and a handful of results for analyzed malware which contained similar links. Eventually, directory discovery with gobuster revealed a 404.html page on the subdomain. The page revealed nothing new except for an svg graphic of a bird. This bird graphic was hosted on another site which was traced back to Marketo, an Adobe owned marketing company.