Mutillidae
Local PHP File Inclusion Vulnerability Example | Web Applications Hacking | How To | LFI PHP
The vulnerability lies in how web pages are invoked on a web server. If an absolute path or direct referencing is used, then it is possible to invoke pages on the server that a hacker has no business seeing.
Pranshu Bajpai
Last updated on Sep 17, 2023
1 min read
penetration testing
How To Test Cookie / Session ID Randomness Using Burp Suite Sequencer
When you log on to a web server, a session is created which is identified by a session ID. The session identifier can be a cookie. This cookie holds the session ID so that one can log in once for each session (from there on, the session is passed on to the various web pages one browses on that server).
Pranshu Bajpai
Last updated on Sep 17, 2023
2 min read
penetration testing
Fuzz Testing Web Applications With Burp Suite | Burp Intruder [Sniper] to Fuzz Parameters
IronGeek hosts a lot of good videos about testing web applications with Burp Suite. I tested these attacks out myself. Attacked Server: Mutillidae; Test Page: Main Login Form; Test Parameter: Username
Pranshu Bajpai
Last updated on Sep 17, 2023
2 min read
penetration testing
Directory Browsing Vulnerability | Directory Listing / Traversal Attack | How To | Demo [Screenshots] | Mutillidae
As a web application penetration tester, when you find directory browsing enabled on a web server, you include it in your report, but you know subsequent exploitation might be a long shot depending on what information is actually exposed.
Pranshu Bajpai
Last updated on Sep 17, 2023
1 min read
penetration testing