Nmap Development mailing list archives
Re: Web App Scanner - GSoC 2009
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Sat, 28 Mar 2009 14:31:56 -0000 (UTC)
This sounds like it would make a couple good NSE scripts
I've attached a script of mine that only checks a few files and folders at the moment and would need to be expanded over time (especially for more advanced checks when the server returns 200 for non-existent files - although that might just be a "nice to have" - and identifying folders that allow directory listings), but I thought I'd share it and perhaps others will have some suggestions/improvements in mind. Here's some sample output: Interesting ports on aurora.apache.org (192.87.106.226): PORT STATE SERVICE 80/tcp open http | http-enum: /dev/ Possible development directory | /icons/ Icons directory | /images/ Images directory |_ /mail/ Mail directory Interesting ports on scanme.nmap.org (64.13.134.52): PORT STATE SERVICE 80/tcp open http |_ http-enum: /icons/ Icons directory Interesting ports on wwwtk2test2.microsoft.com (207.46.193.254): PORT STATE SERVICE 80/tcp open http | http-enum: /beta/ Beta directory (Access Forbidden) | /data/ Data directory (Access Forbidden) |_ /test/ Test directory (Access Forbidden) Interesting ports on xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx): PORT STATE SERVICE 443/tcp open https |_ http-enum: /webmail/ Webmail directory I've used quite a few web application tools over the last few years and I'm not sure that a command line tool like Nmap would be the best place to add some of the suggested functionality. Tools like Nikto certainly have their use, and perhaps we can produce a similar NSE script so Nmap can match most of the functionality (and possibly licence CIRT's database?); but for "serious" web application testing I'd personally want a dedicated tool that lets me do things like script logins, complete forms interactively in a browser, can follow JavaScript links, test sites that use multiple servers/subdomains, lets me manually crawl a website in a browser, doesn't produce too many false positives, and (most importantly) lets me see the request and response when I'm writing a report. Being able to compare the results against some form of vulnerability database sounds good, but medium-large sites often return several gigabytes worth of traffic and this might not be healthy for Nmap (or the host) to hold in memory and could be tricky to store into XML files etc. (other tools I've used will typically store data in some form of SQL databases). A separate tool, similar to how Zenmap/Ncat has been developed by Nmap developers, might be better so results can be managed with a GUI and data stored in a database, rather than trying to extend Nmap. Rob
Attachment:
http-enum.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Web App Scanner - GSoC 2009 João (Mar 27)
- Re: Web App Scanner - GSoC 2009 Patrick Donnelly (Mar 27)
- Re: Web App Scanner - GSoC 2009 Fyodor (Mar 29)
- Re: Web App Scanner - GSoC 2009 João (Mar 31)
- <Possible follow-ups>
- Re: Web App Scanner - GSoC 2009 Rob Nicholls (Mar 28)
- Re: Web App Scanner - GSoC 2009 João (Mar 28)
- Re: Web App Scanner - GSoC 2009 Fyodor (Mar 30)