Penetration Testing mailing list archives
Re: Automatic web application security profiling
From: Anthony Cicalla <anthony.cicalla () gmail com>
Date: Sat, 12 Sep 2009 03:16:46 -0700
Paros or Burp would be your best guess for spidering the site looking for POST/GET requests. If you're going to do that you might as well proxy through something running ratproxy to pick up any vulns passively while spidering. Just a thought. It would also help you identify the potential vectors that require more effort to exploit.

Anthony Cicalla

On Wed, Sep 9, 2009 at 2:00 AM, Volker Tanger <vtlists () wyae de> wrote:

Hi!

On Sat, 5 Sep 2009 18:52:01 +0530, D Adusumalli <asndpp () gmail com> wrote:

Open source web proxies BURP, WebScarab have spidering ability.

On Thu, Jul 16, 2009 at 7:12 AM, John Beck <jbeck59 () hotmail com> wrote:

I am about to start an application layer security assessment of a web application and I am searching for a quick method of identifying "most" of the inputs of a JSP/tomcat web application (remotely, without source code access).

Burp, WebScarab et al. don't summarize form usage - if you have a search form on each page, every single page will be listed as form. :-/ Thus I wrote the "Thekla" spider for exactly this purpose: http://www.wyae.de/software/thekla/ It consolidates all forms and their resulting action CGI interface as well as parameter-laden URLs into neat text/CSV files. If you use it, comments and suggestions are welcome.

Bye

Volker

--
Volker Tanger http://www.wyae.de/volker.tanger/
vtlists () wyae de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB

--
Anthony,
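The consolidation Volker describes (one row per distinct form or parameter-laden URL, no matter how many pages repeat it, written out as CSV) as an added example; this is not Thekla's code and the `example.test` pages, `FormCollector` and `profile` names are constructed for illustration:

```python
import csv
import io
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

class FormCollector(HTMLParser):  # collects <form> elements (with input names) and <a href> links of one page
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.links, self._cur = page_url, [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # (absolute action URL, method, [parameter names])
            self._cur = (urljoin(self.page_url, a.get("action", "")), a.get("method", "get").lower(), [])
        elif tag in ("input", "select", "textarea") and self._cur and a.get("name"):
            self._cur[2].append(a["name"])
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))
    def handle_endtag(self, tag):
        if tag == "form" and self._cur:
            self.forms.append(self._cur)
            self._cur = None

def profile(pages):
    """pages: {url: html}. Returns sorted (kind, endpoint, method, params, occurrences) rows."""
    counts = {}
    for url, html in pages.items():
        p = FormCollector(url)
        p.feed(html)
        for action, method, params in p.forms:  # identical forms on many pages collapse to one row
            key = ("form", action, method, ",".join(sorted(params)))
            counts[key] = counts.get(key, 0) + 1
        for link in p.links:
            u = urlparse(link)
            if u.query:  # a parameter-laden URL is an input surface too
                key = ("url", u._replace(query="").geturl(), "get", ",".join(sorted(parse_qs(u.query))))
                counts[key] = counts.get(key, 0) + 1
    return sorted(k + (n,) for k, n in counts.items())

def to_csv(rows):
    """Render the consolidated inventory as CSV text (what a tool would write to file)."""
    buf = io.StringIO()
    csv.writer(buf).writerows([("kind", "endpoint", "method", "params", "occurrences"), *rows])
    return buf.getvalue()

# Constructed sample site: the same search form on every page, one login form, two links to item.jsp.
SEARCH = '<form action="/search" method="get"><input name="q"></form>'
PAGES = {"http://example.test/index.jsp": SEARCH + '<a href="/item.jsp?id=42">item</a>',
         "http://example.test/login.jsp": SEARCH + '<form action="/login" method="post"><input name="user"><input name="pass"></form>',
         "http://example.test/about.jsp": SEARCH + '<a href="item.jsp?id=7">other</a>'}
```

Running `to_csv(profile(PAGES))` yields three rows (login form once, search form three times, item.jsp once per distinct parameter set) instead of one entry per page, which is the summary the spiders in the thread do not produce.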