WebApp Sec mailing list archives
RE: Website "Scanner"
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Fri, 10 Jan 2003 12:07:18 -0500
I disagree with "increase exponentially". Let's say you have a list of file name substitutions to try. Maybe something like

    #replace existing extension
    s/\.[^.]+$/.bak/
    s/\.[^.]+$/.bkup/
    s/\.[^.]+$/.old/
    s/\.[^.]+$/.zip/
    #intermediate extension
    s/\.([^.]+)$/.bak.\1/
    s/\.([^.]+)$/.bkup.\1/
    s/\.([^.]+)$/.old.\1/
    #add to original extension
    s/$/.bak/
    s/$/.bkup/
    s/$/.old/
    s/$/.zip/
    #prepend possible backup directory names
    s/^/\/bkup/
    s/^/\/backup/
    s/^/\/old/
    s/^/\/save/

And so on. If I have a spider, I am going to be making, for this list, 15 requests extra for each file I find. This is hardly an exponential increase. It is a factor of 15 increase. Furthermore, I can probably use HEAD or a 1-byte byte-range to keep the responses pretty small, so I'm consuming even as much bandwidth as the original page, and it probably would average out to about the same as requesting each page twice in terms of bytes received.

I find, from reviewing several web server directory listings, that there very often seems to be one or two files like this, and if they are script files and the extension is at the end, a source disclosure vulnerability results.

The other point is, even if it was an exponential time increase, there are some circumstances (when nothing else has worked, for example) where I basically have all the time in the world (or until the testing window closes anyway). It's better to have a script banging its head against the wall for you for a week than it is to give up and say "Welp, must not be vulnerable then".

Phil
-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com]
Sent: Thursday, January 09, 2003 7:57 AM
To: sullo () cirt net
Cc: backed.up.by.2048.bit.encryption () hushmail com; webappsec () securityfocus com; vuln-dev () securityfocus com
Subject: Re: Website "Scanner"

sullo () cirt net wrote:
> Quoting backed.up.by.2048.bit.encryption () hushmail com:
> > Is there anything out there like a port scanner but for websites, where it dictionary attacks the files. For example you plug in the domain:
> Not that I know of. The closest I can think of are two functions I have in Nikto, which can do two similar things currently:
> 1) guess Apache user names in a similar manner. For example ~a ~aa etc

Well, the user enumeration plugin could trivially be modified to do a brute force attack of filenames too. The problem being, however, that the number of requests you are going to make is quite high (and increases exponentially). Maybe it would be better to try to first index the site (spider like), and then attempt to retrieve "mutated" filenames. For example, if you see index.html try: index.html.old, index.html.bak...

Regards

Javi
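The substitution list Phil posts, turned into a self-audit a site owner can run against their own web root (an added example; it is not code from this thread, from Nikto, or from any tool mentioned here). It applies the 15 rules to each path the site is known to serve, reports which generated names actually exist on disk (the stale copies that would answer a probe), computes the linear request cost the post argues for, and on the log side flags a client whose requests fit the small-request, mostly-404 pattern the post describes. The served path list, the sample web root, the log lines and the threshold of 5 are constructed assumptions; the extension rules are applied to the file name only, a refinement over the raw sed rules so that a dot inside a directory name is not treated as an extension.

```python
"""Self-audit for stale backup copies in a web root using the mutation list
from the post, plus a small access-log check for the probing pattern it
describes.  Added example; not code from the original thread."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# The post's sed rules as (pattern, replacement) pairs.  They are applied to
# the file name only (last path segment) so that a dot in a directory name,
# e.g. /docs/v1.2/readme, is not mistaken for an extension.
EXTENSION_RULES = [
    (r"\.[^.]+$", ".bak"), (r"\.[^.]+$", ".bkup"),              # replace extension
    (r"\.[^.]+$", ".old"), (r"\.[^.]+$", ".zip"),
    (r"\.([^.]+)$", r".bak.\1"), (r"\.([^.]+)$", r".bkup.\1"),  # intermediate extension
    (r"\.([^.]+)$", r".old.\1"),
    (r"$", ".bak"), (r"$", ".bkup"), (r"$", ".old"), (r"$", ".zip"),  # append
]
# Possible backup directory names, prepended to the whole path.
BACKUP_DIRS = ["/bkup", "/backup", "/old", "/save"]
RULE_COUNT = len(EXTENSION_RULES) + len(BACKUP_DIRS)   # 15, as in the post


def mutate(path: str) -> list[str]:
    """Apply each rule independently to one served path (must start with '/')
    and return the distinct candidates that differ from the original."""
    directory, _, name = path.rpartition("/")
    out: list[str] = []
    for pattern, repl in EXTENSION_RULES:
        cand = f"{directory}/{re.sub(pattern, repl, name)}"
        if cand != path and cand not in out:   # no extension -> rule is a no-op
            out.append(cand)
    for prefix in BACKUP_DIRS:
        out.append(prefix + path)
    return out


def extra_requests(n_files: int) -> int:
    """Cost of the mutation pass: one extra request per rule per file (linear)."""
    return n_files * RULE_COUNT


def audit_webroot(webroot: Path, served_paths: list[str]) -> dict[str, list[str]]:
    """For every path the site serves, report which mutated names exist on disk;
    each hit is a candidate for removal or for a deny rule in the server config."""
    findings: dict[str, list[str]] = {}
    for path in served_paths:
        hits = [c for c in mutate(path) if (webroot / c.lstrip("/")).is_file()]
        if hits:
            findings[path] = hits
    return findings


# Log side: the probe looks like many small (HEAD / 1-byte Range) requests for
# backup-shaped names, nearly all answered 404.  Common Log Format assumed.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
PROBE_RE = re.compile(r"\.(bak|bkup|old|zip)(\.[^./]+)?$")


def looks_like_backup_probe(path: str) -> bool:
    """True if the path has the shape one of the 15 rules would generate."""
    return bool(PROBE_RE.search(path)) or any(
        path.startswith(d + "/") for d in BACKUP_DIRS)


def flag_probing_clients(log_lines: list[str], threshold: int = 5) -> dict[str, int]:
    """Count 404s for backup-shaped names per client; return those at or over threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(4) == "404" and looks_like_backup_probe(m.group(3)):
            counts[m.group(1)] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


def build_fixture() -> Path:
    """Constructed sample web root (not from the post): three served files, the
    kind of leftovers the post describes, and one file no rule generates."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel in ["index.html", "login.php", "cgi-bin/status",
                "login.php.old", "index.bak.html", "backup/index.html",
                "index.html.swp"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<?php /* constructed sample */ ?>\n")
    return root


SERVED = ["/index.html", "/login.php", "/cgi-bin/status"]   # assumed crawl result

# Constructed log lines: one client walking part of the list with HEAD, one normal hit.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Jan/2003:12:07:18 -0500] "HEAD {c} HTTP/1.0" 404 0'
    for c in mutate("/index.html")[:6]
] + ['10.0.0.9 - - [10/Jan/2003:12:08:01 -0500] "GET /index.html HTTP/1.0" 200 1532']

if __name__ == "__main__":
    root = build_fixture()
    for served, hits in audit_webroot(root, SERVED).items():
        print(f"{served}: stale copies present {hits}")
    print("extra requests for a 200-file site:", extra_requests(200))
    print("clients probing for backup names:", flag_probing_clients(SAMPLE_LOG))
```

Run it as a script to see the fixture audited; in practice, feed `audit_webroot` the path list from your own crawl or sitemap and `flag_probing_clients` a slice of the real access log. A hit whose name ends in the script extension (the `.bak.php` shape) is usually served as source and deserves the same priority as the `.php.old` case the post singles out.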