[WEB SECURITY] Missed pages and the usefulness of "site maps" for web app vuln scanning
Rusty Johnson
rusty_johnson2 at yahoo.com
Mon Jan 18 14:42:09 EST 2010
Christian,
If you are interested in having the site owner provide you with a list of their resources (site map) you may consider using a tool k3r0s1n3 and I built called DirSnatch.
The tool is available at
http://code.google.com/p/dirsnatch/downloads/list
There is an executable version, but if you feel more comfortable compiling the Ruby source code yourself you can contact me at cktricky.blogspot.com for instructions.
Also, our other program "DirChex" allows you to upload the output of DirSnatch and request through a proxy such as Burp to build a site map quickly.
http://code.google.com/p/dirchex/downloads/list
~cktricky
--- On Mon, 1/18/10, McCown, Christian M <c.mccown at intel.com> wrote:
From: McCown, Christian M <c.mccown at intel.com>
Subject: [WEB SECURITY] Missed pages and the usefulness of "site maps" for web app vuln scanning
To: "websecurity at webappsec.org" <websecurity at webappsec.org>
Date: Monday, January 18, 2010, 1:06 PM
When a web app vuln scanner crawls a website, there is the potential for some pages to be overlooked because there are no direct links to them from any pages in the crawled pages.
What other situations would prevent a web app vuln scanner from discovering pages?
What does the community think about the value of app owners / developers providing a site map or tree as part of the collateral documentation as entry points for scans?
Thanks
________
Chris McCown
Infosec Specialist
Intel Corporation
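
The coverage gap raised in the quoted question, as an added illustration (not part of either e-mail, and not DirSnatch or DirChex code): a link-following crawl over a constructed link graph is compared with a constructed owner-supplied site map to list the pages a scanner would never request, then the crawl is re-run with the site map as seeds. All hostnames, paths and function names are assumptions made for the example.

```python
from collections import deque
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample: page -> hrefs found on it (what a crawler would parse).
LINKS = {
    "https://app.example/": ["/login", "/products?id=1", "/about#team"],
    "https://app.example/login": ["/", "/reset"],
    "https://app.example/products": ["/products?id=2", "https://cdn.example/x.js"],
    "https://app.example/about": [],
    "https://app.example/reset": [],
    "https://app.example/admin/export": ["/admin/audit"],  # no page links here
    "https://app.example/admin/audit": [],
}
# Constructed sample: the resource list supplied by the application owner.
SITE_MAP = [
    "https://app.example/", "https://app.example/login",
    "https://app.example/products", "https://app.example/about",
    "https://app.example/reset", "https://app.example/admin/export",
    "https://app.example/admin/audit", "https://app.example/Legacy/report.aspx",
]

def normalise(url, base):
    """Resolve against base; drop query and fragment so each page counts once."""
    p = urlsplit(urljoin(base, url))
    return urlunsplit((p.scheme, p.netloc.lower(), p.path or "/", "", ""))

def crawl(seeds, links):
    """Breadth-first walk from the seeds, following same-host links only."""
    host = urlsplit(seeds[0]).netloc.lower()
    start = [normalise(s, seeds[0]) for s in seeds]
    seen, queue = set(start), deque(start)
    while queue:
        page = queue.popleft()
        for href in links.get(page, []):
            target = normalise(href, page)
            if urlsplit(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

def coverage_gap(seeds, links, site_map):
    """Pages the owner lists that crawling from `seeds` never reaches."""
    reached = crawl(seeds, links)
    listed = {normalise(u, seeds[0]) for u in site_map}
    return sorted(listed - reached)
```

Starting from the home page alone, the two unlinked admin pages and the legacy report are never reached; seeding the crawl with the site map closes the gap.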