[WEB SECURITY] [New Tool Announcement] inspath - Path Disclosure Finder
MustLive
mustlive at websecurity.com.ua
Tue Nov 2 17:33:30 EDT 2010
Hello Jacky!
It's a very interesting and well-known use of search engines' caches (which I
wrote about in my article "The true power of cache"). And I not only used it
many times to find interesting holes at web sites, such as FPDs and other
information leakages, but also saw many cases where developers fixed FPDs
and other holes which I informed them about, but the information was still
left in Google's cache for a while ;-). So fixing information leakages may
not be as trivial as the admins of the sites may think.
> Ok, but how do I search for such vulnerabilities that existed a long time
> ago?
Information leakages (FPDs and others) can be in the snippet, in the cache,
or in both. So you can find such holes both current and not fixed, and old
and fixed (which can still be useful, because part or even all of the data
can still be actual).
To find them you need to search an arbitrary site at Google:
"site:victim.com" and look closely at the snippets. You can also use advanced
queries for specific information leakages, like those which I wrote about
during recent years in my series "Warning" Google hacking
(http://websecurity.com.ua/4271/) and other articles on this topic. If there
is some interesting leaked information in a snippet, then copy it from the
snippet, or if it's only part of this information, then go to the cache of
this page to retrieve the full leaked information.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Jacky Jack" <jacksonsmth698 at gmail.com>
To: "MustLive" <mustlive at websecurity.com.ua>
Sent: Monday, November 01, 2010 6:16 AM
Subject: Re: [WEB SECURITY] [New Tool Announcement] inspath - Path
Disclosure Finder
> Ok, but how do I search for such vulnerabilities that existed a long time
> ago?
>
> When I use cache: in google, it says
>
> This is Google's cache of http://www.yandex.ru/. It is a snapshot of
> the page as it appeared on 1 Nov 2010 03:21:58 GMT
>
>
>
> 2010/11/1 MustLive <mustlive at websecurity.com.ua>:
>> Hello Aung and participants of Mailing List.
>>
>> It's an interesting tool. I prefer to find Full path disclosures manually
>> (as any other vulnerabilities, because I don't use any scanners), but this
>> tool can be useful for other people - for web developers as well as for
>> security researchers.
>>
>> The only automated tool for looking for FPD which I use (in addition to
>> manual searching) is Google ;-). With Google it's possible to find even
>> fixed Full path disclosures - what was leaked once would be saved in cache
>> for a while, as I already described in my article The true power of cache
>> (http://www.webappsec.org/lists/websecurity/archive/2010-02/msg00024.html).
>>
>> So you can add such a new feature to your tool - checking Google's cache
>> for existing or fixed FPDs for an arbitrary domain.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> ----- Original Message ----- From: YGN Ethical Hacker Group
>> <lists at xxxxxxxx>
>> Subject: [WEB SECURITY] [New Tool Announcement] inspath - Path Disclosure
>> Finder
>> Date: Tue, 28 Sep 2010 12:16:49 +0800
>>
>>
>>> WHATA
>>>
>>> A tool that uses local source tree to make requests to the url and
>>> search for path inclusion error messages. It's ever a common problem
>>> in PHP web applications that we're hating to see for ever. We hope
>>> this tool triggers no path disclosure flaws any more.
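
A defender-side check for the leak format discussed in this thread, as an added example that is not part of the original posts or of the inspath tool: it scans text a site owner has saved from their own pages (or from cached copies of them) for PHP's default error format, `<Level>: <message> in <file> on line <N>`, and reports each absolute path exposed. The function name and the sample input are constructed for illustration.

```python
import html
import re

# PHP's default error layout is "<Level>: <message> in <file> on line <N>".
# With html_errors enabled the level, file and line are wrapped in <b> tags,
# so tags are stripped before matching.
_TAGS = re.compile(r"<[^>]+>")
_PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated):\s+"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/]).+?)"   # absolute Unix or Windows path
    r"\s+on line\s+(?P<line>\d+)"
)


def find_path_disclosures(text):
    """Return one dict per distinct absolute path leaked by a PHP error."""
    plain = html.unescape(_TAGS.sub("", text))
    findings, seen = [], set()
    for m in _PHP_ERROR.finditer(plain):
        key = (m["path"], int(m["line"]))
        if key in seen:          # the same error often repeats on a page
            continue
        seen.add(key)
        findings.append(
            {"level": m["level"], "path": m["path"], "line": int(m["line"])}
        )
    return findings


# Constructed sample: an HTML-formatted warning, a harmless sentence that
# merely starts with "Warning:", a plain-text notice, and a repeated notice.
SAMPLE = r'''<br />
<b>Warning</b>:  include(inc/menu.php): failed to open stream: No such file or directory in <b>/home/example/public_html/index.php</b> on line <b>12</b><br />
<p>Warning: the shop is closed on Monday.</p>
Notice: Undefined index: id in C:\inetpub\wwwroot\shop\item.php on line 7
Notice: Undefined index: id in C:\inetpub\wwwroot\shop\item.php on line 7
'''

if __name__ == "__main__":
    for finding in find_path_disclosures(SAMPLE):
        print(f'{finding["level"]}: {finding["path"]} (line {finding["line"]})')
```

Any page that produces a finding needs the error fixed at the source and display of errors turned off; as the thread notes, cached copies can keep showing the path for a while after that.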