[WEB SECURITY] Directory discovering

Brtnik, Vojtech (NL - Amstelveen) VBrtnik at deloitte.nl
Fri May 6 05:02:58 EDT 2011

> From: Andre Gironda <andreg at gmail.com>
> Subject: Re: [WEB SECURITY] which is the best web application
>	vulnerability scanner
> JBrofuzz
> You can take the lists from tools like JBroFuzz, fuzzdb, DirBuster,
> and admin-scan.py -- combine them (sort + uniq) -- and then run them
>  through a single-pane-of-glass tool like Burp Suite Professional (or
> Fiddler, et al) or a command-line tool such as dirb. This is a very
> common penetration-testing tactic.


this is an interesting approach, could you elaborate a bit more on it? 

1) what do you get out of using multiple tools? It occurs to me that running DirBuster (for instance) brings you to the frontier of what you can get out of a directory discovery test. It's all about having a good list of dirs/files. Thus running fuzzdb and JBroFuzz on the top of Dirbuster (or the other way around) seems to me a bit like wasting of time, which is indeed limited. In my cases, most of the times, Nikto discovers almost everything already and there is a very little need for an elaborate brute-forcing, but this could be only my limited experience.

2) What do you exactly mean by "run the list through a single-pane-of-glass tool like Burp"? What do you want to achieve by that? I'm using burp occasionally, but can't figure out which functionality you had in mind...

Best regards,

This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte: 
Deloitte Accountants B.V. is registered with the trade register in The Netherlands under number 24362853.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see deloitte.com/nl/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

More information about the websecurity mailing list