[WEB SECURITY] Directory discovering

Adam Muntner unix23 at gmail.com
Fri May 6 18:27:20 EDT 2011


Fuzzdb takes a different approach:

1. Marrying the excellent Skipfish wordlist with collections of extensions
(every known compressed file extension, common file extensions, a ton of
backup file extensions, etc) and prefixes (variations of copy_of_ etc) for
targeted or super-bruteforce fuzzing
http://code.google.com/p/fuzzdb/source/browse/#svn%2Ftrunk%2FDiscovery%2FFilenameBruteforce

2. Lists of predictable resources, sorted by server type (IIS, Tomcat,
GlassFish, etc.), common apps (SharePoint, SAP, CMS and themes, etc.), and
lots of other stuff.
http://code.google.com/p/fuzzdb/source/browse/#svn%2Ftrunk%2FDiscovery%2FPredictableRes

Any HTTP 4xx status code other than 404 warrants investigation, as does any
5xx code.

Ultimately, if you're testing, find something interesting, and don't have a
good fuzzfile for it, you should be doing some research and making your own
fuzzfiles. This can take the form of downloading OSS software or commercial
evaluation versions, or lacking that, mining tech support websites and docs
for paths, or google dorking. Examples: Not long ago, I found the admin
interface for a commercial product deployed on a client's box with no
easily obtainable eval, thanks to a screenshot in their documentation, which
was available. Some of the predictable resource lists in fuzzdb were created
by google forming +"index of /" etc.

Be creative, it will pay off...

-a

On May 6, 2011 12:42 PM, "Andre Gironda" <andreg at gmail.com> wrote:

On Fri, May 6, 2011 at 2:02 AM, Brtnik, Vojtech (NL - Amstelveen)
<VBrtnik at deloitte.nl> wrote:
> thi...
Here is similar work, with explanations, done by Mavituna Security:
http://www.mavitunasecurity.com/blog/svn-digger-better-lists-for-forced-browsing/


> 1) what do you get out of using multiple tools? It occurs to me that
running DirBuster (for insta...
I like all of those tools and their concepts. It is tricky trying to
get the results from them without running them in parallel or
serially. I instead suggest to somehow combine their capabilities,
perhaps by writing your own tool that incorporates all of their
capabilities and concepts.


> 2) What do you exactly mean by "run the list through a
single-pane-of-glass tool like Burp"? What...
Burp provides me simplicity and ease of use, as well as familiarity. I
was thinking of importing the list as an Intruder payload set and
configuring a fuzzing position on a single insertion point, such as
the final "/" in http://www.site.com/

-Andre
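The script below is an added illustration for this thread; it is not code from fuzzdb, Skipfish or either poster. It shows the prefix x word x extension expansion Adam describes (the kind of list you would paste into Burp Intruder as a payload set at the final "/" position Andre mentions) and applies the triage rule from the thread: 404 is noise, any other 4xx and every 5xx goes into an "investigate" bucket. The base wordlist, prefix and extension lists, and the fake target map are constructed for the example and are tiny compared with the real fuzzdb lists; the live fetcher is included but the demo runs entirely offline.

```python
"""Forced-browsing candidate generation and response triage.

Added example for this thread; it is not code from fuzzdb, Skipfish or
either poster.  The word, prefix and extension lists and the fake target
below are constructed for illustration; real fuzzdb lists are far larger.
Standard library only, so it runs offline.
"""
import urllib.error
import urllib.request
from itertools import product
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import quote, urljoin

# Constructed, tiny stand-ins for a Skipfish-style base wordlist and the
# fuzzdb Discovery/FilenameBruteforce prefix and extension collections.
BASE_WORDS = ["admin", "backup", "config", "index", "login"]
PREFIXES = ["", "copy_of_", "Copy of ", "old_", "_"]
EXTENSIONS = ["", ".php", ".bak", ".old", ".php.bak", ".php~", ".swp",
              ".zip", ".tar.gz"]

Fetcher = Callable[[str], int]  # URL -> HTTP status code


def build_candidates(words: Iterable[str],
                     prefixes: Iterable[str] = PREFIXES,
                     extensions: Iterable[str] = EXTENSIONS) -> List[str]:
    """Expand prefix x word x extension into URL-safe path segments.

    Duplicates are dropped while keeping first-seen order, so the list can
    be pasted straight into an Intruder payload set.
    """
    seen = set()
    out: List[str] = []
    for prefix, word, ext in product(prefixes, words, extensions):
        # "Copy of admin.php" becomes "Copy%20of%20admin.php"
        cand = quote(f"{prefix}{word}{ext}", safe="")
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def triage(status: int) -> str:
    """The thread's rule: 404 is noise, any other 4xx and every 5xx
    warrants a look, 2xx is a hit and 3xx deserves a follow-up request."""
    if status == 404:
        return "ignore"
    if 200 <= status < 300:
        return "hit"
    if 300 <= status < 400:
        return "redirect"
    if 400 <= status < 600:
        return "investigate"
    return "other"


def probe(base_url: str, candidates: Iterable[str],
          fetch: Fetcher) -> Dict[str, List[Tuple[str, int]]]:
    """Request each candidate under base_url (which must end in '/') and
    bucket results by triage label.  The fetcher is injected so the same
    logic runs against a live target or the offline fake below."""
    report: Dict[str, List[Tuple[str, int]]] = {
        "hit": [], "redirect": [], "investigate": []}
    for cand in candidates:
        status = fetch(urljoin(base_url, cand))
        label = triage(status)
        if label in report:
            report[label].append((cand, status))
    return report


def http_status(url: str, timeout: float = 5.0) -> int:
    """Live fetcher: GET rather than HEAD, because some servers answer HEAD
    with 405 and would flood the 'investigate' bucket with false leads."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed fake target for the offline demo: path -> status, else 404.
FAKE_SITE = {
    "admin": 301,              # directory, redirects to admin/
    "admin.php": 200,
    "config.php.bak": 200,     # backup leftover of a live config file
    "copy_of_login.php": 403,  # exists but forbidden: investigate
    "backup.zip": 500,         # server error on a guessed archive: investigate
}


def fake_fetch(url: str) -> int:
    return FAKE_SITE.get(url.rsplit("/", 1)[-1], 404)


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Run the expansion against the fake target and return the report."""
    return probe("http://target.example/", build_candidates(BASE_WORDS), fake_fetch)


if __name__ == "__main__":
    for label, found in demo().items():
        for path, status in found:
            print(f"{status} {label:11s} /{path}")
```

Swap `fake_fetch` for `http_status` to run it against a real host; the expansion is deliberately exhaustive (every prefix with every extension), so against a live target expect the request count to be words x prefixes x extensions and throttle accordingly.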


_______________________________________________
The Web Security Mailing List