websecurity@lists.webappsec.org

The Web Security Mailing List


Directory discovering

Brtnik, Vojtech (NL - Amstelveen)
Fri, May 6, 2011 9:02 AM

From: Andre Gironda andreg@gmail.com
Subject: Re: [WEB SECURITY] which is the best web application
vulnerability scanner
JBrofuzz
You can take the lists from tools like JBroFuzz, fuzzdb, DirBuster,
and admin-scan.py -- combine them (sort + uniq) -- and then run them
through a single-pane-of-glass tool like Burp Suite Professional (or
Fiddler, et al) or a command-line tool such as dirb. This is a very
common penetration-testing tactic.

Hi,

this is an interesting approach, could you elaborate a bit more on it?

  1. what do you get out of using multiple tools? It occurs to me that running DirBuster (for instance) brings you to the frontier of what you can get out of a directory discovery test. It's all about having a good list of dirs/files. Thus running fuzzdb and JBroFuzz on top of DirBuster (or the other way around) seems to me a bit like a waste of time, which is indeed limited. In my cases, most of the time, Nikto discovers almost everything already and there is very little need for elaborate brute-forcing, but this could be only my limited experience.

  2. What do you exactly mean by "run the list through a single-pane-of-glass tool like Burp"? What do you want to achieve by that? I'm using burp occasionally, but can't figure out which functionality you had in mind...

Best regards,
PJ


This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte:
http://www.deloitte.com/nl/disclaimer
Deloitte Accountants B.V. is registered with the trade register in The Netherlands under number 24362853.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see deloitte.com/nl/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Andre Gironda
Fri, May 6, 2011 4:23 PM

On Fri, May 6, 2011 at 2:02 AM, Brtnik, Vojtech (NL - Amstelveen)
VBrtnik@deloitte.nl wrote:

this is an interesting approach, could you elaborate a bit more on it?

Here is similar work, with explanations, done by Mavituna Security:
http://www.mavitunasecurity.com/blog/svn-digger-better-lists-for-forced-browsing/

  1. what do you get out of using multiple tools? It occurs to me that running DirBuster (for instance) brings you to the frontier of what you can get out of a directory discovery test. It's all about having a good list of dirs/files. Thus running fuzzdb and JBroFuzz on the top of Dirbuster (or the other way around) seems to me a bit like wasting of time, which is indeed limited. In my cases, most of the times, Nikto discovers almost everything already and there is a very little need for an elaborate brute-forcing, but this could be only my limited experience.

I like all of those tools and their concepts. It is tricky trying to
get the results from them without running them in parallel or
serially. I instead suggest to somehow combine their capabilities,
perhaps by writing your own tool that incorporates all of their
capabilities and concepts.

  2. What do you exactly mean by "run the list through a single-pane-of-glass tool like Burp"? What do you want to achieve by that? I'm using burp occasionally, but can't figure out which functionality you had in mind...

Burp provides me simplicity and ease of use, as well as familiarity. I
was thinking of importing the list as an Intruder payload set and
configuring a fuzzing position on a single insertion point, such as
the final "/" in http://www.site.com/

-Andre

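The workflow Andre describes (merge several wordlists with sort + uniq, then feed the merged list to dirb or to Burp Intruder with a single insertion point at the trailing "/" of the base URL) as an added example. This is not code from the thread or from any of the tools named in it; the three wordlist fragments, the site http://www.site.com and the fake responses are constructed for the example. The probe step is a minimal stand-in for dirb/Intruder and adds one check a tester wants before trusting a 200: a canary request for a path that cannot exist, so that a server which answers 200 to everything (a "soft 404") does not turn every entry in the list into a false hit.

```python
"""Merge forced-browsing wordlists and probe a site with the result.

Added example, not from the mailing-list thread or any tool it names.
merge_wordlists() mirrors `cat list1 list2 ... | sort -u`; forced_browse()
stands in for dirb or a Burp Intruder run with one payload position.
"""
from typing import Callable, Dict, Iterable, List, Tuple

import urllib.error
import urllib.request

# Constructed stand-ins for fragments of fuzzdb / DirBuster / JBroFuzz lists.
# They deliberately overlap and carry the noise real lists have: comments,
# blank lines, leading slashes, case variants.
LISTS: Dict[str, List[str]] = {
    "fuzzdb": ["admin/", "backup/", "# common admin paths", ".svn/entries", "robots.txt"],
    "dirbuster": ["Admin/", "admin/", "images/", "", "/backup/"],
    "jbrofuzz": ["phpmyadmin/", "robots.txt", "web.config", ".git/HEAD"],
}

# A path that should not exist on any site; used to detect soft-404 behaviour.
CANARY = "this-path-should-not-exist-4f2a1c"

# A fetcher maps a URL to (HTTP status, response body length).
Fetcher = Callable[[str], Tuple[int, int]]


def normalise(entry: str) -> str:
    """Canonical form of one wordlist entry: strip whitespace and a leading
    slash, drop comments and blanks. A trailing slash is kept because
    'admin' and 'admin/' are different requests."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return ""
    return entry.lstrip("/")


def merge_wordlists(lists: Dict[str, Iterable[str]]) -> List[str]:
    """Equivalent of `sort -u` over all lists after normalisation.
    Case is preserved on purpose: Admin/ and admin/ differ on a
    case-sensitive server, so both stay in the merged list."""
    merged = {normalise(e) for entries in lists.values() for e in entries}
    merged.discard("")
    return sorted(merged)


def http_fetch(url: str) -> Tuple[int, int]:
    """Real fetcher (not exercised offline): GET the URL and return
    (status, body length). HTTP errors carry a status too."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def forced_browse(base: str, words: Iterable[str], fetch: Fetcher) -> Tuple[Dict[str, int], bool]:
    """Request base + word for every word (the single insertion point after
    the trailing '/'). Returns ({word: status} for everything that looks
    real, soft_404_detected).

    A 200 with the same body length as the canary's 200 is treated as the
    site's custom not-found page, not as a hit."""
    base = base.rstrip("/") + "/"
    canary_status, canary_len = fetch(base + CANARY)
    soft_404 = canary_status == 200
    found: Dict[str, int] = {}
    for word in words:
        status, length = fetch(base + word)
        if status == 404:
            continue
        if soft_404 and status == 200 and length == canary_len:
            continue  # indistinguishable from the site's soft-404 page
        found[word] = status
    return found, soft_404


# Constructed fake site so the example runs offline. Unknown paths answer
# either a proper 404 or, in soft mode, a 200 with a fixed-size error page.
FAKE_SITE: Dict[str, Tuple[int, int]] = {
    "http://www.site.com/admin/": (401, 512),
    "http://www.site.com/backup/": (403, 300),
    "http://www.site.com/robots.txt": (200, 64),
    "http://www.site.com/.git/HEAD": (200, 23),
}
SOFT_404_LEN = 1337


def make_fake_fetch(soft: bool) -> Fetcher:
    miss = (200, SOFT_404_LEN) if soft else (404, 0)
    return lambda url: FAKE_SITE.get(url, miss)


if __name__ == "__main__":
    words = merge_wordlists(LISTS)
    print("merged list:", words)
    for mode in (False, True):
        hits, soft = forced_browse("http://www.site.com", words, make_fake_fetch(mode))
        print(f"soft-404 site={soft}: {hits}")
```

To run it against a live target you own, swap make_fake_fetch(...) for http_fetch and replace LISTS with the real files; the merged list is also what you would load as an Intruder payload set. Without the canary check, the soft-404 run would report all nine entries as 200s.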