Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

To: debian-devel@lists.debian.org
Subject: Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
From: Don Armstrong <don@debian.org>
Date: Sun, 22 Feb 2009 20:43:21 -0800
Message-id: <[🔎] 20090223044321.GH22212@volo.donarmstrong.com>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] e13a36b30902221852i178fbd0bt8abbd15411556713@mail.gmail.com>
References: <[🔎] 20090222223953.13686.78836.reportbug@zeratul.quietplace.lan> <[🔎] 49A1E92C.1040600@cox.net> <[🔎] alpine.DEB.2.00.0902221717420.8049@vellum.laroia.net> <[🔎] 49A1FB8F.10807@cox.net> <[🔎] e13a36b30902221852i178fbd0bt8abbd15411556713@mail.gmail.com>

On Mon, 23 Feb 2009, Paul Wise wrote:
> On Mon, Feb 23, 2009 at 10:27 AM, Ron Johnson <ron.l.johnson@cox.net> wrote:
> > But what (besides web crawling) is the (legal) purpose of that?  And why
> > does it need a word list?
> 
> Presumably it is a useful tool as part of a security professional's
> penetration testing toolbox?

Testing for these sorts of issues is almost certainly best done from
the other side by examining configurations of "hidden but not password
protected directories" instead of trying to brute force them with
results limited by your wordlist and patience.

That said, it's not like there's anything in this piece of software
that is more than generating a set of urls and shoving them at HEAD or
curl or similar and trapping the results, so it seems kind of trivial
and ripe for an inclusion in a larger collection of penetration
testing tools unless it has a particular novel method of generating a
wordlist.

It'd also be best if this package didn't refer to invented terminology
like "forced browsing" and instead said what it actually does (return
the subset of HEAD requests that return 200 from a generated
wordlist).

Don Armstrong

-- 
But if, after all, we are on the wrong track, what then? Only
dissapointed human hopes, nothing more. And even if we perish, what
will it matter in the endless cycles of eternity?
 -- Fridtjof Nansen _Farthest North_ p152

http://www.donarmstrong.com              http://rzlab.ucr.edu

Reply to:

Follow-Ups:
- Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
  - From: Nico Golde <nico@ngolde.de>

References:
- Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
  - From: Maximilian Gaß <mxey@cloudconnected.org>
- Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
  - From: Ron Johnson <ron.l.johnson@cox.net>
- Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
  - From: Asheesh Laroia <asheesh@asheesh.org>
- Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
  - From: Ron Johnson <ron.l.johnson@cox.net>
- Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
Next by Date: Re: ucf: Diversion of /u/b/ucf by etcgit
Previous by thread: Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
Next by thread: Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
Index(es):
- Date
- Thread