Jon,

On Wed, Jul 8, 2009 at 1:14 PM, jrose <jr...@owasp.org> wrote:
> Hey Achim and Andres,
>
> I wrote this simple directory bruteforcing plugin a while back and have been
> using it with my local w3af install. It may not be as great as dirbuster or
> some other dedicated directory bruteforcing tools, but it's something I wanted,
> so I wrote it; feel free to include it or not. I figured I should at least
> send it out to the list in case anyone else thought it was useful.

I just committed a slightly modified version of your directory bruteforcer
to the trunk [0]. If you ever feel like changing anything, please use that
version as a base.

From what I can tell from my tests, the plugin is working OK, but has some
problems with 404 detection. The thing is that the 404 detection in w3af was
not developed with directory bruteforcing in mind, so the result is that you
get two HTTP requests for every directory:

[ Fri Jul 10 10:27:27 2009 - debug ] GET http://localhost/poll/ returned HTTP code "404" - id: 960
[ Fri Jul 10 10:27:27 2009 - debug ] keepalive: The connection manager has 1 active connections.
[ Fri Jul 10 10:27:27 2009 - debug ] GET http://localhost/poll/LWgDeXG4 returned HTTP code "404" - id: 961
[ Fri Jul 10 10:27:27 2009 - debug ] No grep for : http://localhost/poll/LWgDeXG4 , the plugin sent grepResult=False.
[ Fri Jul 10 10:27:27 2009 - debug ] http://localhost/poll/ is a 404 (_byDirectoryAndExtension). 1.0 > 0.72

This is great if you think about reducing false positives, but it's awful
for performance! I think that the directory bruteforcer plugin should have a
customized 404 detection, and not the default w3af 404 detection.

What do you guys think?

[0] http://w3af.svn.sourceforge.net/viewvc/w3af?view=rev&revision=2942

Cheers,

> Thanks,
> Jon
>
> On Jun 11, 2009, at 5:06 PM, Achim Hoffmann wrote:
>
>> Hi Andres, Jon,
>>
>> On Thu, 11 Jun 2009, jrose wrote:
>>
>> !! Hey Andres,
>> !! I was thinking just a small or medium sized list, using an external file.
>>
>> a "small" file (~60.000) is provided by jbruzz.
>> dirbuster (with which this thread started) has huge files (>2^30).
>>
>> !! If a user wants to
>> !! supply their own wordlist, such as the dirbuster list, it's up to them.
>>
>> dirbuster can do that already.
>>
>> !! This would keep the
>> !! download size manageable with the flexibility to use any list you want.
>>
>> !! I'll take a shot at
>> !! writing this plugin and email it out to the list when I'm done.
>>
>> I'll just jump into this thread as I've done some research about file/dir
>> bruteforcing/fuzzing in the last couple of years. This includes public domain
>> tools (jbruzz, dirbuster, wikto) as well as commercial tools (AppScan,
>> WebInspect, Acunetix). They all suck in this area, unfortunately :-(
>> The reasons are different, just some:
>> - lists are too small
>> - lists are too huge
>> - lists contain mainly useless tests for professional apps
>> - lists are not customizable
>> - tools are too stupid
>> - and so on ...
>> Looking at the tools, we see that the commercial ones try to do the tests
>> with some "sophisticated" selections of the lists (depending on OS, or
>> application), but they fail to tell us *what* they test.
>> On the other side the open source tools test everything, even your own
>> lists, but they lack customization (except providing your own list).
>>
>> What you need in all-day testing (my experience) is a combination of
>> both approaches: customizable and some kind of automatic detection.
>>
>> 2 examples for sophisticated selection:
>> - if IIS is detected, we need special path traversal
>> - if OS is not windows any \ in paths are useless
>> You see, this selection can be complicated and is not easy to compute.
>> That's probably why all tools give you either a very limited result,
>> or you wait some weeks 'til they finish (see dirbuster).
>>
>> ----
>> If someone really wants to write such a plugin, keep these problems
>> in mind. The biggest challenge is to make a sophisticated list, the
>> test itself is very simple.
>> Writing YAB -yet another bruteforcing- plugin is wasting time due to
>> reinventing the wheel, probably making the same mistakes ...
>>
>> Sorry for dampening your enthusiasm, but I think a plugin which does
>> the same work as other tools is not a good idea.
>>
>> If someone has a good idea to make the world go round here, count me
>> in, I guess I've some more hints somewhere in the lost areas of my brain.
>>
>> Cheers
>> Achim

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
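The debug log in Andrés' message shows the cost he is complaining about: for every candidate directory the stock check fetches the directory and then a random child of it, and declares a 404 when the two bodies are alike (the "1.0 > 0.72" line). The following is an added example, not code from the thread or from w3af, that models both that per-candidate check and the bruteforcer-specific alternative the message asks for: fingerprint the "not found" page once per parent directory and compare every candidate against the cached fingerprint, so the cost drops from two requests per word to one. The fake site, its two page templates, the wordlist and the use of difflib's ratio as the similarity measure are all constructed for this example; 0.72 is taken from the quoted log line and assumed to be the cut-off, and the soft-404 mode (a "not found" page served with HTTP 200) goes beyond the thread to show why content similarity, not the status code, is what both strategies rely on.

```python
"""Added example: per-candidate vs cached 404 detection for a directory bruteforcer.

Everything here (the fake site, templates, wordlist, threshold semantics) is
constructed for illustration and is not w3af's code.
"""
import difflib
import random
import string

# A body at least this similar to the not-found page is treated as a 404.
# The quoted debug log prints "1.0 > 0.72"; 0.72 is assumed to be that cut-off.
SIMILARITY_THRESHOLD = 0.72

# Constructed page templates. The index page is deliberately long enough that
# it can never reach the threshold against the not-found page.
NOT_FOUND_TEMPLATE = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL {path} was not found on this server.</p>"
    "<hr><address>Apache/2.2.9 Server at localhost Port 80</address></body></html>"
)
INDEX_TEMPLATE = (
    "<html><head><title>Index of {path}</title></head><body><h1>Index of {path}</h1>"
    "<table><tr><th>Name</th><th>Last modified</th><th>Size</th></tr>"
    '<tr><td><a href="../">Parent Directory</a></td><td>&nbsp;</td><td>-</td></tr>'
    '<tr><td><a href="index.php">index.php</a></td><td>2009-07-10 10:27</td><td>1.2K</td></tr>'
    '<tr><td><a href="config.inc">config.inc</a></td><td>2009-06-11 17:06</td><td>640</td></tr>'
    "</table></body></html>"
)


class FakeSite:
    """Constructed web application standing in for the HTTP client + server.

    Real directories get an index page; everything else gets the not-found
    page, either with a genuine 404 code or, when soft_404 is set, with 200
    (a "soft 404", which defeats status-code-only detection).
    """

    def __init__(self, real_dirs, soft_404=False):
        self.real_dirs = set(real_dirs)
        self.soft_404 = soft_404
        self.requests = 0  # counts every GET so the strategies can be compared

    def get(self, path):
        self.requests += 1
        if path in self.real_dirs:
            return 200, INDEX_TEMPLATE.format(path=path)
        status = 200 if self.soft_404 else 404
        return status, NOT_FOUND_TEMPLATE.format(path=path)


def random_name(length=8):
    """Random path component that is (overwhelmingly) unlikely to exist."""
    alphabet = string.ascii_letters + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def similarity(a, b):
    """Body similarity in [0, 1]; autojunk off so short pages are not skewed."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def bruteforce_default(site, parent, wordlist):
    """Stock-style check modelled on the log: fetch the candidate, then a random
    child of it, and call the candidate a 404 when the two bodies match.
    Costs two requests per word."""
    found = []
    for word in wordlist:
        path = parent + word + "/"
        _, body = site.get(path)
        _, probe = site.get(path + random_name())
        if similarity(body, probe) < SIMILARITY_THRESHOLD:
            found.append(path)
    return found


def bruteforce_cached(site, parent, wordlist):
    """Bruteforcer-specific check: fetch one random directory under the parent,
    keep its body as the not-found fingerprint, compare each candidate to it.
    Costs one request per word plus one per parent."""
    _, fingerprint = site.get(parent + random_name() + "/")
    found = []
    for word in wordlist:
        path = parent + word + "/"
        _, body = site.get(path)
        if similarity(body, fingerprint) < SIMILARITY_THRESHOLD:
            found.append(path)
    return found


def bruteforce_by_status(site, parent, wordlist):
    """Naive baseline: anything that is not an HTTP 404 counts as found."""
    return [parent + w + "/" for w in wordlist if site.get(parent + w + "/")[0] != 404]


def run_strategy(strategy, real_dirs, wordlist, soft_404=False):
    """Run one strategy against a fresh site; return (found paths, requests sent)."""
    site = FakeSite(real_dirs, soft_404=soft_404)
    return strategy(site, "/", wordlist), site.requests


if __name__ == "__main__":
    words = ["admin", "backup", "images", "poll", "test", "tmp"]  # constructed wordlist
    real = {"/admin/", "/backup/"}
    for soft in (False, True):
        print("soft_404=%s" % soft)
        for strategy in (bruteforce_default, bruteforce_cached, bruteforce_by_status):
            found, n = run_strategy(strategy, real, words, soft_404=soft)
            print("  %-21s %2d requests  found %s" % (strategy.__name__, n, found))
```

Run it and the request counter tells the performance story from the log: the per-candidate check sends 2N requests for N words, the cached fingerprint sends N+1, and only the status-code shortcut is cheaper, at the price of reporting every word as a hit once the server answers "not found" with a 200. The cached fingerprint is per parent directory on purpose; a real site can serve a different error page under different subtrees, so the fingerprint must be refreshed whenever the bruteforcer descends into a newly discovered directory.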