Jon,

On Fri, Jul 10, 2009 at 8:29 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Jon,
>
> On Wed, Jul 8, 2009 at 1:14 PM, jrose <jr...@owasp.org> wrote:
>> Hey Achim and Andres,
>>
>> I wrote this simple directory bruteforcing plugin awhile back and have been
>> using it with my local w3af install. It may not be as great as dirbuster or
>> some other dedicated directory bruteforcing tools, but it is something I wanted,
>> so I wrote it; feel free to include it or not. I figured I should at least
>> send it out to the list in case anyone else thought it was useful.
>
> I just committed a slightly modified version of your directory
> bruteforcer to the trunk [0]. If you ever feel like changing anything,
> please use that version as a base.
>
> From what I can tell from my tests, the plugin is working ok, but has
> some problems with 404 detection. The thing is that the 404 detection
> in w3af was not developed with directory bruteforcing in mind, so the
> result is that you get two HTTP requests for every directory:
>
> [ Fri Jul 10 10:27:27 2009 - debug ] GET http://localhost/poll/ returned HTTP code "404" - id: 960
> [ Fri Jul 10 10:27:27 2009 - debug ] keepalive: The connection manager has 1 active connections.
> [ Fri Jul 10 10:27:27 2009 - debug ] GET http://localhost/poll/LWgDeXG4 returned HTTP code "404" - id: 961
> [ Fri Jul 10 10:27:27 2009 - debug ] No grep for : http://localhost/poll/LWgDeXG4 , the plugin sent grepResult=False.
> [ Fri Jul 10 10:27:27 2009 - debug ] http://localhost/poll/ is a 404 (_byDirectoryAndExtension). 1.0 > 0.72
>
> This is great if you think about reducing false positives, but it's
> awful in performance! I think that the directory bruteforcer plugin
> should have a customized 404 detection, and not the default w3af 404
> detection. What do you guys think?
I just fixed this problem. I can't commit the code right now, but I'll do it on Monday.

Cheers,

> [0] http://w3af.svn.sourceforge.net/viewvc/w3af?view=rev&revision=2942
>
> Cheers,
>> Thanks,
>> Jon
>>
>> On Jun 11, 2009, at 5:06 PM, Achim Hoffmann wrote:
>>
>>> Hi Andres, Jon,
>>>
>>> On Thu, 11 Jun 2009, jrose wrote:
>>>
>>> !! Hey Andres,
>>> !! I was thinking just a small or medium sized list, using an external
>>> file.
>>>
>>> a "small" file (~60.000) is provided by jbruzz.
>>> dirbuster (with which this thread started) has huge files (>2^30).
>>>
>>>> If a user wants to
>>> !! supply their own wordlist, such as the dirbuster list, it's up to them.
>>>
>>> dirbuster can do that already.
>>>
>>> !! This would keep the
>>> !! download size manageable with the flexibility to use any list you want.
>>>
>>> !! I'll take a shot at
>>> !! writing this plugin and email it out to the list when I'm done.
>>>
>>> I'll just jump into this thread as I've done some research about file/dir
>>> bruteforcing/fuzzing over the last couple of years. This includes public domain
>>> tools (jbruzz, dirbuster, wikto) as well as commercial tools (AppScan,
>>> WebInspect, Acunetix). They all suck in this area, unfortunately :-(
>>> The reasons are different, just some:
>>> - lists are too small
>>> - lists are too huge
>>> - lists contain mainly useless tests for professional apps
>>> - lists are not customizable
>>> - tools are too stupid
>>> - and so on ...
>>> Looking at the tools, we see that the commercial ones try to do the tests
>>> with some "sophisticated" selections of the lists (depending on OS, or
>>> application), but they fail to tell us *what* they test.
>>> On the other side the open source tools test everything, even your own
>>> lists, but they lack customization (except providing your own list).
>>>
>>> What you need in all-day-testing (my experience) is a combination of
>>> both approaches: customizable and some kind of automatic detection.
>>>
>>> 2 examples for sophisticated selection:
>>> - if IIS is detected, we need special path traversal
>>> - if OS is not windows any \ in paths are useless
>>> You see, this selection can be complicated and is not easy to compute.
>>> That's probably why all tools give you either a very limited result,
>>> or you wait some weeks 'til they finish (see dirbuster).
>>>
>>> ----
>>> If someone really wants to write such a plugin, keep these problems
>>> in mind. The biggest challenge is to make a sophisticated list, the
>>> test itself is very simple.
>>> Writing YAB -yet another bruteforcing- plugin is wasting time due to
>>> reinventing the wheel, probably making the same mistakes ...
>>>
>>> Sorry for dampening your enthusiasm, but I think a plugin which does
>>> the same work as other tools is not a good idea.
>>>
>>> If someone has a good idea to make the world go round here, count me
>>> in, I guess I've some more hints somewhere in the lost areas of my brain.
>>>
>>> Cheers
>>> Achim
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
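The performance problem Andres describes in the thread (w3af's generic 404 detection sends a second probe request, GET /poll/LWgDeXG4, for every candidate directory and compares the two responses against a similarity threshold, visible in the log as "1.0 > 0.72") can be avoided by learning one "not found" fingerprint per parent directory and classifying every candidate response against it. The following is an added example written for this thread; it is not w3af code and not the plugin Jon or Andres committed. The `Response` class, the injected `fetch` callable, the fake server bodies and the normalization rules are all constructed for illustration; the 0.72 threshold and the random name `LWgDeXG4` are taken from the quoted log lines. No HTTP is sent.

```python
"""Added example (not w3af code): one-request-per-candidate 404 detection.

Idea: probe a random, surely-missing child of the parent directory once,
remember what the server's "missing" page looks like, and then compare each
candidate's response to that baseline. The extra request happens once per
parent instead of once per candidate.
"""
import difflib
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    code: int
    body: str


def normalize(body: str) -> str:
    """Strip the parts that differ between otherwise identical soft-404 pages:
    markup, the echoed request path, and numbers such as ids or timestamps."""
    body = re.sub(r"<[^>]+>", " ", body)        # drop tags
    body = re.sub(r"/[\w./-]*", "/PATH", body)   # echoed URLs / paths
    body = re.sub(r"\d+", "N", body)             # ids, timestamps, sizes
    return " ".join(body.split()).lower()


def similarity(a: str, b: str) -> float:
    """0.0 .. 1.0 similarity of two bodies after normalization."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass
class NotFoundDetector:
    # 0.72 is the threshold shown in the quoted w3af debug line
    threshold: float = 0.72
    _baselines: dict = field(default_factory=dict)

    def needs_baseline(self, parent: str) -> bool:
        return parent not in self._baselines

    def learn(self, parent: str, probe_response: Response) -> None:
        """Record the response to a random, surely-missing child of `parent`."""
        self._baselines[parent] = probe_response

    def is_not_found(self, parent: str, resp: Response) -> bool:
        if resp.code == 404:            # hard 404: no comparison needed
            return True
        base = self._baselines.get(parent)
        if base is None:
            raise KeyError(f"no baseline for {parent!r}; call learn() first")
        # soft 404: same status as the baseline and a near-identical body
        return resp.code == base.code and similarity(resp.body, base.body) >= self.threshold


def bruteforce(parent, names, fetch, detector=None, random_name="LWgDeXG4"):
    """Return (found_paths, request_count).

    `fetch(path) -> Response` is injected so the logic runs offline; in a real
    plugin it would be the scanner's HTTP client. `random_name` is the probe
    used once per parent (the log in the thread shows w3af using LWgDeXG4).
    """
    detector = detector or NotFoundDetector()
    requests = 0
    if detector.needs_baseline(parent):
        detector.learn(parent, fetch(f"{parent}{random_name}/"))
        requests += 1
    found = []
    for name in names:
        path = f"{parent}{name}/"
        resp = fetch(path)
        requests += 1
        if not detector.is_not_found(parent, resp):
            found.append(path)
    return found, requests


# --- constructed fake server: a soft-404 site that answers 200 for everything ---
SOFT_404 = ("<html><body><h1>Not found</h1><p>The page {path} was not found. "
            "Ref 12345</p></body></html>")
REAL = {
    "/admin/": "<html><body><h1>Admin login</h1><form>...</form></body></html>",
    "/poll/": "<html><body><h1>Polls</h1><ul><li>Poll 1</li></ul></body></html>",
}


def fake_fetch(path: str) -> Response:
    if path in REAL:
        return Response(200, REAL[path])
    return Response(200, SOFT_404.format(path=path))


if __name__ == "__main__":
    found, n = bruteforce("/", ["admin", "poll", "backup", "test", "old"], fake_fetch)
    print(f"found {found} using {n} requests for 5 candidates")
```

The normalization step is the part that needs care in practice: soft-404 pages routinely echo the requested path or a request id, and without stripping those the two bodies never reach the threshold. Conversely, a site whose "not found" page is almost identical to a real but sparse page will be classified as missing; lowering the threshold trades that false negative for false positives, which is the same trade-off the generic w3af detection makes.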