Nmap Development mailing list archives
Re: Web App Scanner - GSoC 2009
From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 27 Mar 2009 23:41:15 -0600
On Fri, Mar 27, 2009 at 11:15 PM, João <3rd.box () gmail com> wrote:
Hey there everyone, My name is João and I'm also a GSoC 2009 aspirant. In 2008 I've helped OSSIM Project in Google Summer of Code and, this year, I'm interested in a idea I had that I think would be nice. I've already sent this idea to umit's dev mail list. The idea is developing a Web app scanner. Before scanning a host and finding a web server running on it, it would be very interesting that you could have a way to discover which applications are running in this web server. I mean, we could scan for installations of wordpress, php-myadmin, wikis, web-repos, webmin, OSSIM server, webmail services, and many other applications. There is also the possibility of using dns tools to discover which domains are assigned to the address and try to identificate which are the services running on these domains. We can also implement a common dir scanner, like trying to find addresses like 'www.domain.com/admin', 'www.domain.com/adm', 'www.domain.com/config', and many others very usual paths. Another issue would be trying to search through virtual domains, like 'admin.domain.com', 'mail.domain.com', 'phpmyadmin.domain.com'... and, again, many others. After performing the full web app scanning, we could use the results and search for matchs on a vulnerability database. I think that the integration of both ideas (the web app scanner and vuln database) could be developed as one GSoC project. I am a little experienced with network and program security. In 2008 I've reported OSSIM about a critical vulnerability on its server (a persistent xss that could lead to user inclusion). I am also experienced with web development and I have some skills with web pentesting. I would be very glad if I could help you guys. I really would appreciate some feedback. My irc nick is lvwr.
This sounds like it would make a couple good NSE scripts [1]. There is a lot of need for script writers for GSOC. [1] http://nmap.org/book/nse -- -Patrick Donnelly "One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say." -Will Durant _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Web App Scanner - GSoC 2009 João (Mar 27)
- Re: Web App Scanner - GSoC 2009 Patrick Donnelly (Mar 27)
- Re: Web App Scanner - GSoC 2009 Fyodor (Mar 29)
- Re: Web App Scanner - GSoC 2009 João (Mar 31)
- <Possible follow-ups>
- Re: Web App Scanner - GSoC 2009 Rob Nicholls (Mar 28)
- Re: Web App Scanner - GSoC 2009 João (Mar 28)
- Re: Web App Scanner - GSoC 2009 Fyodor (Mar 30)