Nmap Development mailing list archives

Web App Scanner - GSoC 2009


From: João <3rd.box () gmail com>
Date: Sat, 28 Mar 2009 02:15:17 -0300

Hey there everyone,

My name is João and I'm also a GSoC 2009 aspirant. In 2008 I helped
OSSIM Project in Google Summer of Code and, this year, I'm interested
in an idea I had that I think would be nice.

I've already sent this idea to umit's dev mail list.

The idea is developing a Web app scanner. Before scanning a host and
finding a web server running on it, it would be very interesting that
you could have a way to discover which applications are running in
this web server. I mean, we could scan for installations of wordpress,
php-myadmin, wikis, web-repos, webmin, OSSIM server, webmail services,
and many other applications. There is also the possibility of using
DNS tools to discover which domains are assigned to the address and
try to identify which are the services running on these domains.
We can also implement a common dir scanner, like trying to find
addresses like 'www.domain.com/admin', 'www.domain.com/adm',
'www.domain.com/config', and many other very usual paths. Another
issue would be trying to search through virtual domains, like
'admin.domain.com', 'mail.domain.com', 'phpmyadmin.domain.com'... and,
again, many others.

After performing the full web app scanning, we could use the results
and search for matches on a vulnerability database. I think that the
integration of both ideas (the web app scanner and vuln database)
could be developed as one GSoC project.

I am a little experienced with network and program security. In 2008
I reported to OSSIM a critical vulnerability on its server (a
persistent XSS that could lead to user inclusion). I am also
experienced with web development and I have some skills with web
pentesting. I would be very glad if I could help you guys.

I really would appreciate some feedback. My IRC nick is lvwr.

cheers,
João

-- 

lvwr
blog.livewire.com.br

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

