Re: donloading jsp for pen-test

["arvind doraiswamy" <arvind.doraiswamy () gmail com>]

Hi Victor,
I don't think this is going to be possible unless you can find out
what directories the developers have stored the source of the
pages(the Html ones) in. Most probably those directories will be
hidden and not available by clicking links on the website. So unless
you can brute force and guess the name of the directories you won't be
able to get at the JSP's itself. For eg. All the HTML pages will be in
something like:
 http://www.abc.com/public while the jsp's would be in
http://www.abc.com/source/jsp ... Now unless you know that such a
directory structure exists in the first place you wont be able to
access it directly through a browser. You might want to try checking
if a robots.txt file exists. You may be able to enumerate more
directories from there.

Brute forcing directory structure through a quickly written piece of
code is an option as well but likely to be fruitless as mostly the
sources directory; even if you find it will have strong permissions
which'll prevent you from viewing content inside it.

Its my first post so I'm not sure the list ID is correct; so do post
it there if it doesnt appear :)

Cheers
Arvind

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------