Penetration Testing mailing list archives

RE: Spidering

From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 18 Jan 2008 11:58:45 -0800

This doesn't answer your question, but in regard to the validity of the technique, understand that an easy way to 
thwart these efforts (as far as IIS is concerned) is to edit your ISAPI extensions and have the ASP.DLL parse your 
.HTM(L) pages as well and just rename your .asp pages to .htm -- that way they will provide dynamic content the same 
way, but will have .htm extensions (in IIS7, you'll use a handler mappings) so that people will not (immediately) know 
they are dynamic pages by extention...

t

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of me me
Sent: Thursday, January 17, 2008 9:59 AM
To: pen-test () securityfocus com
Subject: Spidering

Hi All

One of the most important aspects of assessing a web application is
separating the dynamic code from the static HTML. I tend to do this
though
spidering, and use a number of tools including Paros and a commercial
tool.

Basically, I like to know:

The names and places of the scripts
The variables they take
The Comments etc in HTML
Hidden form values

All the usual.

Whilst I don't expect it to get everything (JavaScript etc is going to
take
manual intervention, so is a number of other possible technologies), I
have
never really found a tool that I consider to be the defacto spidering
tool
from this perspective. One of the biggest problems is a lot of the
spiders
seem to choke on really big sites, or go into infinite loops  etc etc.

Has anyone got a reliable spider that they've used time and again (even
on
big sites) that they could recommend? Or are most people WGETing the
site
and then regex'ing the local mirror?

Thanks in advance

-----------------------------------------------------------------------
-
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
-----------------------------------------------------------------------
-

Current thread:

Spidering me me (Jan 18)
- RE: Spidering Thor (Hammer of God) (Jan 22)
- Re: Spidering Tonnerre Lombard (Jan 22)
  - RE: Spidering merigoth (Jan 23)
- <Possible follow-ups>
- RE: Spidering thomas chamberlain (Jan 23)
- Re: Re: Spidering metabolic_76 (Jan 23)