Penetration Testing mailing list archives

Re: spidering of webapps


From: "Andre Gironda" <andreg () gmail com>
Date: Fri, 3 Oct 2008 23:14:03 -0700

Burp Spider is the best option.  It is extremely powerful and can be
extended if necessary.  The balance between manual guiding (with forms
and authentication - especially when using the full Burp Suite and
passing information between panels) and automation is near perfect.

That being said, wget does support SSL and for mirroring it works
really, really well.  The --html-extension flag helps with CGI, PHP,
and other non-html file conversion, and the --convert-links makes it
easy to access the content locally for later inspection, potentially
automated.

Cheers,
Andre


On 10/3/08, natron <natron () invisibledenizen org> wrote:
The unfortunate fact of virtually all local proxies (Burp, Paros, etc)
is that while, yes, they can do spidering, they have no way to
save/export results!

HTTrack works, but it lacks on the analysis side, requiring you to do
a lot of manual reviews of the downloaded files.  I end up relying
mostly on Burp Suite and just tackling the application in small
sections and living with the fact that I can't document very well.

Does anyone have any better solutions?

N

On Wed, Oct 1, 2008 at 8:35 PM, Ivan . <ivanhec () gmail com> wrote:

Burp Suite
http://portswigger.net/suite/

Paros
http://www.parosproxy.org/download.shtml

just a sample, plenty more out there

cheers
Ivan

On Thu, Oct 2, 2008 at 4:51 AM, <lister () lihim org> wrote:

Other than wget and HTTrack, what other means are you using to
spider/mirror websites?

How are you spidering through SSL?  OpenSSL wrapper such as stunnel?

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
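
The local inspection of a wget mirror that Andre mentions, and the manual review of downloaded files that natron describes, can be partly automated. The following is an added example, not part of the original thread: it lists every form in a mirrored directory along with its action, method and named fields. The function names and the sample pages are constructed for illustration, and the mirror is assumed to have been saved with --html-extension.

```python
import os
import tempfile
from html.parser import HTMLParser

class FormCollector(HTMLParser):
    """Records every <form> with its action, method and named fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(),
                          "fields": []}
            self.forms.append(self._open)
        elif (tag in ("input", "select", "textarea")
              and self._open is not None and a.get("name")):
            kind = a.get("type") or ("text" if tag == "input" else tag)
            self._open["fields"].append((a["name"], kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def inventory_mirror(root):
    """Walk a mirror directory; return one record per form, sorted by file."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            parser = FormCollector()
            with open(path, encoding="utf-8", errors="replace") as fh:
                parser.feed(fh.read())
            for form in parser.forms:
                records.append({"file": os.path.relpath(path, root), **form})
    return sorted(records, key=lambda r: r["file"])

def build_sample_mirror():
    """Constructed sample pages, named as --html-extension would save them."""
    root = tempfile.mkdtemp()
    pages = {
        "login.php.html": '<form action="login.php" method="post">'
                          '<input name="user"><input type="password" name="pass">'
                          '<input type="submit"></form>',
        "search.cgi.html": '<form action="search.cgi"><input name="q"></form>',
        "logo.png": "not html, skipped",
    }
    for name, body in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rec in inventory_mirror(build_sample_mirror()):
        print(rec["file"], rec["method"], rec["action"], rec["fields"])
```

Writing the returned records to CSV or JSON gives a per-page form inventory that can go straight into the test documentation.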

