Re: Website "Scanner"

["Kevin Spett" <kspett () spidynamics com>]

Whisker, Metis, nikto (whisker-based) CGI scanners have open libraries that
would allow you to add these kinds of checks.

http://www.wiretrip.net/rfp/

If you're interested in a commerical solution, WebInspect does this also.



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: <backed.up.by.2048.bit.encryption () hushmail com>
To: <webappsec () securityfocus com>
Cc: <vuln-dev () securityfocus com>
Sent: Wednesday, January 08, 2003 3:53 PM
Subject: Website "Scanner"


> -----BEGIN PGP SIGNED MESSAGE-----
>
> Is there anything out there like a port scanner but for websites, where it
dictionary attacks the files. For example you plug in the domain:
> http://www.foo.com
>
> and tries to find .html files (or other)
>
> http://www.foo.com - index.html
>                       ndex.html
>                        dex.html
>                         ex.html
>
>
> ......etc
>
> where runs through numerous possibilities to hit on files on the server
(and even) directories).  If so, one could certainly hit on some sensitive
information, say where the administrator has been testing something, or
internal product infos etc.
> If there is nothing out there like this, why not?
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.2 (Java)
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wnUEARECADUFAj4cj18uHGJhY2tlZC51cC5ieS4yMDQ4LmJpdC5lbmNyeXB0aW9uQGh1
> c2htYWlsLmNvbQAKCRDEHQGvBp4eRJLBAKCPZpeToNzqtkqKkaIROClm91qhXgCfe4Eo
> /YwZbPRhApi54B5jewqOYCk=
> =d2v7
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Big $$$ to be made with the HushMail Affiliate Program:
> https://www.hushmail.com/about.php?subloc=affiliate&l=427