RE: Website "Scanner"

["Nelson Sampaio Araujo Junior" <nelson () lunenetworks com br>]

That answer seems simple to me: All sensitive data need to be protected
using a suitable protection method and NOT just rely on the lack of
knowledge of the URL to reach the document.

This can be a password, certificate, or any other method.

A simple sniffer can reveal the URL of a "protected" document using just
lack-knowledge approach.

- Nelson

-----Original Message-----
From: backed.up.by.2048.bit.encryption () hushmail com
[mailto:backed.up.by.2048.bit.encryption () hushmail com] 
Sent: Wednesday, January 08, 2003 12:54 PM
To: webappsec () securityfocus com
Cc: vuln-dev () securityfocus com


-----BEGIN PGP SIGNED MESSAGE-----

Is there anything out there like a port scanner but for websites, where
it dictionary attacks the files. For example you plug in the domain:

http://www.foo.com

and tries to find .html files (or other)

http://www.foo.com - index.html
                      ndex.html
                       dex.html
                        ex.html


......etc

where runs through numerous possibilities to hit on files on the server
(and even) directories).  If so, one could certainly hit on some
sensitive information, say where the administrator has been testing
something, or internal product infos etc.

If there is nothing out there like this, why not?


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wnUEARECADUFAj4cj18uHGJhY2tlZC51cC5ieS4yMDQ4LmJpdC5lbmNyeXB0aW9uQGh1
c2htYWlsLmNvbQAKCRDEHQGvBp4eRJLBAKCPZpeToNzqtkqKkaIROClm91qhXgCfe4Eo
/YwZbPRhApi54B5jewqOYCk=
=d2v7
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427