WebApp Sec mailing list archives
RE: Web App URL Scanner
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Tue, 14 Oct 2003 13:20:34 +0200
cat list | while read -r i ; do
    echo "$i"
    (
        echo "GET $i HTTP/1.0"
        echo "Host: ${server}:${port}"
        echo
    ) | nc -v ${server} ${port} | head -1
done | tee mylogfile

Where:

  list       is a file containing the list of URLs that you would like to test for
  $server    is the name or IP address of the server under test (preferably the name)
  $port      is the port on which the server is running (typically 80)
  mylogfile  is a file to write the results into

If the server is an SSL server, you can use openssl instead of netcat, with a command line like

        echo
    ) | openssl s_client -quiet -connect ${server}:${port} -ign_eof | head -1
    # -quiet keeps the handshake chatter off stdout so head -1 sees the status line

in the appropriate place.

How you build the list of paths is entirely up to you. It may be worth using a proxy tool such as WebScarab (http://www.owasp.org/development/webscarab) to get an idea of exactly what paths currently exist, so that you can construct your list more accurately.

Eventually, I hope to build this kind of functionality into WebScarab, but it is not there yet.

Rogan
-----Original Message-----
From: Jimi Thompson [mailto:jimit () myrealbox com]
Sent: 14 October 2003 04:35 AM
To: webappsec () securityfocus com
Subject: Web App URL Scanner

All,

I'm currently seeking some software that will test all possible URLs on a web application, much like a dictionary attack against a password. I could probably write it but I'd rather just download something if I can. I'd like to see if I'm able to discover URLs that aren't normally accessible. If anyone has ideas, I'd be grateful.

Thanks,
Ms. Jimi Thompson, CISSP
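The loop in Rogan's reply records what the server answers for each guessed path; the same probing is visible from the other side in the web server's access log. As an added example that is not from this thread, the following Python script (assuming Apache/nginx combined-format logs and using constructed sample lines) flags clients whose requests within a short window are almost all 404/403, which is how a list-driven scan like the one above looks to a defender.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format (not from the thread);
# 10.0.0.9 mimics the loop above: bare HTTP/1.0 GETs, no User-Agent, mostly misses.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Oct/2003:13:20:34 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Oct/2003:13:21:01 +0200] "GET /admin/ HTTP/1.0" 404 212 "-" "-"
10.0.0.9 - - [14/Oct/2003:13:21:01 +0200] "GET /backup/ HTTP/1.0" 404 212 "-" "-"
10.0.0.9 - - [14/Oct/2003:13:21:02 +0200] "GET /old/ HTTP/1.0" 404 212 "-" "-"
10.0.0.9 - - [14/Oct/2003:13:21:02 +0200] "GET /test.asp HTTP/1.0" 404 212 "-" "-"
10.0.0.9 - - [14/Oct/2003:13:21:03 +0200] "GET /console/ HTTP/1.0" 403 198 "-" "-"
10.0.0.9 - - [14/Oct/2003:13:21:03 +0200] "GET /cgi-bin/ HTTP/1.0" 404 212 "-" "-"
10.0.0.5 - - [14/Oct/2003:13:21:10 +0200] "GET /missing.png HTTP/1.1" 404 212 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Oct/2003:13:21:12 +0200] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path, proto, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], m["proto"], int(m["status"])

def find_scanners(log_text, window=60, min_requests=5, min_miss_ratio=0.8):
    """Flag clients whose requests in some `window`-second span are mostly 404/403.
    Returns {ip: (requests_in_span, misses_in_span, distinct_paths_in_span)}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        start = 0
        for end in range(len(recs)):  # sliding window over this client's requests
            while (recs[end][1] - recs[start][1]).total_seconds() > window:
                start += 1
            span = recs[start:end + 1]
            misses = sum(1 for r in span if r[4] in (403, 404))
            if len(span) >= min_requests and misses / len(span) >= min_miss_ratio:
                flagged[ip] = (len(span), misses, len({r[2] for r in span}))
    return flagged
```

Tune `window`, `min_requests` and `min_miss_ratio` to the site's normal 404 rate; a browser fetching a page with one broken image link should stay well below the threshold while a list of hundreds of guessed paths will not.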