Re: Automatic web application security profiling



Paros or Burp would be your best guess for spidering the site looking
for post/get requests. If you're going to do that you might as well
proxy through something running ratproxy to pick up any vulns
passively while spidering. Just a thought. It would also help you
identify the potential vectors that require more effort to exploit.

Anthony Cicalla
On Wed, Sep 9, 2009 at 2:00 AM, Volker Tanger <vtlists@xxxxxxx> wrote:

Hi!

Am Sat, 5 Sep 2009 18:52:01 +0530
schrieb D Adusumalli <asndpp@xxxxxxxxx>:
Open source web proxies BURP, WebScarab have spidering ability.

On Thu, Jul 16, 2009 at 7:12 AM, John Beck<jbeck59@xxxxxxxxxxx> wrote:

I am about to start an application layer security assessment of a web
application and I am searching for a quick method of identifying "most"
of the inputs of a JSP/tomcat web application (remotely, without source
code access).

Burp, WebScarab et al. don't summarize form usage - if you have a
search form on each page, every single page will be listed as form.
:-/

Thus I wrote the "Thekla" spider for exactly this purpose
       http://www.wyae.de/software/thekla/

It consolidates all forms and their resulting action CGI interface as
well as parameter-laden URLs into neat text/CSV files.

If you use it, comments and suggestions are welcome.

Bye

Volker


--

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@xxxxxxx                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




--
Anthony,

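A consolidation pass of the kind Volker describes, as an added example that is neither Thekla's code nor anything from the thread: it parses constructed sample pages with the Python standard library, records each form as (action, method, parameter names) and each parameter-laden link as (path, parameter names), so the search form repeated on every page collapses to one row, and renders the result as CSV. The host `example.test`, the page contents and the JSP paths are all constructed.

```python
import csv
import io
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlparse
# Constructed sample: a search form repeated on each page, one unique login form, two links to one JSP.
PAGES = {
    "http://example.test/index.jsp": """
      <form action="/search.jsp" method="get"><input name="q"><input type="submit"></form>
      <a href="/item.jsp?id=7&amp;page=1">item</a> <a href="/about.jsp">about</a>""",
    "http://example.test/login.jsp": """
      <form action="/search.jsp" method="get"><input name="q"><input type="submit"></form>
      <form action="/j_security_check" method="post"><input name="j_username"><input type="password" name="j_password"></form>
      <a href="/item.jsp?id=9&amp;page=2">other</a>""",
}
class InputCollector(HTMLParser):
    # Collects forms (action, method, parameter names) and parameter-laden links of one page.
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.forms, self.urls, self._cur = base_url, [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = (urljoin(self.base_url, a.get("action", "")), a.get("method", "get").lower(), set())
        elif tag in ("input", "select", "textarea") and self._cur is not None and a.get("name"):
            self._cur[2].add(a["name"])
        elif tag == "a" and a.get("href"):
            u = urlparse(urljoin(self.base_url, a["href"]))
            if u.query:  # keep the parameter names only; values do not define the interface
                names = tuple(sorted(k for k, _ in parse_qsl(u.query, keep_blank_values=True)))
                self.urls.append((u._replace(query="", fragment="").geturl(), names))
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append((self._cur[0], self._cur[1], tuple(sorted(self._cur[2]))))
            self._cur = None
def consolidate(pages):
    # One row per distinct (kind, action, method, parameter names) across all pages.
    seen = set()
    for url, html in pages.items():
        p = InputCollector(url)
        p.feed(html)
        seen.update(("form",) + f for f in p.forms)
        seen.update(("url", path, "get", names) for path, names in p.urls)
    return sorted(seen)  # the repeated search form and the two item links each collapse to one row
def to_csv(rows):
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["kind", "action", "method", "parameters"])
    w.writerows([k, action, method, " ".join(names)] for k, action, method, names in rows)
    return out.getvalue()
```

Against the sample above, `consolidate(PAGES)` yields three rows (login form, search form, item URL) rather than the five raw occurrences a per-page listing would show.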