Old 02-23-2009, 01:09 AM
Noah Slater
 
Default Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

On Sun, Feb 22, 2009 at 05:18:39PM -0800, Asheesh Laroia wrote:
> I think that the description explains that the purpose is to find hidden
> directories on web servers, presumably either your own or other people's.

Why would you need to find directories on your own server?

--
Noah Slater, http://tumbolia.org/nslater


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-23-2009, 03:43 AM
Don Armstrong
 
Default Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

On Mon, 23 Feb 2009, Paul Wise wrote:
> On Mon, Feb 23, 2009 at 10:27 AM, Ron Johnson <ron.l.johnson@cox.net> wrote:
> > But what (besides web crawling) is the (legal) purpose of that? And why
> > does it need a word list?
>
> Presumably it is a useful tool as part of a security professional's
> penetration testing toolbox?

Testing for these sorts of issues is almost certainly best done from
the other side by examining configurations of "hidden but not password
protected directories" instead of trying to brute force them with
results limited by your wordlist and patience.

That said, it's not like there's anything in this piece of software
that is more than generating a set of urls and shoving them at HEAD or
curl or similar and trapping the results, so it seems kind of trivial
and ripe for an inclusion in a larger collection of penetration
testing tools unless it has a particular novel method of generating a
wordlist.

It'd also be best if this package didn't refer to invented terminology
like "forced browsing" and instead said what it actually does (return
the subset of HEAD requests that return 200 from a generated
wordlist).


Don Armstrong

--
But if, after all, we are on the wrong track, what then? Only
disappointed human hopes, nothing more. And even if we perish, what
will it matter in the endless cycles of eternity?
-- Fridtjof Nansen _Farthest North_ p152

http://www.donarmstrong.com http://rzlab.ucr.edu
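
Added example, not part of the original thread and not code from any poster or from the package under discussion: one way to check "from the other side", on the server's own filesystem, for directories that nothing links to and that no access rule restricts. It assumes Apache-style `.htaccess` files hold the access rules and treats `href`/`src` references in HTML files as the only links; all function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

RESTRICT_RE = re.compile(r"^\s*Require\s+(valid-user|user\s|group\s|all\s+denied)", re.I | re.M)
LINK_RE = re.compile(r"""(?:href|src)=["'](?!\w+:)([^"'#?]+)""", re.I)  # site-local links only

def read(path):
    with open(path, errors="replace") as f:
        return f.read()

def is_protected(path, docroot):
    """Assumption: access rules live in .htaccess files here or in an ancestor up to docroot."""
    ht = os.path.join(path, ".htaccess")
    if os.path.isfile(ht) and RESTRICT_RE.search(read(ht)):
        return True
    parent = os.path.dirname(path)
    return path not in (docroot, parent) and is_protected(parent, docroot)

def linked_dirs(docroot):
    """Directories referenced by site-local links in any HTML file under docroot."""
    linked = set()
    for base, _, files in os.walk(docroot):
        for name in (n for n in files if n.endswith((".html", ".htm"))):
            for ref in LINK_RE.findall(read(os.path.join(base, name))):
                start = docroot if ref.startswith("/") else base
                target = os.path.normpath(os.path.join(start, ref.lstrip("/")))
                linked.add(target if os.path.isdir(target) else os.path.dirname(target))
    return linked

def unlinked_unprotected(docroot):
    docroot = os.path.realpath(docroot)
    linked = linked_dirs(docroot)
    dirs = (os.path.join(b, d) for b, ds, _ in os.walk(docroot) for d in ds)
    return sorted(os.path.relpath(p, docroot) for p in dirs
                  if p not in linked and not is_protected(p, docroot))

def build_sample(root):
    """Constructed tree: blog/ is linked, private/ needs auth, backup-2009/ is neither."""
    for d in ("blog", "private", "backup-2009"):
        os.makedirs(os.path.join(root, d))
    for rel, text in (("index.html", '<a href="/blog/">blog</a>'),
                      ("private/.htaccess", "AuthType Basic\nRequire valid-user\n")):
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(unlinked_unprotected(tmp))
```

Rules set in the main server configuration rather than in `.htaccess` are not seen by this check, so its output is a list of directories to review, not a verdict.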


 
Old 02-23-2009, 05:18 PM
Noah Slater
 
Default Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

On Mon, Feb 23, 2009 at 01:06:38PM +0100, Bjørn Mork wrote:
> Noah Slater <nslater@tumbolia.org> writes:
> > On Sun, Feb 22, 2009 at 05:18:39PM -0800, Asheesh Laroia wrote:
> >> I think that the description explains that the purpose is to find hidden
> >> directories on web servers, presumably either your own or other people's.
> >
> > Why would you need to find directories on your own server?
>
> Why would you need to buy a gadget like http://www.keyringer.com/ ?

Because you can lose your keys.

How can you lose a directory on a machine you have access to?

--
Noah Slater, http://tumbolia.org/nslater


 
Old 02-24-2009, 01:13 PM
Jon Dowland
 
Default Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

On Sun, Feb 22, 2009 at 07:27:43PM -0600, Ron Johnson wrote:
> But what (besides web crawling) is the (legal) purpose of
> that? And why does it need a word list?

It seems to me that this tool is as open to abuse as nmap,
ping, wget, and several other apps we distribute.


--
Jon Dowland
 
Old 02-24-2009, 06:00 PM
Ron Johnson
 
Default Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

On 02/24/2009 08:13 AM, Jon Dowland wrote:
> On Sun, Feb 22, 2009 at 07:27:43PM -0600, Ron Johnson wrote:
>> But what (besides web crawling) is the (legal) purpose of
>> that? And why does it need a word list?
>
> It seems to me that this tool is as open to abuse as nmap,
> ping, wget, and several other apps we distribute.

The apps you specify have obvious non-abusive uses. What (besides
penetration testing) are such uses for w3bfukk0r?


(As Noah Slater pointed out, it's hard to lose a directory on your
own machine...)


--
Ron Johnson, Jr.
Jefferson LA USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.


 
Old 02-24-2009, 07:17 PM
Holger Levsen
 
Default Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

Hi,

On Tuesday, 24 February 2009, Ron Johnson wrote:
> The apps you specify have obvious non-abusive uses. What (besides
> penetration testing) are such uses for w3bfukk0r?

penetration testing is a useful use. you might even do it for others.

> (As Noah Slater pointed out, it's hard to lose a directory on your
> own machine...)

you can lose access to your machine...


regards,
Holger
 
