On Sun, Feb 22, 2009 at 05:18:39PM -0800, Asheesh Laroia wrote:
> I think that the description explains that the purpose is to find hidden
> directories on web servers, presumably either your own or other people's.
Why would you need to find directories on your own server?
--
Noah Slater, http://tumbolia.org/nslater
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
On Mon, 23 Feb 2009, Paul Wise wrote:
> On Mon, Feb 23, 2009 at 10:27 AM, Ron Johnson <ron.l.johnson@cox.net> wrote:
> > But what (besides web crawling) is the (legal) purpose of that? And why
> > does it need a word list?
>
> Presumably it is a useful tool as part of a security professional's
> penetration testing toolbox?
Testing for these sorts of issues is almost certainly best done from
the other side by examining configurations of "hidden but not password
protected directories" instead of trying to brute force them with
results limited by your wordlist and patience.
That said, it's not like there's anything in this piece of software
that is more than generating a set of urls and shoving them at HEAD or
curl or similar and trapping the results, so it seems kind of trivial
and ripe for an inclusion in a larger collection of penetration
testing tools unless it has a particular novel method of generating a
wordlist.
It'd also be best if this package didn't refer to invented terminology
like "forced browsing" and instead said what it actually does (return
the subset of HEAD requests that return 200 from a generated
wordlist).
Don Armstrong
--
But if, after all, we are on the wrong track, what then? Only
dissapointed human hopes, nothing more. And even if we perish, what
will it matter in the endless cycles of eternity?
-- Fridtjof Nansen _Farthest North_ p152
http://www.donarmstrong.com http://rzlab.ucr.edu
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
On Mon, Feb 23, 2009 at 01:06:38PM +0100, Bjørn Mork wrote:
> Noah Slater <nslater@tumbolia.org> writes:
> > On Sun, Feb 22, 2009 at 05:18:39PM -0800, Asheesh Laroia wrote:
> >> I think that the description explains that the purpose is to find hidden
> >> directories on web servers, presumably either your own or other people's.
> >
> > Why would you need to find directories on your own server?
>
> Why would you need to buy a gadget like http://www.keyringer.com/ ?
Because you can loose your keys.
How can you loose a directory on a machine you have access to?
--
Noah Slater, http://tumbolia.org/nslater
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
On Sun, Feb 22, 2009 at 07:27:43PM -0600, Ron Johnson wrote:
> But what (besides web crawling) is the (legal) purpose of
> that? And why does it need a word list?
It seems to me that this tool is as open to abuse as nmap,
ping, wget, and several other apps we distribute.
On Dienstag, 24. Februar 2009, Ron Johnson wrote:
> The apps you specify have obvious non-abusive uses. What (besides
> penetration testing) are such uses for w3bfukk0r?
penetration testing is a useful use. you might even do it for others.
> (As Noah Slater pointed out, it's hard to lose a directory on your
> own machine...)
Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)
