James Fisher

DirBuster Project Lead

OWASP DirBuster - Training

May 2010

Introductions – Who Am I

Name: James Fisher

Contact: dirbuster@sittinglittleduck.com

OWASP Role: DirBuster Project Lead

Day Job: Senior Security Consultant @ Portcullis Computer Security Ltd

Time In Computer Security: 7+ Years

What is DirBuster?

A web application file and directory brute forcer

Designed to find hidden and unlinked content

Uses custom lists to do this

Has both a GUI and a limited command line

Features Overview

Multi-threaded: has been recorded at over 6000 requests/sec

Works over both HTTP and HTTPS

Scans for both directories and files

Will recursively scan deeper into directories it finds

Able to perform a list-based or pure brute-force scan

Custom HTTP headers can be added

Proxy support

Auto-switching between HEAD and GET requests

Content analysis mode for when failed attempts come back as 200

Performance can be adjusted while the program is running

Supports Basic, Digest and NTLM auth

Default file scanning with the Nikto database

When to use DirBuster

Black Box Application Assessment

Unidentified web servers during network assessments

For very crude stress testing

The Lists

Custom lists generated by finding what developers actually use

How? By spidering the internet

The lists are then ordered by frequency

DirBuster comes with 8 separate lists

Explicit Words

This may surprise you: there is porn on the internet

The spider visited a few

Is the inclusion of explicit words a problem?

If such words are present on commercial websites, I am 100% sure they would wish to know!

When a 404 is not a 404!

Detecting a 404 is not as simple as it appears!

404s that are returned as 200s

Directories that return 403 for everything

Web servers that return different error pages based on extension

When a 404 is not a 404!

Trying to solve this problem

A base case is established for each directory and file extension

200s are normalised

If all else fails – regex

It's not perfect, but it's flexible enough to get results 99% of the time
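As an added illustration of the approach on this slide (example code, not DirBuster's own implementation), the three steps in Python: learn a base case per directory and extension by requesting a name that cannot exist, normalise 200 bodies before comparing them, and fall back to a regex when the comparison is inconclusive. The fake_fetch function and SAMPLE_SITE are a constructed stand-in for a web server so the example runs offline.

```python
import re
import secrets
# Constructed stand-in for a web server (not a real site): (directory, ext, name) -> (status, body).
# /app/ answers missing files with a friendly 200 page (a "soft 404"); /static/ returns a real 404.
SAMPLE_SITE = {
    ("/app/", ".php", "login"): (200, '<h1>Login</h1><form action="login.php"></form>'),
    ("/app/", ".php", "admin"): (302, "Redirecting to /app/login.php"),
    ("/static/", ".css", "site"): (200, "body { margin: 0 }"),
}

def fake_fetch(directory, name, ext):
    """Stand-in for an HTTP GET against the constructed site; returns (status, body)."""
    hit = SAMPLE_SITE.get((directory, ext, name))
    if hit:
        return hit
    if directory == "/static/":
        return 404, "Not Found"
    ref = sum(map(ord, name))  # per-request id, like the changing reference on a real error page
    return 200, f"<h1>Oops</h1>\n<p>{directory}{name}{ext} could not be found. Ref {ref}</p>"

def normalise(body, requested):
    """Drop the requested path, runs of digits (assumed to be ids/timestamps) and surplus whitespace."""
    body = body.replace(requested, "{PATH}")
    body = re.sub(r"\d+", "{N}", body)
    return re.sub(r"\s+", " ", body).strip()

# Last resort: phrases that mark an error page even when normalisation left differences.
SOFT404_RE = re.compile(r"not\s+found|does\s+not\s+exist|could\s+not\s+be\s+found", re.I)

def base_case(fetch, directory, ext):
    """Request a random name that cannot exist to learn what 'missing' looks like here."""
    name = secrets.token_hex(6)
    status, body = fetch(directory, name, ext)
    return status, normalise(body, f"{directory}{name}{ext}")

def classify(fetch, directory, name, ext, base):
    """Return 'exists' or 'missing' for one candidate by comparing it with the base case."""
    base_status, base_body = base
    status, body = fetch(directory, name, ext)
    if status != base_status:  # any status change from the base case is a finding
        return "missing" if status == 404 else "exists"
    if status == 404:  # base case was a real 404, and so is this
        return "missing"
    if normalise(body, f"{directory}{name}{ext}") == base_body:
        return "missing"  # same error page with the path swapped out
    return "missing" if SOFT404_RE.search(body) else "exists"

def scan(fetch, directory, ext, words):
    base = base_case(fetch, directory, ext)  # one base case per (directory, extension)
    return {w: classify(fetch, directory, w, ext, base) for w in words}
```

With the constructed site, scan(fake_fetch, "/app/", ".php", ["login", "admin", "backup"]) reports login and admin as existing and backup as missing even though backup.php came back as a 200.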


DirBuster is an offensive tool

Helps find new attack vectors

Lots of features to help get accurate results