
OWASP DirBuster - Training



  1. James Fisher, DirBuster Project Lead, dirbuster@sittinglittleduck.com. OWASP DirBuster - Training, May 2010.

  2. Introductions – Who Am I
     - Name: James Fisher
     - Contact: dirbuster@sittinglittleduck.com
     - OWASP Role: DirBuster Project Lead
     - Day Job: Senior Security Consultant @ Portcullis Computer Security Ltd
     - Time In Computer Security: 7+ Years

  3. What's To Come?

  4. What is DirBuster?
     - A web application file and directory brute forcer
     - Designed to find hidden and unlinked content
     - Uses custom lists to do this
     - Both GUI and limited command line

  5. Features Overview
     - Multi-threaded; has been recorded at over 6000 requests/sec
     - Works over both HTTP and HTTPS
     - Scans for both directories and files
     - Will recursively scan deeper into directories it finds
     - Able to perform a list-based or pure brute force scan
     - Custom HTTP headers can be added
     - Proxy support
     - Auto switching between HEAD and GET requests
     - Content analysis mode for when failed attempts come back as 200
     - Performance can be adjusted while the program is running
     - Supports Basic, Digest and NTLM auth
     - Default file scanning with the Nikto database

  6. When to use DirBuster
     - Black box application assessments
     - Unidentified web servers during network assessments
     - For very crude stress testing

  7. What vulnerabilities does it detect? None!

  8. The Lists
     - Custom lists generated by finding what developers actually use
     - How? Spider the internet
     - The lists are then ordered by frequency
     - DirBuster comes with 8 separate lists

  9. Explicit Words
     - This may surprise you: there is porn on the internet
     - The spider visited a few
     - Is the inclusion of explicit words a problem?
     - If such words are present on commercial websites, I am 100% sure they would wish to know!

  10. When a 404 is not a 404!
     - Detecting a 404 is not as simple as it appears!
     - 404s that are returned as 200s: static, dynamic
     - Directories that return 403 for everything
     - Web servers that return different error pages based on extension

  11. When a 404 is not a 404! Trying to solve this problem
     - Base case for each directory and file extension
     - 200s are normalised
     - If all else fails – regex
     - It's not perfect, but it's flexible enough to get results 99% of the time
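The approach on slides 10 and 11 (and the "content analysis mode" on slide 5) in working form, as an added example that is not DirBuster's own code: a baseline response is recorded per (directory, extension) for a path that cannot exist, 200 bodies are normalised before comparison, and a regex is the fallback when no baseline is known. The class, helper names, the 0.9 similarity threshold and the response bodies are all constructed for this illustration.

```python
import posixpath
import re
from difflib import SequenceMatcher

# Last-resort fallback when no baseline exists: phrases common in "not found"
# pages that a misconfigured server serves with status 200 (assumed list).
NOT_FOUND_RE = re.compile(r"not found|does not exist|no such (page|file)", re.I)


def normalise(body: str, path: str) -> str:
    """Strip what varies per request (the echoed path, numbers such as request
    ids or timestamps, whitespace) so two error pages for different paths compare equal."""
    text = re.sub(r"\d+", "", body.replace(path, ""))
    return re.sub(r"\s+", " ", text).strip().lower()


class SoftNotFoundDetector:
    """One baseline per (directory, extension): the normalised body returned for
    a path that cannot exist. Later 200s in that dir/ext are compared to it."""

    def __init__(self, threshold: float = 0.9):
        self.threshold = threshold
        self.baselines: dict[tuple[str, str], str] = {}

    @staticmethod
    def key(path: str) -> tuple[str, str]:
        return posixpath.dirname(path), posixpath.splitext(path)[1]

    def add_baseline(self, path: str, body: str) -> None:
        self.baselines[self.key(path)] = normalise(body, path)

    def is_not_found(self, path: str, status: int, body: str) -> bool:
        if status == 404:
            return True
        if status != 200:
            return False  # 403/5xx are reported as-is, not classed as missing
        base = self.baselines.get(self.key(path))
        if base is not None:
            ratio = SequenceMatcher(None, base, normalise(body, path)).ratio()
            return ratio >= self.threshold
        return bool(NOT_FOUND_RE.search(body))  # no baseline: regex fallback


def classify_constructed_samples() -> dict[str, bool]:
    """Constructed responses (not captured from any real server)."""
    det = SoftNotFoundDetector()
    det.add_baseline("/images/zz9plural.html",  # a path that cannot exist
        "<h1>Oops</h1><p>The page /images/zz9plural.html could not be located.</p><p>Ref 48213</p>")
    samples = {
        "/images/admin.html": (200, "<h1>Oops</h1><p>The page /images/admin.html could not be located.</p><p>Ref 48907</p>"),
        "/images/index.html": (200, "<html><body><h1>Gallery</h1><ul><li>cat.jpg</li><li>dog.jpg</li></ul></body></html>"),
        "/docs/readme.txt": (200, "Error: the requested file does not exist"),
        "/docs/notes.txt": (200, "Notes for the next release"),
    }
    return {p: det.is_not_found(p, status, body) for p, (status, body) in samples.items()}
```

The first sample is classed as missing by baseline similarity alone (its wording deliberately matches no regex phrase), while the `/docs/` samples show the regex fallback taking over where no baseline was recorded.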

  12. Demo

  13. Summary
     - DirBuster is an offensive tool
     - Helps find new attack vectors
     - Lots of features to help get accurate results

  14. Questions?
