Well,

That sounds like you're not doing something legal with it. If you are the owner of the server/system, just dir or list them. Another hint is that if the administrator has disabled the Index option, it's probably because you can't do it (legally speaking).

Nelson

----- Original Message -----
From: <backed.up.by.2048.bit.encryption@hushmail.com>
To: <sullo@cirt.net>
Cc: <webappsec@securityfocus.com>; <vuln-dev@securityfocus.com>
Sent: Wednesday, January 08, 2003 3:22 PM
Subject: Re: Website "Scanner"
> -----BEGIN PGP SIGNED MESSAGE-----
>
> rather trying to intelligently "guess" what else is in that directory. Either through dictionary use or other use. For example the following is publicly accessible:
>
> http://www.microsoft.com/new_products/bigwinner2003.html
>
> the words "big" "winner" "2003" and let our dictionary spin:
>
> biggerwinner2003.html - nothing publicly, we try to guess the names of whatever else might be in that directory.
>
> You can do this manually with small time sites and obvious file names e.g. index1.html...index2.html etc. Even annualreport2002.html is visible, try annualreport.2003.html
>
> You can guess and hit on files that are not intended for public consumption.
>
> If it can be automated with user input for obvious keywords, you probably could strike many interesting and sensitive files in the directory.
>
> -----BEGIN PGP SIGNATURE-----

Received on Thu Jan 9 08:45:01 2003
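From the server owner's side, the guessing described in the quoted message shows up in access logs as a run of 404s for names that are near-variants of a file that really exists in the same directory. The following is an added example, not part of the original thread, that flags such runs; the log lines, client addresses, thresholds and the function name `find_name_guessing` are constructed for illustration.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from posixpath import basename, dirname

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jan/2003:08:40:01 -0500] "GET /new_products/bigwinner2003.html HTTP/1.0" 200 5120
198.51.100.7 - - [09/Jan/2003:08:40:02 -0500] "GET /new_products/biggerwinner2003.html HTTP/1.0" 404 210
198.51.100.7 - - [09/Jan/2003:08:40:02 -0500] "GET /new_products/bigwinner2002.html HTTP/1.0" 404 210
198.51.100.7 - - [09/Jan/2003:08:40:03 -0500] "GET /new_products/bigwinner2004.html HTTP/1.0" 404 210
198.51.100.7 - - [09/Jan/2003:08:40:03 -0500] "GET /new_products/bigloser2003.html HTTP/1.0" 404 210
198.51.100.7 - - [09/Jan/2003:08:40:04 -0500] "GET /reports/annualreport2002.html HTTP/1.0" 200 9000
198.51.100.7 - - [09/Jan/2003:08:40:05 -0500] "GET /reports/annualreport.2003.html HTTP/1.0" 404 210
203.0.113.20 - - [09/Jan/2003:08:41:00 -0500] "GET /new_products/bigwinner2003.html HTTP/1.0" 200 5120
203.0.113.20 - - [09/Jan/2003:08:41:01 -0500] "GET /favicon.ico HTTP/1.0" 404 210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def find_name_guessing(log_text, min_misses=3, min_similarity=0.7):
    """Return (client, directory, guessed_names) for clients whose 404s in one
    directory are near-variants of files that the directory actually serves."""
    served = defaultdict(set)   # directory -> filenames answered with 200
    misses = defaultdict(set)   # (client, directory) -> filenames answered with 404
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that are not GET/HEAD in the expected format
        client, path, status = m.groups()
        path = path.split("?", 1)[0]
        directory, name = dirname(path), basename(path)
        if status == "200":
            served[directory].add(name)
        elif status == "404":
            misses[(client, directory)].add(name)
    findings = []
    for (client, directory), names in misses.items():
        # Keep only misses that look like mutations of a name that exists there.
        near = sorted(
            n for n in names
            if any(SequenceMatcher(None, n, s).ratio() >= min_similarity
                   for s in served[directory]))
        if len(near) >= min_misses:
            findings.append((client, directory, near))
    return sorted(findings)

if __name__ == "__main__":
    for client, directory, names in find_name_guessing(SAMPLE_LOG):
        print(f"{client} guessed {len(names)} names in {directory}: {names}")
```

The thresholds are assumptions to tune per site: a single miss such as the `annualreport.2003.html` request stays below `min_misses`, and the stray `favicon.ico` 404 is ignored because it resembles nothing served from its directory.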