
RE: Website "Scanner"

From: Brass, Phil (ISS Atlanta) <PBrass(at)iss.net>
Date: Fri Jan 10 2003 - 12:07:18 EST


I disagree with "increase exponentially".

Let's say you have a list of file name substitutions to try. Maybe something like
#replace existing extension

s/\.[^.]+$/.bak/
s/\.[^.]+$/.bkup/
s/\.[^.]+$/.old/
s/\.[^.]+$/.zip/

#intermediate extension

s/\.([^.]+)$/.bak.\1/
s/\.([^.]+)$/.bkup.\1/
s/\.([^.]+)$/.old.\1/

#add to original extension

s/$/.bak/
s/$/.bkup/
s/$/.old/
s/$/.zip/

#prepend possible backup directory names

s/^/\/bkup/
s/^/\/backup/
s/^/\/old/
s/^/\/save/

And so on. If I have a spider, I am going to be making, for this list, 15 requests extra for each file I find. This is hardly an exponential increase. It is a factor of 15 increase. Furthermore, I can probably use HEAD or a 1-byte byte-range to keep the responses pretty small, so I'm not consuming even as much bandwidth as the original page, and it probably would average out to about the same as requesting each page twice in terms of bytes received.

I find, from reviewing several web server directory listings, that there very often seems to be one or two files like this, and if they are script files and the extension is at the end, a source disclosure vulnerability results.

The other point is, even if it was an exponential time increase, there are some circumstances (when nothing else has worked for example) where I basically have all the time in the world (or until the testing window closes anyway). It's better to have a script banging its head against the wall for you for a week than it is to give up and say "Welp, must not be vulnerable then".


Phil

> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez@germinus.com]
> Sent: Thursday, January 09, 2003 7:57 AM
> To: sullo@cirt.net
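Added example, not part of the original message: the 15 sed substitutions above translated to Python, used to make the linear-growth point concrete (15 candidates per discovered file, so 15n requests for n files) and to let a site owner audit their own document root for stray backup copies that the server would return as plain source. The script-extension set and the sample file lists are constructed assumptions.

```python
import re

# The substitution list from the message, translated from sed syntax to
# (pattern, replacement) pairs for re.sub. 15 rules in total.
RULES = [
    # replace existing extension
    (r"\.[^.]+$", ".bak"), (r"\.[^.]+$", ".bkup"),
    (r"\.[^.]+$", ".old"), (r"\.[^.]+$", ".zip"),
    # intermediate extension (original extension stays at the end)
    (r"\.([^.]+)$", r".bak.\1"), (r"\.([^.]+)$", r".bkup.\1"),
    (r"\.([^.]+)$", r".old.\1"),
    # add to original extension
    (r"$", ".bak"), (r"$", ".bkup"), (r"$", ".old"), (r"$", ".zip"),
    # prepend possible backup directory names
    (r"^", "/bkup"), (r"^", "/backup"), (r"^", "/old"), (r"^", "/save"),
]

# Extensions the server hands to an interpreter (assumed list; adjust per
# site). A file whose final extension is not in here is served verbatim.
SCRIPT_EXTENSIONS = {"php", "pl", "asp", "cgi", "jsp"}


def candidates(path):
    """Apply each rule once to one discovered path: one candidate per rule."""
    return [re.sub(pat, rep, path, count=1) for pat, rep in RULES]


def request_count(paths):
    """Extra requests for a spidered list: linear, len(RULES) per file."""
    return sum(len(candidates(p)) for p in paths)


def served_as_source(path):
    """True if the final extension would not be handed to an interpreter."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return ext not in SCRIPT_EXTENSIONS


def exposed_copies(paths, present):
    """Candidate names that exist on disk and would be returned as source."""
    return [c for p in paths for c in candidates(p)
            if c in present and served_as_source(c)]


# Constructed sample: paths a spider found, and files actually present in
# the document root (listed from disk by the site owner).
SPIDERED = ["/index.php", "/admin/login.php"]
PRESENT = {"/index.php", "/index.php.bak", "/admin/login.php",
           "/old/admin/login.php", "/admin/login.old.php"}

if __name__ == "__main__":
    print(request_count(SPIDERED))            # 30 = 15 rules x 2 files
    print(exposed_copies(SPIDERED, PRESENT))  # ['/index.php.bak']
```

Note that /admin/login.old.php and /old/admin/login.php still end in .php and are executed rather than disclosed, which is why only the trailing-extension copy is flagged.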
Received on Fri Jan 10 12:16:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:47 EDT
