I need some clarification of your environment to properly be of help...
Is the application not using https?
If not just sit a client on the same subnet and watch normal traffic to
the webserver with a tool like ethereal or etherpeek... your client
will soon see that there are plenty of ways to skin a cat...
It's all about networking after all...
njoy the looks on their faces.
Sean Swayze
swayze AT pcsage DOT biz
On 7-Jan-05, at 11:35 AM, Lists wrote:
> Hi Everyone,
>
> I am auditing a system where files are stored on a web server and
> accessed without authentication directly by an application that knows
> each file URL. I don't like it but the app owner wants me to
> demonstrate that someone could guess the URLs. I have tried a number
> of spider tools but they are based on links so they don't pull up
> anything.
>
> I am wondering if there is a tool or another method where I could find
> out all the URLs on the web site. The funny thing is I saw this same
> kind of system with the same explanation just the other week at
> another company. Maybe its a new trend...
>
> Regards,
> sakaba
>
Received on Jan 10 2005
Intro
