WebApp Sec: RE: webapp dependencies

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

RE: webapp dependencies

From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 20 Apr 2005 08:26:49 +0200

On 19 Apr 2005 at 23:21, Matt Fisher wrote:


  I'd really be interested in hearing about it if anyone finds a good
tool / technique but at this point I really don't see how it could be
sufficiently performed from any client sided product such as crawlers,
scanners, accessibility testers etc.


I'd take quite a different approach. At runtim, attach to the web 
process at a low level (kernel?), e.g. strace, and log access to 
files. Then use a crawler to enumerate (to the extent possible) all 
flows through the app. This should give you the list of files 
accessed by the web server process (there are many detailed to be 
ironed out, such as server caching, spawning new proceses, etc. but I 
believe it's doable).

In the above example, once you make a hit on the page.asp, strace 
would first show the web process to read page.asp, and immediately 
thereafter page1.html.

-Amit

By Date By Thread

Current thread:

Re: webapp dependencies, (continued)
- Re: webapp dependencies Scovetta Labs (Apr 13)
  - Re: webapp dependencies victor calzado (Apr 14)
- RE: webapp dependencies Ory Segal (Apr 14)
- Re: webapp dependencies moty yacov (Apr 18)
- RE: webapp dependencies Matt Fisher (Apr 20)
  - RE: webapp dependencies Amit Klein (AKsecurity) (Apr 20)
- RE: webapp dependencies Ory Segal (Apr 20)
  - RE: webapp dependencies Amit Klein (AKsecurity) (Apr 21)
- RE: webapp dependencies Matt Fisher (Apr 20)
- RE: webapp dependencies Ryan C. Barnett (Apr 20)
- RE: webapp dependencies Scovetta, Michael V (Apr 21)