Sla.ckers.org
App Scanners
Posted by: sjensen
Date: November 02, 2006 08:28PM

Is anyone aware of any web app scanning tools that can either scan protected areas (without supplying credentials) or run brute force attacks against these areas to gain access?

I'm asking this because my company has stated that our sites are immune to web scanning, because all applications require an individual to log in first prior to accessing any "sensitive" information. And they say application scanners can't create a layout of the website structure with this type of protection in place.

Any feedback is appreciated.

Re: App Scanners
Posted by: rsnake
Date: November 02, 2006 10:39PM

Actually, to my knowledge that was the very first form of application scanning out there. It was stuff like wwwhack and then much later whisker. Are you looking for basic auth brute forcers or something different?

One of my major issues with all brute force scripts is that they don't take into account password policies. If I had more time on my hands I'd write a better one.

- RSnake
Gotta love it. http://ha.ckers.org

Re: App Scanners
Posted by: sjensen
Date: November 03, 2006 11:55AM

Basically, anything that could run a brute force or dictionary attack against forms authentication or Basic Auth.

I know Paros can't scan a "password" protected area without having those credentials supplied first. However, I'm not sure about other products, such as WebInspect, Acunetix, etc. Password policies would be the biggest hurdle.
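From the defender's side, the form-login and Basic Auth guessing described in this thread leaves a plain signature in the web server's access log: a burst of 401 responses on a Basic Auth path, or a burst of POSTs to the login form, from one client. The following is an added example (not from the thread, and not code from Paros, WebInspect or any tool named here) that flags such bursts in a constructed log; the login path `/login.aspx`, the threshold and the client addresses are assumptions.

```python
import re
from collections import defaultdict

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/login.aspx"}  # hypothetical forms-auth login URL
THRESHOLD = 5                  # attempts from one client before alerting


def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bruteforce(lines, threshold=THRESHOLD):
    """Map client IP -> (kind, attempt count, got_in) for clients over the threshold.

    kind is "basic-auth" (repeated 401 challenges) or "forms-auth" (repeated
    POSTs to the login form); got_in is True when the same client later got a
    200 on a non-login path, i.e. a guess probably succeeded.
    """
    basic = defaultdict(int)   # ip -> number of 401 responses
    forms = defaultdict(int)   # ip -> number of POSTs to the login form
    succeeded = set()
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip, status, path, method = r["ip"], r["status"], r["path"], r["method"]
        if status == "401":
            basic[ip] += 1
        elif method == "POST" and path in LOGIN_PATHS:
            forms[ip] += 1
        elif status == "200" and (basic[ip] >= threshold or forms[ip] >= threshold):
            succeeded.add(ip)  # access granted after a burst of attempts
    alerts = {}
    for ip in set(basic) | set(forms):
        if basic[ip] >= threshold:
            alerts[ip] = ("basic-auth", basic[ip], ip in succeeded)
        elif forms[ip] >= threshold:
            alerts[ip] = ("forms-auth", forms[ip], ip in succeeded)
    return alerts


def _line(ip, method, path, status, sec):  # builds one constructed log line
    return f'{ip} - - [03/Nov/2006:11:55:{sec:02d} -0600] "{method} {path} HTTP/1.1" {status} 0'


# Constructed sample log: one Basic Auth burst, one form-login burst, one normal login.
SAMPLE_LOG = (
    [_line("10.0.0.5", "GET", "/admin/", 401, s) for s in range(1, 7)]
    + [_line("10.0.0.5", "GET", "/admin/", 200, 7)]
    + [_line("10.0.0.9", "POST", "/login.aspx", 302, s) for s in range(10, 16)]
    + [_line("10.0.0.9", "GET", "/account/", 200, 16)]
    + [_line("192.168.1.20", "POST", "/login.aspx", 302, 20),
       _line("192.168.1.20", "GET", "/account/", 200, 21)]
)
```

Running `find_bruteforce(SAMPLE_LOG)` reports the two bursting clients and marks both as having got in afterwards, while the single ordinary login is not flagged; a production version would also bucket the counts by time window rather than over the whole file.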


Re: App Scanners
Posted by: rsnake
Date: November 03, 2006 01:16PM

I haven't played much with the commercial stuff (I'm on a budget). But you could always try the open-sourced stuff: http://www.hoobie.net/brutus/brutus-download.html

- RSnake
Gotta love it. http://ha.ckers.org

Re: App Scanners
Posted by: id
Date: November 03, 2006 02:10PM

hydra from http://thc.org can brute force lots of different login types; you can probably use the web form attack module.

-id

Re: App Scanners
Posted by: rsnake
Date: November 03, 2006 04:44PM

Is that how you haX your grandmother porn? Sicko.

- RSnake
Gotta love it. http://ha.ckers.org
