Wednesday, July 9, 2008

Penetration testing tools - DirBuster

| Armando Romeo |
I decided to take a break from giving my two cents about the hot topics in the security industry and write some posts about the best tools for a web application penetration tester.

The selected tools are the ones I personally use every day and know better.
Comments are welcome on alternatives available in the open source area since I'm not going through commercial tools.

The tools order will follow the natural order of use: Information gathering tools, Proxy tools (for manual exploration/exploitation), Attacking tools.

Among the information gathering tools DirBuster is one of the most effective (surprising sometimes) when trying to widen the attacking surface.

A penetration tester must ensure, before any attacking attempt, to have the widest "sight" of the application and find out all the hidden features that the developer may have left somewhere in the web site root.
This is just the purpose of DirBuster.

The difference between a simple spider and DirBuster is that DirBuster sees what a spider can't !

DirBuster is an OWASP project aimed at discovering all those directories or files that a spider/crawler is not able to pick. It works using a wordlist of different sizes to check the existence of such files or as a fuzzer/brute forcer.

Web application developers tend to give common names to files or folders meant to be hidden relying on the fact that these files or folders are not linked and as such hidden from crawlers.

Wrong developers! Never play security by obscurity!

Folders like /admin, /administrator or /private and similar are included in the directory names lists provided with the tool.
In my personal experience the use of just the small directory names lists will discover a lot of interesting stuff while using the fuzzer you can exploit business logic flaws as well.

Another nice usage of this tool is when you encounter a password protected folder. In one of my recent penetration testing efforts I had a password protected /admin directory. The use of DirBuster fuzzer found out the existence of a bunch of files, in that directory, not being protected (the loggedin status hence the session var was not checked) and as such freely available without bruteforcing the authentication

The fuzzer sometimes hangs, the project is still in beta. I hope they can improve it because it is essential and very easy to use.
As an altearnative to path fuzzer/brute forcer I use webscarab or webshag.

DirBuster addons are:

- capability of using custom headers (you can use your own cookie)
- capability of using a proxy
- adding new HTML elemtns to extract links from

This is one of the first tool I fire up when starting a new job. It's extremely useful, lightweight and surprising!

Next time: Nikto/Wikto

Free Security Magazines