[Owasp-leaders] Pentesting: Is there a collection of REs for HTTP response analysis?

Ryan Barnett ryan.barnett at breach.com
Fri Nov 20 13:06:58 EST 2009


On Friday 20 November 2009 11:15:09 am Andrew Petukhov wrote:
> Leaders,
> does any one know, if there is a database of regular expression for
> testing HTTP responses while doing a pentest?
> 
> Let me outline the problem (in a simplistic way):
> - a black-box scanner can detect successful XSS by noticing the code it
> had injected in subsequent pages;
> - a black-box scanner can detect SQLI blindly;
> - other possible manifestations of an exploited vulnerability are 5xx
> codes and error mesages.
> 
> I know only about ModSecurity Core Rule Set. It can be used to detect
> error messages.
> 
> Does anyone know other sources?
> 
> Thanks in advance!
> 
> Andrew Petukhov,
> Moscow State University

Check out the GREP section of W3AF - http://w3af.sourceforge.net/plugin-
descriptions.php#grep

You can use these same regexs to check the http response for apps you are 
testing.

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com


More information about the OWASP-Leaders mailing list