[Owasp-testing] off topic? Web application discovery

Mauro Bregolin mauro.bregolin at gmail.com
Wed Oct 18 10:23:41 EDT 2006

Don't know if you agree to include the following stuff in the testing guide
or not... I'd say it fits into 4.2.x


The following considerations apply to black box testing.


With the proliferation of virtual web servers, the traditional 1:1-type
relationship between an IP address and a web server is losing much of its
original significance. It is not uncommon to have multiple web sites /
applications whose symbolic names resolve to the same IP (and this scenario
is not limited to hosting environments, but applies to ordinary corporate
environments as well).

Sometimes you are given a bunch of IP addresses (maybe just one...) to test.
No other knowledge. You may argue this is more of a pentest-type engagement,
but in my experience it is not that infrequent, and if you stumble on a
webapp, you test it, right? Problem is, the IP address they gave you hosts
an http service on port 80, but if you access it specifying the IP address
(which is all you know) it reports "No web server configured at this
address" or a similar message. But that box could "hide" a bunch of webapps,
associated with unrelated symbolic (DNS) names. Obviously the extent of your
analysis is deeply affected by whether you test the applications or
you do not - because you don't notice them, or you notice only SOME of them.

Again, in my experience sometimes clients refuse to give more information in
addition to IP addresses, or they provide incomplete name lists (!) so it is
worth doing a discovery.
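As an added illustration (not part of the original post), the following Python models the mechanism behind the "No web server configured at this address" behaviour: a name-based virtual host is selected purely by the HTTP/1.1 Host header, so a request by bare IP hits the default. The second function is the defender-side counterpart of the discovery problem: grouping your own DNS names by resolved address to see which names share an IP. All hostnames, addresses and vhost labels are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: three name-based vhosts configured on a single IP.
VHOSTS = {
    "www.example.test": "corporate site",
    "intranet.example.test": "employee portal",
    "legacy.example.test": "old ordering app",
}
DEFAULT_RESPONSE = "No web server configured at this address"


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "version": version, "headers": headers}


def dispatch(raw: bytes) -> str:
    """Select the vhost the way a name-based server does: by Host header.
    A request with an IP literal, an unknown name or no Host at all falls
    through to the default site, which is exactly what a tester sees when
    only the IP address is known."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    return VHOSTS.get(host, DEFAULT_RESPONSE)


def group_by_ip(records):
    """Inventory check: which of our DNS names share an address?
    records: iterable of (hostname, ip) pairs, e.g. from your own zone.
    Returns only the addresses that carry more than one name."""
    by_ip = defaultdict(set)
    for name, ip in records:
        by_ip[ip].add(name.lower())
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


# Constructed sample zone data for the inventory check.
SAMPLE_RECORDS = [
    ("www.example.test", "192.0.2.10"),
    ("intranet.example.test", "192.0.2.10"),
    ("legacy.example.test", "192.0.2.10"),
    ("mail.example.test", "192.0.2.25"),
]
```

Running `dispatch` on a request whose Host header is the bare IP returns the default message, while the same request with `Host: intranet.example.test` reaches the portal; `group_by_ip(SAMPLE_RECORDS)` reports the three names sharing 192.0.2.10.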


Determining, black-box, which virtual servers reside on the same IP is not a
trivial task, and in general does not have a complete solution.

I have compiled a list of services on the web which may be used to help with
this sort of reverse query (some of them do DNS name searching, which is
equally important: given a domain name, find which symbolic names are
defined - in the absence of zone transfers, obviously). Of course contributions
are welcome. These services tend to return different results (because they are
often partial results), so it's better to try many of them for "better

netcraft search DNS: http://searchdns.netcraft.com/?host

Domain tools reverse IP: http://www.domaintools.com/reverse-ip/ (requires
free membership)

msn search: search.msn.com, syntax: "ip:x.x.x.x" (without the quotes)

webhosting info: http://whois.webhosting.info/,
http://whois.webhosting.info/x.x.x.x (reverse IP)

DNSstuff: http://www.dnsstuff.com/ (multiple services)

http://net-square.com/msnpawn/index.shtml (multiple queries on domains and
IP addresses, must be installed)

tomDNS: http://www.tomdns.net/ (some services still private)

SEOlogs.com http://www.seologs.com/ip-domains.html (reverse ip/domain
To sum it up: Technically it's not web app assessment, but it may often be a
prerequisite. In my opinion, it naturally fits into the Information
Gathering phase.