[Owasp-testing] off topic? Web application discovery

Matteo Meucci matteo.meucci at gmail.com
Wed Oct 18 10:39:24 EDT 2006


That's fine.
We can add a new "4.2.1 Application Discovery"...before spidering and googling.
What do you think?

Mat



On 10/18/06, Mauro Bregolin <mauro.bregolin at gmail.com> wrote:
>
> Don't know if you agree to include the following stuff in the testing guide
> or not... I'd say it fits into 4.2.x
>
> The following considerations apply to black box testing.
>
> With the proliferation of virtual web servers, the traditional 1:1-type
> relationship between an IP address and a web server is losing much of its
> original significance. It is not uncommon to have multiple web sites /
> applications whose symbolic names resolve to the same IP (and this scenario
> is not limited to hosting environments, but applies to ordinary corporate
> environments as well).
>
> Sometimes you are given a bunch of IP addresses (maybe just one...) to test.
> No other knowledge. You may argue this is more of a pentest-type engagement,
> but in my experience it is not that infrequent, and if you stumble on a
> webapp, you test it, right? Problem is, the IP address they gave you hosts
> an http service on port 80, but if you access it specifying the IP address
> (which is all you know) it reports "No web server configured at this
> address" or a similar message. But that box could "hide" a bunch of webapps,
> associated with unrelated symbolic (DNS) names. Obviously the extent of your
> analysis is deeply affected by the fact that you test the applications, or
> you do not - because you don't notice them, or you notice only SOME of them.
>
> Again, in my experience sometimes clients refuse to give more information in
> addition to IP addresses, or they provide incomplete name lists (!) so it is
> worth doing a discovery.
>
> Determining black-box which virtual servers reside on the same IP is not a
> trivial task, and in general does not have a complete solution.
>
> I have compiled a list of services on the web which may be used to help with
> this sort of reverse query (some of them do DNS name searching, which is
> equally important: given a domain name, find which symbolic names are
> defined - in absence of zone transfers, obviously). Of course contributions
> are welcome. These services tend to return different results (because they are
> often partial results), so it's better to try many of them for "better
> coverage".
>
> netcraft search DNS: http://searchdns.netcraft.com/?host
>
> Domain tools reverse IP:
> http://www.domaintools.com/reverse-ip/ (requires free
> membership)
>
> msn search: search.msn.com, syntax: "ip:x.x.x.x" (without the quotes)
>
> webhosting info: http://whois.webhosting.info/,
> http://whois.webhosting.info/x.x.x.x (reverse IP)
>
> DNSstuff: http://www.dnsstuff.com/ (multiple services)
>
> http://net-square.com/msnpawn/index.shtml (multiple queries
> on domains and IP addresses, must be installed)
>
> tomDNS: http://www.tomdns.net/ (some services still private)
>
> SEOlogs.com http://www.seologs.com/ip-domains.html (reverse
> ip/domain lookup)
>
> To sum it up: Technically it's not web app assessment, but often may be a
> prerequisite. In my opinion, it naturally fits into the Information
> Gathering phase.
>
> cheers,
>
> Mauro


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide
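As an added illustration (not code from the thread or from the Testing Guide), a Python sketch of the discovery workflow Mauro describes: merge the partial name lists returned by several reverse-IP / DNS-search services, keep the names that actually resolve to the IP under test, and check which of them the server answers with a distinct application rather than its default "No web server configured" page. The service results, DNS table and server responses are constructed stand-ins; a real run would pass socket.gethostbyname and an HTTP fetch that sets the Host header.

```python
import socket

# Constructed stand-in for partial results from several lookup services;
# each service knows only some of the names, which is why they are merged.
SOURCE_RESULTS = {
    "service-a": ["www.example.test", "intranet.example.test"],
    "service-b": ["www.example.test", "old-shop.example.test"],
    "service-c": ["mail.example.test"],
}

# Constructed DNS table (hypothetical addresses from the 192.0.2.0/24 test range).
DNS_TABLE = {
    "www.example.test": "192.0.2.10",
    "intranet.example.test": "192.0.2.10",
    "old-shop.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.20",
}

# Constructed name-based virtual hosting: the server picks the application by
# Host header and answers anything else (including the bare IP) with a default.
VHOST_CONTENT = {
    "www.example.test": (200, "<h1>Corporate site</h1>"),
    "intranet.example.test": (200, "<h1>Intranet login</h1>"),
}
DEFAULT_PAGE = (404, "No web server configured at this address")


def fake_fetch(ip, host_header):
    """Stand-in for an HTTP GET to `ip` with the given Host header."""
    return VHOST_CONTENT.get(host_header, DEFAULT_PAGE)


def merge_sources(results):
    """Union of all partial name lists, normalised, so each source adds coverage."""
    return sorted({n.lower().rstrip(".") for names in results.values() for n in names})


def names_on_ip(names, ip, resolve=socket.gethostbyname):
    """Keep only the names whose A record points at the target IP."""
    found = []
    for name in names:
        try:
            if resolve(name) == ip:
                found.append(name)
        except OSError:  # unresolvable name: not hosted here
            pass
    return found


def discover_vhosts(ip, names, fetch):
    """Names the server serves as a distinct application: their response
    differs from the baseline obtained by requesting the bare IP."""
    baseline = fetch(ip, ip)
    return [n for n in names if fetch(ip, n) != baseline]
```

In the constructed data, old-shop.example.test still resolves to the IP but is answered with the default page, so it is reported as a stale name rather than a live application.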