[Owasp-testing] Tool for identification of application entry points

Pavol Luptak pavol.luptak at nethemba.com
Sat Dec 13 14:38:25 EST 2008


Hi guys,
regarding the phase "Testing: Identify application entry points (OWASP-IG-003)"
http://www.owasp.org/index.php/Testing:_Identify_application_entry_points_(OWASP-IG-003)

do you know of any fully automated tools that are able to identify application
entry points, all GETs and their parameters, all POSTs and their parameters, and
provide the following simple output:

GET: example1.php (par1, par2, par3)
POST: example2.asp (par3, par4)
POST: example3.phtml (par5, par6)

I used Paros, but it has a problem with spidering .NET applications where
every POST is sent with a unique hashed VIEW_STATE checksum.

From the Burp Suite spider "show results" it is not clear if a given URL is GET
or POST, and there is no "export" option for the above-mentioned output.

WebScarab provides only a very comprehensive output (all HTTP requests, methods,
hosts, paths and their parameters); I just need a summary of the names of all
used scripts, their methods (GET/POST) and their parameters.

I expect really trivial functionality, because for a complex web with
thousands of scripts and parameters I can't do it manually.

Thanks a lot,

Pavol
-- 
______________________________________________________________________________
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
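
Added example, not part of the original post: a short Python script that produces the summary format asked for above from raw HTTP requests captured during testing. It assumes the requests are available as raw text (the sample traffic and host name are constructed) and merges them by parameter name only, so POSTs that differ just in the value of the ASP.NET `__VIEWSTATE` field collapse into a single entry.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic (not from the original post). The two POSTs differ
# only in the value of the ASP.NET __VIEWSTATE field.
SAMPLE_REQUESTS = [
    "GET /example1.php?par1=a&par2=b HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "GET /example1.php?par3=c&par1=z HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "POST /example2.aspx HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "__VIEWSTATE=dDwtMTA4Ow%3D%3D&par3=x&par4=y",
    "POST /example2.aspx HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "__VIEWSTATE=Zm9vYmFyMTIz&par3=q&par4=r",
]

def parse_request(raw):
    """Return (method, script path, parameter names) for one raw HTTP request."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    # Only form-encoded bodies are parsed; multipart and JSON are out of scope.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(body.strip(), keep_blank_values=True)]
    return method.upper(), url.path.lstrip("/"), names

def summarize(requests):
    """Merge requests by (method, path), keyed on parameter names, never values."""
    entry_points = {}
    for raw in requests:
        try:
            method, path, names = parse_request(raw)
        except (ValueError, IndexError):
            continue  # skip input that is not a well-formed request
        seen = entry_points.setdefault((method, path), [])
        for name in names:
            if name not in seen:
                seen.append(name)
    return [f"{m}: {p} ({', '.join(ns)})" for (m, p), ns in entry_points.items()]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REQUESTS)))
```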