The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Vulnerabilities may exist at the web server layer that enable you to discover

content and functionality that is not linked within the web application itself.

For example, there have been numerous bugs within web server software that

allow an attacker to list the contents of directories, or obtain the raw source for

dynamic server-executable pages. See Chapter 17 for some examples of these

vulnerabilities, and ways in which you can identify them. If such a bug exists,

you may be able to exploit it to directly obtain a listing of all pages and other

resources within the application.

Many web servers ship with default content that may assist you in attacking

them — for example, sample and diagnostic scripts that may contain known

vulnerabilities, or contain functionality that may be leveraged for some mali-

cious purpose. Further, many web applications incorporate common third-

party components that they use for various standard functions — for example,

scripts to implement a shopping cart or interface to email servers. Nikto is a

handy tool that issues requests for a wide range of default web server content,

third-party application components, and common directory names. While

Nikto will not rigorously test for any hidden bespoke functionality, it can often

be useful in discovering other resources that are not linked within the applica-

tion and that may be of interest in formulating an attack:

manicsprout@king nikto-1.35]# perl nikto.pl

-----------------------------------------------------------------------

- Nikto 1.34/1.29     -     www.cirt.net

+ Target IP:       127.0.0.1

+ Target Hostname: localhost

+ Target Port:     80

+ Start Time:      Sat Feb  3 12:03:36 2007

-----------------------------------------------------------------------

- Scan is dependent on “Server” string which can be faked, use -g to

override

- Server did not understand HTTP 1.1, switching to HTTP 1.0

+ /bin/ - This might be interesting... (GET)

+ /client/ - This might be interesting... (GET)

+ /oracle - Redirects to /oracle/ , This might be interesting...

+ /temp/ - This might be interesting... (GET)

+ /cgi-bin/login.pl - This might be interesting... (GET)

+ 3198 items checked - 6 item(s) found on remote host(s)

+ End Time:        Sat Feb  3 12:03:55 2007 (19 seconds)

-----------------------------------------------------------------------

+ 1 host(s) tested