
Slide 1: OWASP DirBuster - Training
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
James Fisher, DirBuster Project Lead
dirbuster@sittinglittleduck.com
May 2010

Slide 2: Introductions - Who Am I
Name: James Fisher
Contact: dirbuster@sittinglittleduck.com
OWASP Role: DirBuster Project Lead
Day Job: Senior Security Consultant @ Portcullis Computer Security Ltd
Time In Computer Security: 7+ Years

Slide 3: What's To Come?

Slide 4: What is DirBuster?
- A web application file and directory brute forcer
- Designed to find hidden and unlinked content
- Uses custom word lists to do this
- Both a GUI and a limited command line interface

Slide 5: Features Overview
- Multi-threaded; has been recorded at over 6000 requests/sec
- Works over both HTTP and HTTPS
- Scans for both directories and files
- Will recursively scan deeper into directories it finds
- Able to perform a list-based or a pure brute force scan
- Custom HTTP headers can be added
- Proxy support
- Auto-switching between HEAD and GET requests
- Content analysis mode for when failed requests come back as 200
- Performance can be adjusted while the program is running
- Supports Basic, Digest and NTLM authentication
- Default file scanning with the Nikto database

Slide 6: When to use DirBuster
- Black box application assessments
- Unidentified web servers found during network assessments
- Very crude stress testing

Slide 7: What vulnerabilities does it detect?
None! DirBuster finds content; working out whether that content is vulnerable is up to the tester.

Slide 8: The Lists
- Custom lists generated by finding what developers actually use
- How? Spider the internet
- The lists are then ordered by frequency
- DirBuster comes with 8 separate lists

Slide 9: Explicit Words
- This may surprise you: there is porn on the internet
- The spider visited a few
- Is the inclusion of explicit words a problem?
- If such words are present on commercial websites I am 100% sure they would wish to know!

Slide 10: When a 404 is not a 404!
- Detecting a 404 is not as simple as it appears!
- 404s that are returned as 200s:
  - Static (the same "not found" page every time)
  - Dynamic (the page reflects the requested path or changes per request)
- Directories that return 403 for everything
- Web servers that return different error pages based on the file extension

Slide 11: When a 404 is not a 404!
- Trying to solve this problem:
- Establish a base case for each directory and file extension by requesting a name that cannot exist
- 200 responses are normalised before being compared with the base case
- If all else fails: a user-supplied regex that identifies the "not found" page
- It's not perfect, but it's flexible enough to get results 99% of the time
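The base-case approach of slides 10 and 11, plus the list-based recursive scanning of slide 5, as an added illustration written for this page; it is not DirBuster's own code. The target is a constructed in-memory stand-in (fake_server) that reproduces the awkward cases the slides list: a static soft 404, a dynamic soft 404 that reflects the path and carries a changing request id, a directory that answers 403 to everything, and a different error page for .php than for other extensions. All function names, the word list and the sample site layout are assumptions made for the example.

```python
"""Added example, not DirBuster's own code: a tiny list-based brute forcer that
learns a per-directory, per-extension "not found" baseline from a name that
cannot exist, normalises 200 bodies before comparing them, and falls back to a
regex. The web server below is a constructed stand-in, not a real target."""
import random
import re
import string
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Response = Tuple[int, str]          # (HTTP status, body)
Fetch = Callable[[str], Response]   # one GET against the target


def fake_server(path: str) -> Response:
    """Constructed target with the cases slide 10 lists: static and dynamic
    404-as-200 pages, a directory that 403s everything, and a different error
    page for .php than for other extensions."""
    real = {"/": "index", "/images/": "listing", "/images/logo.png": "PNG",
            "/admin/login.php": "login form", "/config.php": "", "/backup/": "old"}
    if path.startswith("/admin/"):
        return 403, "Forbidden"                      # 403 for everything
    if path in real:
        return 200, real[path]
    if path.endswith(".php"):
        # dynamic soft 404: reflects the path and carries a per-request id
        return 200, f"<b>Script {path} not found</b><p>Request id {random.randint(1, 10**9)}</p>"
    return 200, "<b>Oops, that page does not exist</b>"   # static soft 404


def normalise(body: str, requested: str) -> str:
    """'200s are normalised': drop the reflected path, digit runs (request ids,
    timestamps) and whitespace differences so two soft-404 pages compare equal."""
    body = body.replace(requested, "")
    body = re.sub(r"\d+", "", body)
    return re.sub(r"\s+", " ", body).strip()


def baseline(fetch: Fetch, directory: str, ext: str) -> Response:
    """Base case for one directory + extension: request a name that cannot
    exist and remember how this server says 'not found' for it."""
    probe = directory + "".join(random.choices(string.ascii_lowercase, k=12)) + ext
    status, body = fetch(probe)
    return status, normalise(body, probe)


def classify(fetch: Fetch, path: str, base: Response,
             not_found_re: Optional[str] = None) -> str:
    """Return 'found' when the response differs from the not-found baseline."""
    status, body = fetch(path)
    if not_found_re and re.search(not_found_re, body):
        return "missing"                      # 'if all else fails: regex'
    if status != base[0]:
        return "missing" if status == 404 else "found"
    if status == 200 and normalise(body, path) != base[1]:
        return "found"
    return "missing"                          # same status, same normalised page


def scan(fetch: Fetch, words: Sequence[str], exts: Sequence[str] = ("", ".php", ".png"),
         start: str = "/", max_depth: int = 1,
         not_found_re: Optional[str] = None) -> Dict[str, List[str]]:
    """List-based scan that recurses into directories it finds. A directory
    whose baselines are all 403 is reported as blocked rather than brute forced,
    because nothing inside it can be told apart from the error page."""
    found: List[str] = []
    blocked: List[str] = []
    queue = [(start, 0)]
    while queue:
        directory, depth = queue.pop(0)
        bases = {ext: baseline(fetch, directory, ext) for ext in ["/", *exts]}
        if all(status == 403 for status, _ in bases.values()):
            blocked.append(directory)
            continue
        for word in words:
            sub = f"{directory}{word}/"
            if classify(fetch, sub, bases["/"], not_found_re) == "found":
                found.append(sub)
                if depth < max_depth:
                    queue.append((sub, depth + 1))
            for ext in exts:
                candidate = f"{directory}{word}{ext}"
                if classify(fetch, candidate, bases[ext], not_found_re) == "found":
                    found.append(candidate)
    return {"found": found, "blocked": blocked}


if __name__ == "__main__":
    words = ["admin", "images", "backup", "config", "login", "logo", "index", "test"]
    print(scan(fake_server, words))
```

Against the constructed site this reports /admin/, /images/, /backup/, /config.php and /images/logo.png as found and /admin/ as blocked. Note that /config.php is only spotted because its empty body differs from the normalised .php error page; with a single site-wide baseline the .php soft 404 would have masked it, which is the reason for keeping one base case per directory and extension.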

Slide 12: Demo

Slide 13: Summary
- DirBuster is an offensive tool
- Helps find new attack vectors
- Lots of features to help get accurate results

Slide 14: Questions?
