On Mon, 23 Feb 2009, Paul Wise wrote:
> On Mon, Feb 23, 2009 at 10:27 AM, Ron Johnson <ron.l.john...@cox.net> wrote:
> > But what (besides web crawling) is the (legal) purpose of that? And why
> > does it need a word list?
>
> Presumably it is a useful tool as part of a security professional's
> penetration testing toolbox?

Testing for these sorts of issues is almost certainly best done from the other side by examining configurations of "hidden but not password protected directories" instead of trying to brute force them with results limited by your wordlist and patience.

That said, it's not like there's anything in this piece of software that is more than generating a set of URLs and shoving them at HEAD or curl or similar and trapping the results, so it seems kind of trivial and ripe for an inclusion in a larger collection of penetration testing tools unless it has a particular novel method of generating a wordlist.

It'd also be best if this package didn't refer to invented terminology like "forced browsing" and instead said what it actually does (return the subset of HEAD requests that return 200 from a generated wordlist).

Don Armstrong

--
But if, after all, we are on the wrong track, what then? Only disappointed human hopes, nothing more. And even if we perish, what will it matter in the endless cycles of eternity?
 -- Fridtjof Nansen _Farthest North_ p152

http://www.donarmstrong.com http://rzlab.ucr.edu
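
A sketch of the configuration-side check suggested in the message above, as an added example that is not part of the original thread or of the package under discussion. It assumes Apache httpd 2.4 `<Directory>` syntax (the thread names no server), judges each block on its own directives without modelling inheritance or `.htaccess`, and uses a constructed sample config; `audit` and `intended_public` are hypothetical names.

```python
import re

# Constructed sample in Apache httpd 2.4 syntax (assumed; the thread names no server).
SAMPLE_CONF = '''
<Directory "/var/www/html">
    Require all granted
</Directory>
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
<Directory "/var/www/html/backup-2009">
    Options +Indexes
    Require all granted
</Directory>
<Directory "/var/www/html/internal">
    # office network only
    Require ip 10.0.0.0/8
</Directory>
'''

BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def audit(conf, intended_public):
    """Return (path, listing_enabled) for blocks served without any access control."""
    findings = []
    for path, body in BLOCK.findall(conf):
        lines = [l.split() for l in body.splitlines()]
        directives = [(w[0].lower(), " ".join(w[1:]).lower())
                      for w in lines if w and not w[0].startswith("#")]
        requires = [arg for name, arg in directives if name == "require"]
        has_auth = any(name == "authtype" for name, _ in directives)
        # Unprotected: no authentication and nothing narrower than "all granted".
        # A block with no Require at all is also flagged, since inheritance is not modelled.
        unprotected = not has_auth and all(r == "all granted" for r in requires)
        listing = any(name == "options" and re.search(r"(^|\s)\+?indexes\b", arg)
                      for name, arg in directives)
        if unprotected and path.rstrip("/") not in intended_public:
            findings.append((path, listing))
    return findings

if __name__ == "__main__":
    for path, listing in audit(SAMPLE_CONF, {"/var/www/html"}):
        print(f"{path}: no access control" + (", directory listing on" if listing else ""))
```

Unlike a wordlist probe, this reports every unprotected directory the configuration declares, whatever its name.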