Showing posts with label directory traversal. Show all posts

Wednesday, September 17, 2014

DotDotPwn on GitHub and in the OWASP Testing Guide v4.0

It's an honour to be listed in the latest release of the OWASP Testing Guide 4.0 as one of the tools to test Web applications against the Path Traversal vulnerability . In other ~~(削除) old (削除ここまで)~~ news, DotDotPwn was included in Kali Linux and BlackArch Linux (an Arch-based distro for pentesters & researchers).

Since time ago, Eldar '@Wireghoul' Marcussen (http://www.justanotherhacker.com), has been supporting this project a lot by adding new functionalities and payloads as well as fixing some bugs. THANKS !!!

That said, we strongly recommend to download and use the latest enhanced DotDotPwn ~~(削除) on steroids (削除ここまで)~~ from his github repositoryat:

https://github.com/wireghoul/dotdotpwn

For the desperate:
$ git clone https://github.com/wireghoul/dotdotpwn.git
$ cd dotdotpwn
$ ./dotdotpwn.pl

Happy ../../../Path/../Traversal/../Fuzzing !
Ch33rs ! B-]

at 5:00 PM

Labels: appsec, chr1x, cybersec, development, directory traversal, dotdotpwn, fuzzer, fuzzing, github, hacking, infosec, mexico, nitr0us, OWASP, path traversal, programming, security, software, web, wireghoul

Wednesday, March 27, 2013

New Contributions to DotDotPwn !

We're happy to announce these two great contributions to DotDotPwn - The Traversal Directory Fuzzer.

The 1st one was from Eldar 'Wireghoul' Marcussen (http://www.justanotherhacker.com), who added support for SSL, zlib compression and removed the HTTP::Lite dependancy.
You can get a copy from:

https://github.com/wireghoul/dotdotpwn

Today, 27/03/13, we received another contribution from Bryan Alexander (http://forelsec.blogspot.com), who added the -C feature to continue the fuzzing process instead of die() in case of the Web server doesn't respond any request.
You can get a copy from (it also includes the SSL feature by Wireghoul):

https://github.com/hatRiot/dotdotpwn

Thanks a lot for the support guys !

Happy ../../../directory/traversal/ Fuzzing

Cheers ! B-)

at 11:41 AM

Labels: application, chr1x, development, directory traversal, dotdotpwn, fuzzing, hacker, hacking, mexico, nitr0us, security, software, ssl, testing, traversal

Friday, February 3, 2012

NEW RELEASE: DotDotPwn v3.0

We are pleased to present the new version of our Directory Traversal fuzzer!

DotDotPwn v3.0

Version: DotDotPwn v3.0
Release date: 03/Feb/2012 (Release at BugCon Security Conferences 2012)

Changes / Enhancements / Features:

-X switch that implements the Bisection Algorithm in order to detect the exact deepness once a directory traversal vulnerability has been found. - http://en.wikipedia.org/wiki/Bisection_method
-M switch to specify another method different from the default (GET) when the http module is used.
Other HTTP methods are [POST | HEAD | COPY | MOVE]
-e switch to specify the file extension to be appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
New dots & slashes encodings (fuzz patterns) based on: https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode and http://wikisecure.net/security/uri-encoding-to-bypass-idsips

Supported modules:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT

Feel free to download this new release from the following sites: