intruxxer / zaproxy

Automatically exported from code.google.com/p/zaproxy

Sub-domain Discovery Feature #562

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I'd like ZAP to be able to discover common sub-domains of the targeted site.

Maybe not like an in-depth brute force scan, but to check out common domains such as mobile.target, m.target that tend to be forgotten when pen-testing and to be more buggy.

Original issue reported on code.google.com by gr...@buguroo.com on 14 Mar 2013 at 8:52

GoogleCodeExporter commented 9 years ago
This could also check for http versions of https sites, which would be very 
handy :)

Original comment by psii...@gmail.com on 14 Mar 2013 at 8:58

GoogleCodeExporter commented 9 years ago
I like this idea; however, I think it would be prudent to ensure that such a feature is not on by default (or only does look-ups and does not trigger any active testing without explicit interaction/direction).

Often there are very specific in-scope and out-of-scope things for VA or 
PenTest projects. Simply identifying things via DNS or other public info isn't 
a big deal but it could be a big deal to test a sub-domain which isn't actually 
in-scope of a contract etc.

So even if "target" is in-scope, that doesn't necessarily mean that mobile.target, m.target, or target.mobi, etc. are.

The original request might be facilitated by integration with a tool such as 
Fierce Domain Scan (http://ha.ckers.org/fierce/).

If you're going to build something new to accomplish this then I suggest:

1) Try a zone transfer (obvious).
2) Do forward and reverse look-ups (names to IPs and IPs back to names sometimes gives you different details).
3) Try brute forcing with a list, similar to Forced Browsing (provide default lists but also allow custom lists). There is a Netcraft survey which provides a list of top 100 Internet Host Names (the original source nw.com now redirects elsewhere; however, a copy of the original is available via the 'way back machine': http://web.archive.org/web/20090305043104/http://nw.com/zone/WWW/firstnames.html).
4) Do look-ups via various online IP or Domain neighbor tools. (Only look-ups, don't want to test something we shouldn't.)

Original comment by kingtho...@gmail.com on 14 Mar 2013 at 2:24
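The comment above sketches steps 2 and 3 (forward/reverse look-ups and a candidate list) and insists that discovery stay passive and respect the engagement scope. The following is an added example, not ZAP code or anything from this issue, written in Python rather than Java so the logic can be exercised without network access. The resolver callables, the `in_scope` suffix rule, the wildcard-DNS probe, and the sample DNS data (documentation range 192.0.2.0/24 under the reserved `.test` TLD) are all assumptions constructed for the example. Names learned from PTR records that fall outside the scope list are reported but never looked up further, which is the behaviour the comment asks for.

```python
"""Scope-gated sub-domain discovery: DNS look-ups only, no requests to the hosts."""
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Resolver callables are injected so the logic can be exercised offline with fakes
# (assumption of this example; a real extension would use the platform resolver).
ForwardResolver = Callable[[str], List[str]]      # name -> IPs, [] when it does not resolve
ReverseResolver = Callable[[str], Optional[str]]  # IP -> PTR name, None when absent


def system_forward(name: str) -> List[str]:
    """Forward look-up (A and AAAA) using the OS resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def system_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) look-up using the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def in_scope(name: str, scope: Iterable[str]) -> bool:
    """True when name equals, or is a sub-domain of, one of the in-scope suffixes."""
    n = name.rstrip(".").lower()
    for suffix in scope:
        s = suffix.rstrip(".").lower()
        if n == s or n.endswith("." + s):
            return True
    return False


def discover(target: str, labels: Iterable[str], scope: Iterable[str],
             forward: ForwardResolver = system_forward,
             reverse: ReverseResolver = system_reverse) -> Tuple[Dict[str, List[str]], List[str]]:
    """Forward look-ups of candidate labels under target, then reverse look-ups of the
    resulting IPs. Returns (in-scope names -> IPs, out-of-scope names seen via PTR).
    Out-of-scope names are reported only; they are never looked up further."""
    scope = list(scope)
    # Wildcard DNS check: if a random label resolves, every candidate will appear to
    # exist, so candidates whose IPs are all wildcard IPs are discarded as noise.
    probe = f"{secrets.token_hex(6)}.{target}"
    wildcard_ips: Set[str] = set(forward(probe))

    found: Dict[str, List[str]] = {}
    for label in labels:
        name = f"{label}.{target}"
        if not in_scope(name, scope):
            continue
        ips = forward(name)
        if ips and not set(ips) <= wildcard_ips:
            found[name] = ips

    out_of_scope: Set[str] = set()
    for name, ips in list(found.items()):
        for ip in ips:
            ptr = reverse(ip)
            if ptr is None or ptr in found:
                continue
            if in_scope(ptr, scope):
                ptr_ips = forward(ptr)
                if ptr_ips:
                    found[ptr] = ptr_ips
            else:
                out_of_scope.add(ptr)
    return found, sorted(out_of_scope)


# Constructed sample DNS data for the offline demo; these are not real hosts.
FAKE_FORWARD = {
    "www.example.test": ["192.0.2.10"],
    "m.example.test": ["192.0.2.11"],
    "mobile.example.test": ["192.0.2.11"],
    "edge1.example.test": ["192.0.2.10"],
}
FAKE_REVERSE = {
    "192.0.2.10": "edge1.example.test",            # in scope, absent from the candidate list
    "192.0.2.11": "shared.hosting-provider.test",  # out of scope: report, do not probe
}


def fake_forward(name: str) -> List[str]:
    return list(FAKE_FORWARD.get(name, []))


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_REVERSE.get(ip)


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Run discovery against the constructed data with a short candidate list."""
    return discover("example.test", ["www", "m", "mobile", "admin"], ["example.test"],
                    forward=fake_forward, reverse=fake_reverse)


if __name__ == "__main__":
    found, external = demo()
    for host, addrs in sorted(found.items()):
        print(f"{host:28} {', '.join(addrs)}")
    for host in external:
        print(f"out of scope (PTR only): {host}")
```

Swapping `fake_forward`/`fake_reverse` for the default `system_forward`/`system_reverse` runs the same logic against the real resolver; the scope list is the contract boundary, so anything that a PTR record points at but that is not under an in-scope suffix shows up only in the second return value.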

GoogleCodeExporter commented 9 years ago
The following might be of interest to whoever tackles this:

https://code.google.com/p/jsmbscanner/source/browse/

http://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html

Tagging as IdealFirstBug; now that Psiinon has published (or is about to publish) an intro to writing extensions, it "should" be fairly easy for someone to add at least some of this functionality.

Original comment by kingtho...@gmail.com on 13 Jul 2014 at 8:58

GoogleCodeExporter commented 9 years ago
psiinon I'm going to break off your request to check http access for https 
content as an active scan plugin.

Original comment by kingtho...@gmail.com on 7 Aug 2014 at 11:28

GoogleCodeExporter commented 9 years ago
Per previous comment see issue 1295.

Original comment by kingtho...@gmail.com on 7 Aug 2014 at 11:30

GoogleCodeExporter commented 9 years ago

Original comment by psii...@gmail.com on 3 Dec 2014 at 4:37

GoogleCodeExporter commented 9 years ago

Original comment by dan.mart...@gmail.com on 4 Dec 2014 at 8:21