So, just a quick note. monstream00 has just released a buby script that takes nmap results, throws them into Burp Suite, and then spiders those sites.
Check out his work over at his blog: http://monstream00.wordpress.com/2012/01/06/import-nmap-to-burp/
Good stuff and another example for anyone out there learning the ropes with buby.
I’ve been following the progress of the Web Exploitation Framework (wXf) for a while. It’s a cool idea with a ton of potential.
Recently cktricky has been putting out some great tutorials on using buby to extend and interact with Burp through wXf. The posts illustrate some of the flexibility of buby and just how easy it can be to integrate with wXf. I wanted to give it a try and thought I’d put a new spin on an old idea.
So, I went about implementing a custom wordlist creation module that would utilize the response data from the proxy history to pull words out of h1-h5, p, span, and title tags.
There are tools that produce a similar result, however they usually require that the tool spider the site. Spidering is far from perfect and when I’m assessing a web application I make a point of clicking every link and discovering every page manually. Why not use the information I already have?
The user can specify a minimum word length and gets output sorted and uniqued. Find the latest module here.
There’s nothing too fancy here, but I think it might be useful. Git pull the wXf, play with buby, write some modules and have fun!
Check out the buby posts over at Attack Research Blog.
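The extraction step described above (words from h1-h5, p, span and title tags, a minimum length, sorted and uniqued output), as an added example that is not the wXf module's own code. It assumes the response bodies have already been pulled out of the proxy history as strings, uses regex matching from the standard library rather than whatever parser the module uses, and the names `tag_text`, `build_wordlist` and `SAMPLE_BODIES` are hypothetical.

```ruby
require 'cgi'

# Tags named in the post; everything else in the response is ignored.
TAGS = %w[h1 h2 h3 h4 h5 p span title].freeze

# Constructed sample response bodies standing in for proxy-history entries.
SAMPLE_BODIES = [
  '<html><head><title>Acme Payroll Portal</title>' \
  '<script>var secretToken = 1;</script></head><body><h1>Welcome to Acme</h1>' \
  '<p>Manage <span class="x">timesheets</span> &amp; benefits</p></body></html>',
  '<h2>Quarterly Reports</h2><pre>ignored preformatted</pre><P>Contact the helpdesk</P>'
].freeze

# Return the visible text found inside each of TAGS in one response body.
def tag_text(body)
  # Proxy history can hold binary or mis-encoded bodies; replace bad bytes.
  html = body.to_s.dup.force_encoding(Encoding::UTF_8).scrub(' ')
  # Drop script/style blocks and comments so their contents never become words.
  html = html.gsub(%r{<(script|style)\b.*?</\1\s*>}mi, ' ').gsub(/<!--.*?-->/m, ' ')
  TAGS.flat_map do |tag|
    html.scan(%r{<#{tag}\b[^>]*>(.*?)</#{tag}\s*>}mi).map do |(inner)|
      # Strip nested markup, decode entities, discard any entity left over.
      CGI.unescapeHTML(inner.gsub(/<[^>]+>/, ' ')).gsub(/&#?\w+;/, ' ')
    end
  end
end

# Build a sorted, de-duplicated wordlist from many bodies (case is preserved).
def build_wordlist(bodies, min_length = 4)
  bodies.flat_map { |body| tag_text(body) }
        .flat_map { |text| text.scan(/[[:alnum:]]+(?:['-][[:alnum:]]+)*/) }
        .select { |word| word.length >= min_length }
        .uniq
        .sort
end

puts build_wordlist(SAMPLE_BODIES, 5) if $PROGRAM_NAME == __FILE__
```

Text nested inside a matched tag (the `span` inside the `p` above) is seen twice and collapsed by `uniq`; `pre` and `script` content never reaches the list.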