Sensepost just released Wikto 1.6, an advanced Web Assessment Tool (or web hacking tool if you prefer it that way) that uses the Nikto db, the Google Hack DB and a "fuzzy metric" to find vulnerabilities and penetrate into web applications. It also uses Net-Square's httprint for web server fingerprinting and HTTrack for offline mirroring.
One of the best things about Wikto is its directory and file discovery technique. The technique is called "fuzzy metric": the response to a request is compared against a database of responses to similar requests and a calculation is performed. The result of the calculation determines whether a file or directory exists. For example, the following query is sent:
http://mel.icious.net/foobar.pl - this will return a 404 and the result will be given a value, say 0.75.
Subsequent queries are then sent, for example:
http://mel.icious.net/admin (score: 0.75)
http://mel.icious.net/test (score: 0.75)
http://mel.icious.net/backup (score: 1.27)
For the first two, we know that the directories do not exist because the values are similar to the initial query - however, querying for backup gives a different value, and this is something interesting.
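To make the scoring idea concrete, here is a small added example of the comparison step (my own illustration, not code from Wikto or SensePost, and not Wikto's actual formula, which the post does not spell out). It uses a plain difflib similarity ratio as the "fuzzy" measure, treats a status-code mismatch as maximally different, and strips the requested path from each body so a custom 404 page that echoes the path does not look different for every request. All responses are constructed inline; nothing is fetched from the network.

```python
import difflib
import re

# Constructed sample responses standing in for what a scanner would see
# for the requests discussed above. (status_code, body) pairs; not captured
# from any real host.
BASELINE_404 = (404, "<html><title>Not Found</title><body>No such page: /foobar.pl"
                     "<br>Contact the webmaster.</body></html>")

RESPONSES = {
    # Same custom 404 page with the path echoed: should score as "missing".
    "/admin":  (404, "<html><title>Not Found</title><body>No such page: /admin"
                     "<br>Contact the webmaster.</body></html>"),
    "/test":   (404, "<html><title>Not Found</title><body>No such page: /test"
                     "<br>Contact the webmaster.</body></html>"),
    # Different status and a directory listing: clearly interesting.
    "/backup": (200, "<html><title>Index of /backup</title><body>"
                     "<a href='db.sql'>db.sql</a><a href='site.tar'>site.tar</a>"
                     "</body></html>"),
    # Same 404 status but a different body: the fuzzy part catches this too.
    "/old":    (404, "<html><title>Gone</title><body>This section was archived. "
                     "See /archive for the new location.</body></html>"),
}


def normalize(body, path):
    # Remove the echoed request path and collapse whitespace so only the
    # real page content takes part in the comparison.
    body = body.replace(path, "")
    return re.sub(r"\s+", " ", body).strip()


def distance(baseline, response, baseline_path, path):
    """0.0 = identical to the known-missing baseline, 1.0 = nothing in common."""
    b_status, b_body = baseline
    r_status, r_body = response
    if b_status != r_status:
        return 1.0
    ratio = difflib.SequenceMatcher(
        None, normalize(b_body, baseline_path), normalize(r_body, path)
    ).ratio()
    return round(1.0 - ratio, 3)


def classify(baseline, baseline_path, responses, threshold=0.2):
    """Map each path to ('missing' | 'interesting', distance).

    The threshold is an assumed tuning value: anything whose distance from
    the baseline 404 exceeds it is flagged for a closer look.
    """
    results = {}
    for path, resp in responses.items():
        d = distance(baseline, resp, baseline_path, path)
        results[path] = ("interesting" if d > threshold else "missing", d)
    return results


if __name__ == "__main__":
    for path, (verdict, d) in classify(BASELINE_404, "/foobar.pl", RESPONSES).items():
        print(f"{path:10s} distance={d:.3f} -> {verdict}")
```

The point of the baseline request for a name that certainly does not exist is that the scanner learns what "missing" looks like on this particular server, so a site that answers every unknown path with a 200 and a friendly page still yields a usable reference. From the defender's side the same property explains why serving a uniform, path-independent error page does not hide existing content: anything that produces a genuinely different response still stands out.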
There are also a lot of other features in Wikto - I have yet to try it out since I don't have a Windows box handy and I don't have enough Mono/C# skills to compile the source code yet.
Charl gave a very interesting presentation about web security assessment, which includes an introduction to Wikto, at Bellua BCS 2005, and I think that his presentation was the best in the technical track. And he's a nice fella too. He helped us with the CtF setup in Jakarta. You can find his presentation here (PDF, 36MB).