OWASP - User contributions [en]

Talk:Ebug

2018-12-18T00:16:10Z

Mr Craig Fox: uodate

I will soon discuss some exploits for this with some PoC code.

Ebug

2018-12-17T23:04:42Z

Mr Craig Fox: typo's

== Before reading further, please watch the video tutorial [https://www.youtube.com/watch?v=eCcjRmspU2w here] ==

===== What is an ebug/email beacon? =====

An ebug is a way for an attacker to send a malicious email to a victim in order to steal information on them (such as IP address, Operating system, Browser information and more). This is done by hiding server side code within a hidden image reference of an email body. Once the victim opens the message, without needing any interaction it will send information back to the attacker and they're completely unaware of this process.

===== Scenario: =====

John doe is having an argument with Mr genius over the phone, Mr genius decides he wants to hack john and cause as much mayhem as he possibly can, but Mr Genius has no point of reference. He sends en ebug to John doe via email, he gets his WAN IP address and breaks into his machine and deletes all his data - John is gutted.

===== OK, how to create/setup an Ebug? =====

* Install [https://www.apachefriends.org/index.html XAMPP]
* Setup Apache to run on your port of choice and start it
* Open that port within the firewall on the machine the server is running on
* Port forward to that on your router
* Check that the outside world can access it across the WAN, [http://www.canyouseeme.org/ Can You See Me] is good for this
* Go to your root web directory once the server is up 'n running on it's default page, on Linux this will likely be /opt/lampp/htdocs (tip you'll need to set read/write permissions!)
* Then, get rid of the default stuff, and you want to create 4 files:

1 image.jpg

This is what the victim may see if you choose to show them an image, regardless you'll want this as a reference point, basically your exploit URL is going to be http(s)://example.com:port/image.jpg

2 .htaccess file

Here you're going to want [http://httpd.apache.org/docs/current/mod/mod_rewrite.html mod_rewrite] a simple example I've provided below is sending from test.jpg to evil.php
RewriteEngine on
RewriteRule ^/?test.jpg$ evil.php [L]

Tip: This will likely create as a hidden file, so ensure you enable the viewing of hidden files!

3 a log file

NOTE: my next example (php file) creates a log file for you.

4 evil.php

This is where all your PHP code goes, so whatever you want to do to the victim goes here. Below is an example of getting the visited page, WAN IP and user agent of the victim which creates/updates a log file for you:

See [https://pastebin.com/krpEDe7m HERE] for my php script

==== OK, i'm setup, how do I test it? ====

Now you're setup, the first and easiest way to test it's working is by visiting the image across the WAN, ie; http(s)://example.com:port/image.jpg if this works, you should get a log file each time you visit this site. If not retrace your steps and perform some troubleshooting.

==== How do I email it to my victim? ====

This can be as simple or complex as you want. But the basic principle here is you want to embed the inline image in a 1x1 pixel reference (simple, a hidden image) this loads/renders when the target opens the email. Something like:

<img src="data:image/png;base64,imagebase64data"/>

An easier way, when using a web based email platform like Gmail or OWA, you can insert an "approved" inline image, and then modify the image reference source, a quick way to do that in Firefox is to right click the image, Inspect Element (Q), and change the image URL to your own, as demonstrated in [https://www.youtube.com/watch?v=eCcjRmspU2w the video].

OK that about wraps things up, thanks for reading -[[User:Mr_Craig_Fox|Craig Fox]]

Ebug

2018-12-17T22:51:42Z

Mr Craig Fox: creation

== Before reading further, please watch the video tutorial [https://www.youtube.com/watch?v=eCcjRmspU2w here] ==

===== What is an ebug/email becon? =====

An ebug is a way for an attacker to send a malicious email to a victim in order to steal information on them (such as IP address, Operating system, Browser information and more). This is done by hiding server side code within a hidden image reference of an email body. Once the victim opens the message, without needing any interaction it will send information back to the attacker and they're completely unaware of this process.

===== Scenario: =====

John doe is having an argument with Mr genius over the phone, Mr genius decides he wants to hack john and cause as much mayhem as he possibly can, but Mr Genius has no point of reference. He sends en ebug to John doe via email, he gets his WAN IP address and breaks into his machine and deletes all his data - John is gutted.

===== OK, how to create/setup an Ebug? =====

* Install [https://www.apachefriends.org/index.html XAMPP]
* Setup Apache to run on your port of choice and start it
* Open that port within the firewall on the machine the server is running on
* Port forward to that on your router
* Check that the outside world can access it across the WAN, [http://www.canyouseeme.org/ Can You See Me] is good for this
* Go to your root web directory once the server is up 'n running on it's default page, on Linux this will likely be /opt/lampp/htdocs (tip you'll need to set read/write permissions!)
* Then, get rid of the default stuff, and you want to create 4 files:

1 image.jpg

This is what the victim may see if you choose to show them an image, regardless you'll want this as a reference point, basically your exploit URL is going to be http(s)://example.com:port/image.jpg

2 .htaccess file

Here you're going to want [http://httpd.apache.org/docs/current/mod/mod_rewrite.html mod_rewrite] a simple example I've provided below is sending from test.jpg to evil.php
RewriteEngine on
RewriteRule ^/?test.jpg$ evil.php [L]

Tip: This will likely create as a hidden file, so ensure you enable the viewing of hidden files!

3 a log file

NOTE: my next example (php file) creates a log file for you.

4 evil.php

This is where all your PHP code goes, so whatever you want to do to the victim goes here. Below is an example of getting the visited page, WAN IP and user agent of the victim which creates/updates a log file for you:

See [https://pastebin.com/krpEDe7m HERE] for my php script

==== OK, i'm setup, how do I test it? ====

Now you're setup, the first and easiest way to test it's working is by visiting the image across the WAN, ie; http(s)://example.com:port/image.jpg if this works, you should get a log file each time you visit this site. If not retrace your steps and perform some troubleshooting.

==== How do I email it to my victim? ====

This can be as simple or complex as you want. But the basic principle here is you want to embed the inline image in a 1x1 pixel reference (simple, a hidden image) this loads/renders when the target opens the email. Something like:

<img src="data:image/png;base64,imagebase64data"/>

An easier way, when using a web based email platform like Gmail or OWA, you can insert an "approved" inline image, and then modify the image reference source, a quick way to do that in Firefox is to right click the image, Inspect Element (Q), and change the image URL to your own, as demonstrated in [https://www.youtube.com/watch?v=eCcjRmspU2w the video].

OK that about wraps things up, thanks for reading -[[User:Mr_Craig_Fox|Craig Fox]]

OWASP URL Checker

2018-12-17T17:44:42Z

Mr Craig Fox: minor tweak

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP URL Checker==

Screen shot:

[[File:urlscanscreen.jpeg|link=]]

==Introduction==

An open source editable tool to scan websites for URL's which may lead to information divulging, exploits and common attack patterns.

==Description==

This tool will check a user defined website for potentially exploitable/ vulnerable URL's by comparing them against the URL extensions in the database, for instance if your target is http://google.com and in the database you have /wp-login.php it would then check if: http://google.com/wp-login.php is available on that site by checking the response. It's a form of of scanning to help you exploit and find weaknesses within the web server. The first time you run the tool it will create a database "restuls.txt" for you, and add a few URL parameters to get you started. But you can add to or change the database as much as you wish and therefore, it's as powerful as you'd like it to be. It gives you real time feedback and the option to save all the successful results. You'll also be happy to know it's open source, and I've also included a win32 compiled version (requires .NET 3.5+).

==Licensing==
OWASP URL Checker is free to use. It is licensed under the GNU GPL v3 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is URL Checker? ==

OWASP URL Checker provides:

* .exe (executable) and *.cpp (source)

== Project Leader ==

[mailto:craig.fox@owasp.org Craig Fox (OWASP email)]

== Quick Download ==

[http://www.softpedia.com/dyn-postdownload.php/fe910f128856e49ea01d2e3fcb37a1bc/53a9f7bf/3c191/4/1 Softpedia Secure Download (US)]

[http://www.softpedia.com/dyn-postdownload.php/01b1561b5c70dbe4d9b4baf606d47604/53a9f7bf/3c191/5/1 Softpedia Secure Download (UK)]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

Coming soon

= Acknowledgements =

==Volunteers==
URL Checker is developed by a worldwide team of volunteers. The primary contributors to date have been:

Lead developer [https://www.owasp.org/index.php/User:Mr_Craig_Fox Craig Fox]

==Others==

TBC

= Road Map and Getting Involved =
As of June 2014, the priorities are:
*

Involvement in the development and promotion of URL Checker is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

Build upon the source, ensuring it's approved, tested and original credits are maintained.
Use in testing, give feedback and distribute as much as possible
Contribute ideas and suggestions

=Project About=
{{:Projects/OWASP_URL_Checker_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP URL Checker

2018-12-17T17:28:19Z

Mr Craig Fox: removal of old site

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP URL Checker==

Screen shot:

[[File:urlscanscreen.jpeg|link=]]

==Introduction==

An open source editable tool to scan websites for URL's which may lead to information divulging, exploits and common attack patterns.

==Description==

This tool will check a user defined website for potentially exploitable/ vulnerable URL's by comparing them against the URL extensions in the database, for instance if your target is http://google.com and in the database you have /wp-login.php it would then check if: http://google.com/wp-login.php is available on that site by checking the response. It's a form of of scanning to help you exploit and find weaknesses within the web server. The first time you run the tool it will create a database "restuls.txt" for you, and add a few URL parameters to get you started. But you can add to or change the database as much as you wish and therefore, it's as powerful as you'd like it to be. It gives you real time feedback and the option to save all the successful results. You'll also be happy to know it's open source, and I've also included a win32 compiled version (requires .NET 3.5+). Video tutorial here http://youtu.be/yvc4q7YWpdo

==Licensing==
OWASP URL Checker is free to use. It is licensed under the GNU GPL v3 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is URL Checker? ==

OWASP URL Checker provides:

* .exe (executable) and *.cpp (source)

== Project Leader ==

[mailto:craig.fox@owasp.org Craig Fox (OWASP email)]

== Quick Download ==

[http://www.softpedia.com/dyn-postdownload.php/fe910f128856e49ea01d2e3fcb37a1bc/53a9f7bf/3c191/4/1 Softpedia Secure Download (US)]

[http://www.softpedia.com/dyn-postdownload.php/01b1561b5c70dbe4d9b4baf606d47604/53a9f7bf/3c191/5/1 Softpedia Secure Download (UK)]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

Coming soon

= Acknowledgements =

==Volunteers==
URL Checker is developed by a worldwide team of volunteers. The primary contributors to date have been:

Lead developer [https://www.owasp.org/index.php/User:Mr_Craig_Fox Craig Fox]

==Others==

TBC

= Road Map and Getting Involved =
As of June 2014, the priorities are:
*

Involvement in the development and promotion of URL Checker is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

Build upon the source, ensuring it's approved, tested and original credits are maintained.
Use in testing, give feedback and distribute as much as possible
Contribute ideas and suggestions

=Project About=
{{:Projects/OWASP_URL_Checker_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP URL Checker

2018-12-17T17:27:27Z

Mr Craig Fox: removal of invalid URL's

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP URL Checker==

Screen shot:

[[File:urlscanscreen.jpeg|link=]]

==Introduction==

An open source editable tool to scan websites for URL's which may lead to information divulging, exploits and common attack patterns.

==Description==

This tool will check a user defined website for potentially exploitable/ vulnerable URL's by comparing them against the URL extensions in the database, for instance if your target is http://google.com and in the database you have /wp-login.php it would then check if: http://google.com/wp-login.php is available on that site by checking the response. It's a form of of scanning to help you exploit and find weaknesses within the web server. The first time you run the tool it will create a database "restuls.txt" for you, and add a few URL parameters to get you started. But you can add to or change the database as much as you wish and therefore, it's as powerful as you'd like it to be. It gives you real time feedback and the option to save all the successful results. You'll also be happy to know it's open source, and I've also included a win32 compiled version (requires .NET 3.5+). Video tutorial here http://youtu.be/yvc4q7YWpdo

==Licensing==
OWASP URL Checker is free to use. It is licensed under the GNU GPL v3 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is URL Checker? ==

OWASP URL Checker provides:

* .exe (executable) and *.cpp (source)

== Project Leader ==

[mailto:craig.fox@owasp.org Craig Fox (OWASP email)]

== Related Projects ==

Visit Dreamwalker software page [http://www.dreamwalker-software.com/software.html here]

== Quick Download ==

[http://www.softpedia.com/dyn-postdownload.php/fe910f128856e49ea01d2e3fcb37a1bc/53a9f7bf/3c191/4/1 Softpedia Secure Download (US)]

[http://www.softpedia.com/dyn-postdownload.php/01b1561b5c70dbe4d9b4baf606d47604/53a9f7bf/3c191/5/1 Softpedia Secure Download (UK)]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

Coming soon

= Acknowledgements =

==Volunteers==
URL Checker is developed by a worldwide team of volunteers. The primary contributors to date have been:

Lead developer [https://www.owasp.org/index.php/User:Mr_Craig_Fox Craig Fox]

==Others==

TBC

= Road Map and Getting Involved =
As of June 2014, the priorities are:
*

Involvement in the development and promotion of URL Checker is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

Build upon the source, ensuring it's approved, tested and original credits are maintained.
Use in testing, give feedback and distribute as much as possible
Contribute ideas and suggestions

=Project About=
{{:Projects/OWASP_URL_Checker_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

User:Mr Craig Fox

2018-12-17T08:41:40Z

Mr Craig Fox: General update with URL's.

Craig Fox started programming and became interested information security since his early twenties and has been heavily involved since. For more information, see some of the below external links:

[https://bugcrowd.com/MrCraigFox Bug Crowd]

[https://www.linkedin.com/in/w00t/ LinkedIn]

[https://www.indiedb.com/members/foxygamesindiedb/games IndieDB]

[https://pastebin.com/u/Foxy1986 PasteBin]

Manchester

2014-08-22T10:40:09Z

Mr Craig Fox:

{{Chapter Template|chaptername=Manchester|extra=

This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter.

Follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter.
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}

= Next Meeting =
'''Date:''' Monday 8th September 2014

'''Location:''' PwC (@PwC_North) (TBC)

'''Sponsors:''' Pentest

'''Registration:''' TBC

'''Speakers:''' Rich Moore, XML External Entities; Craig Fox, Social Engineering

'''Talk: Manipulation 101 (Social engineering)'''

This talk will teach you about social engineering from basic concepts to real life examples, it will discuss why it's so powerful, relevance to penetration testing, common targets in a corporate environment and how, if at all possible it can be prevented - providing a brief, yet fully scoped introduction to the art of human manipulation.

'''Speaker: Craig Fox'''

Craig started researching IT Security and programming within his early teen years and later pursued a career within these fields doing multiple courses and various relevant jobs. He setup his own software company in 2009 [http://www.dreamwalker-software.com/ Dreamwalker Software] and had his security tools featured on many infosec websites and Pentest magazine and has also created the [https://www.owasp.org/index.php/OWASP_URL_Checker OWASP URL Checker].

Several months back he joined [http://www.pentest.co.uk/ Pentest ltd] as a penetration tester which has enabled him to learn a lot and respectively put his training and experience to practice in live testing which is incredibly challenging yet fun.

'''Schedule and details to be confirmed.'''

OWASP is a non-commercial volunteer led organization. If you find the networking, talks or content useful, please consider whether you can help out in providing facilities, locations, talks or a donation to the cause. Thanks. If you would like to talk at future meetings, or know someone who may be interested, then please get in touch via the mailing list or one of the chapter leaders. If you have any requests or ideas for topics we would also love to hear from you.

= Upcoming Events =
We plan to hold quarterly events but the precise date may not be confirmed (TBC), in which case the list below gives the date of the week commencing (w/c).

* 13th May 2014
* w/c 11th August TBC
* w/c 10th November TBC
* w/c 9th February TBC

Please get in touch if you would like to speak at a Manchester event, or can help out in providing facilities, locations, talks or a donation to the cause - we would be delighted to hear from you.

Everyone is welcome to join us at our chapter meetings.

= Past Events =

'''2014 Dates'''

[[2014_05_13_Manchester|13th May]]

[[2014_02_27_Manchester|27th February]]

'''2013 Dates'''

[[2013_04_30_Manchester|30th April]]

'''2012 Dates'''

[[2012_09_11_Manchester|11th September]]

[[2012_05_30_Manchester|30th May]]

[[2012_02_01_Manchester|1st February]]

'''2011 Dates'''

[[2011_11_16_Manchester|16th November]]

[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter

[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter

'''2010 Dates'''

[[8th_December_Leeds|8th December]] As part of the Leeds Chapter

= Chapter Leaders =

The chapter leaders are:

* [[User:Simon Bennetts|Simon Bennetts]]
* [[User:Simon Ward|Simon Ward]]
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]
* Ben Fountain
* Ben Ramduny

We are actively seeking more chapter leaders - please get in touch if you would like to become one!

= Sponsorship =

We are looking for organizations to sponsor the Manchester chapter.

You can sponsor the chapter for one year at the following levels:
* £300 Silver
* £600 Gold
* £1200 Platinum

You can also sponsor a meeting by hosting the event or donating £100.

If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.

= Local Organizations =

Other related organizations in the Manchester area:

* [http://manchester.bcs.org/ BCS Manchester]
* [http://geekup.org/ GeekUp]
* [http://madlab.org.uk/ MadLab]
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]
* [http://www.manlug.org/ Manchester Linux Users Group]
* [http://nuksg.org/ Northern UK Security Group]
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]

Please get in touch with one of the chapter leaders to get your organization listed here.

And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.

__NOTOC__ <headertabs />

[[Category:OWASP Chapter]]
[[Category:United Kingdom]]

OWASP URL Checker

2014-06-24T22:58:31Z

Mr Craig Fox:

OWASP URL Checker

2014-06-24T22:56:21Z

Mr Craig Fox:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP URL Checker==

Screen shot:

[[File:urlscanscreen.jpeg|link=]]

==Introduction==

An open source editable tool to scan websites for URL's which may lead to information divulging, exploits and common attack patterns.

==Description==

This tool will check a user defined website for potentially exploitable/ vulnerable URL's by comparing them against the URL extensions in the database, for instance if your target is http://google.com and in the database you have /wp-login.php it would then check if: http://google.com/wp-login.php is available on that site by checking the response. It's a form of of scanning to help you exploit and find weaknesses within the web server. The first time you run the tool it will create a database "restuls.txt" for you, and add a few URL parameters to get you started. But you can add to or change the database as much as you wish and therefore, it's as powerful as you'd like it to be. It gives you real time feedback and the option to save all the successful results. You'll also be happy to know it's open source, and I've also included a win32 compiled version (requires .NET 3.5+). Video tutorial here http://youtu.be/yvc4q7YWpdo

==Original source code upon release==

<pre>
#include<windows.h>
#include<iostream>
#include<fstream>
#include<string>
#include<wininet.h>
#include <limits>

using namespace std;
#pragma comment (lib, "wininet.lib")

//Simple function to return a bool value to check whether URL is valid
bool ValidURL(string url)
{
bool result = false;

HINTERNET hSession = InternetOpen("ValidURL", INTERNET_OPEN_TYPE_PRECONFIG, 0, 0, 0);
if (hSession != 0)
{
HINTERNET hFile = InternetOpenUrl(hSession, url.c_str(), 0, 0, INTERNET_FLAG_RELOAD, 0);
if (hFile != 0)
{
int code = 0;
DWORD codeLen = sizeof(int);
HttpQueryInfo(hFile, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &code, &codeLen, 0);

result = code == HTTP_STATUS_OK || code == HTTP_STATUS_REDIRECT;

InternetCloseHandle(hFile);
}

InternetCloseHandle(hSession);
}

return(result);
}

int main()
{

//Just intro
SetConsoleTitle("Vulnerable URL checker 3.0 pentest edition by Dreamwalker");
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 7);
cout<<"----------------------------------------------------------------------------"<<endl;
cout<<"\tVulnerable URL checker v3.0 pentest edition coded by Dreamwalker"<<endl;
cout<<"\t\t\thttp://Dream-Walker.weebly.com/"<<endl;
cout<<"----------------------------------------------------------------------------"<<endl;

/*
This tool relies on the urls.txt file which is where is gets all the urls
from, essentially working like a database. Here we check if urls.txt exists.
If so, we continue to the scanning section, if not we create a new file and
add some basic URL extensions to it.
*/

cout<<"Checking database...";
ifstream reader("urls.txt",std::ios::in);
if(!reader.good())
{

cout<<"Database not found, writing a new one...";
ofstream writer("urls.txt",ios::app);

//write some basic url extensions to our new database
string defaulturls[20] = {"/robots.txt","/wp-login.php","/login/","/login.php","/admin.asp","/adm/",
"/admin/","/admin.php","/admin/home.php","/admin/cp.asp","/_vti_pvt/","/_vti_pvt/service.pwd","/_vti_inf.html","/cgi-bin/",
"/~root","/cache/","/sitemap.xml","/index.php?catid=","/index.php?id=","/login.shtml"};
for(int i = 0; i < 20; i++)
writer<<defaulturls[i]<<endl;
writer.close();

//wait 20 seconds, and inform user they need to restart so db can be loaded into mem correctly, then exit
cout<<"DONE\nA new database \"urls.txt\" has now been created, please restart this tool"<<endl;
cout<<"I will automatically close in 20 seconds..."<<endl;
Sleep(20000);
reader.close();
return 0;

}
if(!reader)
{
cout<<"\nError reading database, ensure urls.txt is in\n"
"the same directory as this application, if you do\n"
"and it still isn't working, try running this program\n"
"as Administrator as it could be an access error\n\nclosing..."<<endl;
Sleep(20000);
return-1;

}cout<<"DONE!"<<endl;

//-------------File handling all sorted---------------//

//!TODO: the file_url array param needs updating to the MAX allowed
string original_input_url, file_url[20000], full_url, successes;

cout<<"Enter full URL (ignore last forward slash, for instance http://google.com):\n>";
cin>>original_input_url;

//PERFORM INITIAL CHECK TO SEE IF URL IS VALID
cout<<"Performing check to see if website is valid"<<endl;

if(ValidURL(original_input_url) == false)
{
cout<<"Invalid URL, closing..."<<endl;
Sleep(10000);
return 0;
}
else cout<<"That worked, now scanning files/directories..."<<endl;
cout<<"\n##############################################################"<<endl;

//NOW SCAN FILES/DIRECTORIES
int i = 0;
while (!reader.eof())
{
i++;
getline(reader,file_url[i]);
full_url = original_input_url;
full_url += file_url[i];

if(ValidURL(full_url) == false)
{
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),12);
cout<<full_url<<" FAILED"<<endl;
}
else
{
SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE),10);
cout<<full_url<<" SUCCESS!"<<endl;
successes+=full_url+"\n";//store results for later saving
}

//temp: if url's are > 20000, then abort due to array bounds
if(i >= 20000)
{
cout<<"Maximum URL's allowed reached, aborting..."<<endl;
break;
}

}

SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 7);
cout<<"\n##############################################################\nFinished, do you want me to save the sucessful results? y/n:"<<endl;
string answer;
cin>>answer;

//
if((answer == "y") || (answer == "Y"))
{
ofstream writer2("results.txt");
if(!writer2)
{
cout<<"Error writing file!"<<endl;
return -1;
}
writer2<<successes<<endl;
writer2.close();
cout<<"OK, your results are saved in \"results.txt\""<<endl;
}

cout<<"Closing..."<<endl;

//sleep for a bit
reader.close();
Sleep(6000);

return 0;

}

</pre>

==Licensing==
OWASP URL Checker is free to use. It is licensed under the GNU GPL v3 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is URL Checker? ==

OWASP URL Checker provides:

* .exe (executable) and *.cpp (source)

== Project Leader ==

[mailto:craig.fox@owasp.org Craig Fox (OWASP email)]

[http://www.dreamwalker-software.com/ Dreamwalker Software]

[http://www.dream-walker.weebly.com/ DWS sub-domain]

[http://pentest.co.uk/index.html Pentest Ltd]

[https://www.facebook.com/Dreamwalker1986 fb profile]

== Related Projects ==

Visit Dreamwalker software page [http://www.dreamwalker-software.com/software.html here]

== Quick Download ==
[http://www.dreamwalker-software.com/uploads/2/5/3/9/25390328/url_checker_v3_pentest_edition.zip Direct download server #1]

[http://www.softpedia.com/dyn-postdownload.php/fe910f128856e49ea01d2e3fcb37a1bc/53a9f7bf/3c191/4/1 Softpedia Secure Download (US)]

[http://www.softpedia.com/dyn-postdownload.php/01b1561b5c70dbe4d9b4baf606d47604/53a9f7bf/3c191/5/1 Softpedia Secure Download (UK)]

== Email List ==
[https://lists.owasp.org/mailman/listinfo/owasp_url_checker Sign up!]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

Coming soon

= Acknowledgements =

==Volunteers==
URL Checker is developed by a worldwide team of volunteers. The primary contributors to date have been:

Lead developer [https://www.owasp.org/index.php/User:Mr_Craig_Fox Craig Fox]

==Others==

TBC

= Road Map and Getting Involved =
As of June 2014, the priorities are:
*

Involvement in the development and promotion of URL Checker is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

Build upon the source, ensuring it's approved, tested and original credits are maintained.
Use in testing, give feedback and distribute as much as possible
Contribute ideas and suggestions

=Project About=
{{:Projects/OWASP_URL_Checker_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP URL Checker

2014-06-24T22:31:27Z

Mr Craig Fox: Updated by tool author with links, further info etc

File:Urlscanscreen.jpeg

2014-06-24T22:26:59Z

Mr Craig Fox: