Tuesday, May 4, 2010

More on WebDAV Testing

Since the release of DAVTest, there have been two developments which seemed worth mentioning here:
  • Ryan Linn released a Metasploit module based on the DAVTest idea. Like DAVTest, it attempts to use mathematical operations to determine if code can execute on the web server.
  • Chris Gates posted a good article titled "More with Metasploit and WebDAV," which gives a nice tutorial on how to exploit misconfigured web servers using Ryan Linn's module with Metasploit. It also points out a nice trick feature with IIS/ASP.
I'm glad the idea of using simple/standard operations is spreading to other tools, as it's a really efficient way to determine what you can and can't do remotely via WebDAV. What we need are simple tests (and back-doors) in more server-side languages.

I'm going to try and whip up a new release of DAVTest in the next week or so, incorporating a few ideas from these guys, as well as a bit of housekeeping and other updates.


If you have suggestions for the next release or tests for more languages, reply here or send me an email.