OWASP Mantra’s MoC Crawler

November 11, 2011, by | Start Discussion

Hope all of you enjoyed Diwali.

This time we will be discussing about MoC Chrome Crawler, a crawler extension written in HaXe for Google Chrome platform.

Like any other crawler program it can be used to crawl web pages to find interesting resources and links including, but not limited to:-

  • Higher privilege pages like administrator pages
  • Important files and/or documents
  • Configuration files
  • Log Files etc.

The use of any tool is limited only by the imagination of the user, so this is going to be a demo which can show you how to use your imagination in such a way that even a simple tool can be used to its highest degree.

Currently OWASP Mantra Moc is not available in Matriux, however we will make sure it’s available by the time you are ready to go on! You have our promise and from team Mantra 😉

You can get MoC Pre Alpha either from the official website (http://www.getmantra.com/download/index.html) or you can access it from Arsenal > Framework > MoC.

After running MoC, you should activate the extension first. For this, click on Extensioner icon on the top right corner next to the address bar and then Network Utilities section.
 

Figure 1
 

 

Now you will be able to see a Chrome Crawler icon.

 Figure 2

 Right click on the Chrome Crawler icon and there you can customize:-
•    The file types you would like to be scanned
•    Whether scanning has to be paused while you are working with multiple tabs
•    The crawl depth or number of simultaneous page requests at any given time etc.
Save the settings once you have completed. configuring it.

 

 

 

Figure 3
Now let’s go ahead and crawl some web site to see how it works.
 
Figure 4
Nice, looks like we are lucky. An admin panel is there at /adminpanel
What’s next?

After getting hands dirty with some SQL command injections, we landed on to the administrative panel of the website. What else can be done with MoC other than this?

Well most of the times, automated security scanners generates a huge amount of traces to the server log. Especially input field fuzzing activities performed by these scanners are noisy and can make lots of entries in the server logs.

Figure 5
Here comes MoC crawler that can be used to automatically delete those big junk, just check the *delete* parameter as in this case it was example.org/adminpanel/registration_details.php?view=delete&sno=9127 and press crawl to delete those entries automatically.

Note: Sometimes because of JavaScript at the client side, crawling may not work.It will keep throwing back confirmation dialogues. So in that case to stop creating any pop-up messages just go to wrench menu -> options – > Under the Hood -> Content Settings -> and check “do not allow any site to run JavaScript” to disable JavaScript.

Figure 6
Do let us know your comments and queries at report@matriux.com

Also team Matriux is looking for enthusiasts to its new Project – A distribution focused on Malware interested folks can mail at report@matriux.com

Happy hacking 🙂

Team Matriux
http://matriux.com/

 

Twitter : @matriuxtig3r

 

 

 

 

 

Author bio not avialable

Leave a Reply