Posts Tagged ‘penetration testing’

Web Application Testing – Parsing Directory and File Listing

September 9, 2014

During web application testing, it is useful to get the directory and file listing of the root of the web application that you are testing so as to ensure complete coverage of the application.

You can use the command below to get a listing of the files and directories under the web application root:

ls -laR /var/www > cd-filelist.txt

I wrote a simple script to parse and convert the output so that I can pipe the URLs directly to Burpsuite.


The script can be found at


Below is an example of how you can use the script.

python -f cd-filelist.txt > filelist_out.txt

After running the command, you must edit filelist_out.txt and search/replace the web root path on each line with the FQDN of the website.

E.g. replace /var/www/html/ with

Next, start Burpsuite and point the proxy listener to port 8080.

The next line sends each URL in filelist_out.txt to Burpsuite using curl and xargs.

cat filelist_out.txt | xargs curl --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36" -k -x http://localhost:8080 >/dev/null 2>&1


Sit back and enjoy some coffee as this process could take some time.
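The parsing and search/replace steps described above can be done in one pass. The following is an added example, not the author's script: the function name listing_to_urls and the host app.example.test are assumptions, and it expects the default `ls -l` layout with three date fields.

```python
"""Convert `ls -laR` output into URLs (added example; not the author's script)."""
import posixpath
from urllib.parse import quote

# Constructed sample of `ls -laR /var/www/html` output (not real data).
SAMPLE = """\
/var/www/html:
total 16
drwxr-xr-x 3 root root 4096 Sep  9  2014 .
drwxr-xr-x 3 root root 4096 Sep  9  2014 ..
drwxr-xr-x 2 root root 4096 Sep  9  2014 admin
-rw-r--r-- 1 root root  612 Sep  9  2014 index.php
lrwxrwxrwx 1 root root   11 Sep  9  2014 latest -> index.php

/var/www/html/admin:
total 8
drwxr-xr-x 2 root root 4096 Sep  9  2014 .
drwxr-xr-x 3 root root 4096 Sep  9  2014 ..
-rw-r--r-- 1 root root  230 Sep  9  2014 old backup.sql
"""

def listing_to_urls(listing, web_root, base_url):
    """Map every file and directory in an `ls -laR` listing to a URL."""
    web_root = web_root.rstrip("/")
    base_url = base_url.rstrip("/")
    urls, current = [], None
    for line in listing.splitlines():
        if line.startswith("/") and line.endswith(":"):
            current = line[:-1]              # directory header, e.g. "/var/www/html:"
            continue
        # Long-format entry: mode, links, owner, group, size, 3 date fields, name.
        fields = line.split(None, 8)
        if current is None or len(fields) < 9 or fields[0][0] not in "-dl":
            continue                         # "total N", blank lines, other file types
        name = fields[8]
        if fields[0][0] == "l":
            name = name.split(" -> ", 1)[0]  # keep the link name, drop its target
        if name in (".", ".."):
            continue
        path = posixpath.join(current, name)
        if path != web_root and not path.startswith(web_root + "/"):
            continue                         # outside the web root, so not served
        if fields[0][0] == "d":
            path += "/"
        urls.append(base_url + quote(path[len(web_root):]))
    return urls

if __name__ == "__main__":
    print("\n".join(listing_to_urls(SAMPLE, "/var/www/html", "https://app.example.test")))
```

Because names are percent-encoded, files with spaces survive as single URLs; each output line can be written to filelist_out.txt without the manual search/replace.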

Speed Improvement for Metagoofil (Intelligence Gathering)

January 9, 2012

I made some speed bumps to the source code for metagoofil by adding in some threading code to speed up the downloading process.
The tests below were done on a VMware guest with 4GB of RAM and 1 processor (2 cores).

Results might vary on your machine.

For the below test, I ran metagoofil against for 100 pdfs.

Results show that you can get quite a significant speed improvement if you are downloading a lot of documents for analysis with metagoofil.

Download Links

If you are adventurous enough to try the patch, you can download the patch or the updated file from the links below.

Updated File:

Let me know if you face any issues.

