DAVScan – WebDAV Security Scanner

The New Acunetix V12 Engine


DAVScan is a quick and lightweight WebDAV security scanner designed to discover hidden files and folders on DAV enabled web servers. The scanner works by taking advantage of overly privileged/misconfigured WebDAV servers or servers vulnerable to various disclosure or authentication bypass vulnerabilities.

DAVScan - WebDAV Security Scanner

The scanner attempts to fingerprint the target server and then spider the server based on the results of a root PROPFIND request.


Features

  • Server header fingerprinting – If the webserver returns a server header, davscan can search for public exploits based on the response.
  • Basic DAV scanning with PROPFIND – Quick scan to find anything that might be visible from DAV.
  • Unicode Auth Bypass – Works using GET haven’t added PROPFIND yet. Not fully tested so double check the work.
  • Exclusion of DoS exploit results – You can exclude denial of service exploits from the searchsploit results.
  • Exclusion of MSF modules from exploit results – Custom searchsploit is included in the repo for this. Either overwrite existing searchsploit or backup and replace. This feature may or may not end up in the real searchsploit script.

Usage

You can download DAVScan here:

davscan-master.zip

Or read more here.

Posted in: Hacking Tools, Web Hacking


Latest Posts:


SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.
Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.


Comments are closed.