-1

I'm not very experienced with information security but know some basics about injection attacks and other web-based attacks. Is there a tool / crawler to find all forms and input fields of a whole website?

I know of add-ons for Firefox and Chrome that show form details of the currently viewed website. What I need is a tool like a security scanner / website crawler that automatically scans the whole website for forms and generates a useful file or shows an overview with forms and their input fields. I use Linux and want to check a locally developed website for forms and input fields.

Edit: I haven't used any security tools before; I just know some basics from books and articles from the internet.

clinical

1 Answer

2

If you are trying to catalog all possible attack inputs, creating a list of all form input fields would be incomplete and could lead you to having a false sense of security. There are many other potential origins of attack (parameters in the URL are a very common one).

One thing that helped me when I began looking at website security was to start viewing it from the HTTP request level rather than an HTML level. If someone is attacking your site, they will most likely be attacking you from the HTTP request level as well.

I personally use Burp Suite for my security testing. They have a free version, and it provides you the tools you need to gather a list of all possible HTTP requests that can be made to the site.

In addition, I have found the Web Application Hacker's Handbook to be a very useful tool for understanding security vulnerabilities. Specifically, take a look at the Web Application Hacker's Methodology chapter.

Abe Miessler
  • Thanks for your comment. I'm not trying to analyze all possible web-based attacks. I just need a list of forms and their input fields. I've read WAHH already (some chapters) and found it very useful, thanks for recommending it. I'm sure there's a tool to get all forms and fields, but it looks like I have to write my own script. http://scrapy.org/ seems to be a good framework for web crawlers. I thought a tool like that must be somewhere on the internet so I wouldn't need to write my own. Thanks for your time and willingness to help. – clinical Sep 02 '14 at 17:50
  • @ycelik Abe's comment is important. There will not be a tool, because that tool will be incomplete and inaccurate by design. – schroeder Sep 02 '14 at 23:38
  • @schroeder It would be OK if you guys suggested a complete tool, part of which can scan forms. – clinical Sep 03 '14 at 07:15
  • @ycelik Abe suggested Burp, which is a powerful tool. Any modern web vulnerability scanner will also provide what you're looking for. – schroeder Sep 03 '14 at 14:21
  • A quick question... I'm on the free version of Burp, and I can spider my site and produce a lot of URLs, but I can't see how to list possible input vectors. Is this a feature of the paid scanner section? – square_eyes Jun 28 '15 at 21:53
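
For a locally developed site, the per-page inventory discussed in this thread can be built with Python's standard library alone. The sketch below is an added example, not code from any poster or from Burp or Scrapy: it lists each form with its method, action and named fields, and also records query-string parameters found in links and form actions, since the answer points out that URL parameters are inputs too. The sample HTML, the `inventory` helper and the `http://localhost:8000/` base URL are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl
# Constructed sample page (not from the thread); the base URL below is an assumption.
SAMPLE_HTML = """<a href="/search?q=test&amp;page=2">results</a>
<form action="/login" method="post">
  <input type="text" name="user"> <input type="password" name="pass">
  <input type="hidden" name="csrf"> <select name="lang"><option>en</option></select>
  <textarea name="note"></textarea> <button type="submit">Go</button>
</form>
<form action="find?scope=all"><input name="term"></form>"""

class InputInventory(HTMLParser):
    # Elements that are submitted with the form when they carry a name.
    FIELD_TAGS = {"input", "select", "textarea", "button"}
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []        # one dict per <form>
        self.url_params = {}   # URL path -> set of query parameter names
        self._current = None   # the <form> currently open, if any

    def _note_params(self, url):
        parts = urlsplit(urljoin(self.base_url, url))
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            self.url_params.setdefault(parts.path, set()).add(name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""
            self._current = {"action": urljoin(self.base_url, action),
                             "method": (a.get("method") or "get").upper(),
                             "fields": []}
            self.forms.append(self._current)
            self._note_params(action)   # a form action can carry parameters too
        elif tag in self.FIELD_TAGS and self._current is not None and a.get("name"):
            kind = a.get("type") or ("text" if tag == "input" else tag)
            self._current["fields"].append((a["name"], kind))
        elif tag == "a" and a.get("href"):
            self._note_params(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def inventory(html, base_url="http://localhost:8000/"):
    parser = InputInventory(base_url)
    parser.feed(html)
    return parser.forms, parser.url_params
```

Call `inventory(page_html, page_url)` on each page a crawler fetches and merge the results. Cookies, request headers and requests built by JavaScript never appear in this output, which is the incompleteness the answer describes.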