I promised last time that I would do a git extractor and, yes, I came across a site in the real world that used git to manage its releases. A quick script later and I had its web.config file and all of the internal goodies.
There's a much more detailed write up and the tool at the corporate blog of the company I work for.
This is an expansion of part of a talk I did for OWASP East Midlands.
If you actually read the articles posted up here you may have read about the svnpristine extractor that was written in October 2012 and not released until February 2013 (hey, it takes me a while).
So, you're sat on a customer site, and nothing is going right: patching is up to date, passwords are all set to complex values, user input is validated, you have to wear a suit and even the coffee doesn't taste very nice.
Oh, but wait! That scan against the internal web server reveals that:
Some of you may have been observant and noticed that Nikto has alerted about the lack of the
X-Frame-Options header from web servers. This headers gives hints to the user agent on how it should be handled from within a frame, effectively preventing click-jacking, or the overlaying of information over a frame to fool a user into clicking on something they don't want to.
Recently all new Nikto development has moved from Assembla to GitHub!
We're happy to announce the immediate availability of Nikto 2.1.5, and that Nikto is now sponsored by Sunera LLC!
Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers.