
I'm not very experienced with information security but know some basics about i


Question

I'm not very experienced with information security but know some basics about injection attacks and other web-based attacks. Is there a tool / crawler to find all forms and input fields of a whole website?

I know add-ons for Firefox and Chrome showing form details of the currently viewed website. What I need is a tool like a security scanner / website crawler that automatically scans the whole website for forms and generates a useful file or shows an overview with forms and their input fields. I use Linux and want to check a locally developed website for forms and input fields.

Explanation / Answer

If you are trying to catalog all possible attack inputs, creating a list of all form input fields would be incomplete and could lead you to have a false sense of security. There are many other potential origins of attack (parameters in the URL are a very common one).

One thing that helped me when I began looking at website security was to start viewing it from the HTTP request level rather than an HTML level. If someone is attacking your site, they will most likely be attacking you from the HTTP request level as well.

I personally use Burp Suite for my security testing. They have a free version, and it provides you the tools you need to gather a list of all possible HTTP requests that can be made to the site.

In addition, I have found the Web Application Hacker's Handbook to be a very useful tool for understanding security vulnerabilities. Specifically, take a look at the Web Application Hacker
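The following added example is not part of the original answer. It uses only the Python standard library to inventory one page of a locally developed site, recording each form with its named fields and, because forms alone are incomplete, the query parameters found in links. The class name, the sample HTML and the localhost URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

class InputSurfaceParser(HTMLParser):
    """Inventory one page: forms with their named fields, plus URL query parameters."""
    FIELD_TAGS = {"input", "select", "textarea", "button"}
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []       # [{"action", "method", "fields": [(name, type), ...]}]
        self.url_params = {}  # URL path -> set of query parameter names seen in links
        self.links = set()    # absolute links, for a crawler to visit next
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action submits to the page's own URL; a missing method means GET.
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(), "fields": []}
            self.forms.append(self._form)
        elif tag in self.FIELD_TAGS and a.get("name") and self._form is not None:
            kind = a.get("type") or ("text" if tag == "input" else tag)
            self._form["fields"].append((a["name"], kind))
        elif tag == "a" and a.get("href"):
            parts = urlsplit(urljoin(self.base_url, a["href"]))._replace(fragment="")
            self.links.add(parts.geturl())
            for name, _ in parse_qsl(parts.query, keep_blank_values=True):
                self.url_params.setdefault(parts.path, set()).add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def inventory(html, base_url):
    parser = InputSurfaceParser(base_url)
    parser.feed(html)
    parser.close()
    return parser

# Constructed sample page, standing in for one response from a local dev server.
SAMPLE = """<a href="/search?q=test&amp;page=2#top">Search</a> <a href="item.php?id=7">Item</a>
<form action="/login" method="post"><input name="user"><input type="password" name="pass">
<input type="hidden" name="csrf_token" value="x"><input type="submit" value="Go"></form>
<form><textarea name="comment"></textarea><select name="rating"></select></form>"""
page = inventory(SAMPLE, "http://localhost:8000/shop/index.html")
for form in page.forms:
    print(form["method"], form["action"], form["fields"])
print(page.url_params)
```

To cover a whole local site, feed each fetched page to `inventory` and follow the entries in `page.links` that stay on the same host. Headers, cookies and requests built by JavaScript do not appear in the HTML, so this inventory stays a subset of what a proxy at the HTTP request level records.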