Alpha testers wanted

Post by bombshop on Mon Mar 07, 2011 4:27 am

I am in need of alpha testers for my site http://crwlr.net

Any help about bug submissions, property implementation, enhancements etc. is welcome.

What is crwlr.net
crwlr.net is a site about header indexing. It scans for IP blocks to find web servers and it indexes the header information the server discloses. So you can search for the IPs running Apache web server etc.

Any question is welcome.


Re: Alpha testers wanted

Post by Goatboy on Mon Mar 07, 2011 4:57 am

Some of the links are generated incorrectly. For example, where it shows the latest IP that was scanned, it adds two dots and a space before the last octet, instead of just a single dot.
Mundus Vult Decipi


Re: Alpha testers wanted

Post by bombshop on Mon Mar 07, 2011 4:58 am

Goatboy wrote: Some of the links are generated incorrectly. For example, where it shows the latest IP that was scanned, it adds two dots and a space before the last octet, instead of just a single dot.


Fixed. Thank you for the quick heads up :)


Re: Alpha testers wanted

Post by Goatboy on Mon Mar 07, 2011 5:06 am

I noticed that it took a while to scan the 190.24.148.X range. Specifically, it took 2 days to get from 190.24.148.142 to 190.24.148.160. Is this normal? How is scanning handled?


Re: Alpha testers wanted

Post by bombshop on Mon Mar 07, 2011 5:12 am

For now the scanning is handled using PHP's built-in functions. I didn't have time to write it in Perl or something :oops:
Also I am having some server-related problems: the code that ran flawlessly on my home server gives me problems on my hosting account. The code stops executing after some undefined interval. After that I have to start it again. That's why it takes that long.


Re: Alpha testers wanted

Post by Goatboy on Mon Mar 07, 2011 5:31 am

I found a bug. Visit the following URL: http://crwlr.net/?search=&q=herp''&[]=derp

It just redirects back to the main page for some reason.


Re: Alpha testers wanted

Post by bombshop on Mon Mar 07, 2011 5:33 am

Hmm, that's interesting, it redirected when I clicked on the link but it didn't redirect when I post the address to the address bar. I'll see what causes it.


Re: Alpha testers wanted

Post by Goatboy on Mon Mar 07, 2011 5:44 am

This is me with admin access (click for bigger images):

Image

Image

You are very vulnerable to both XSS and social engineering. The link I gave you was a cookie stealer. I promise I have not done anything malicious with this, but you should really look into it. I also entered my IP into the database with a custom HTTP header containing what will turn into a stored XSS attack if I am correct. Ciao.
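The defensive side of the two issues reported above, as an added example that is not part of the original posts and not crwlr.net's code: indexed header values and the `q` search parameter are treated as untrusted and HTML-encoded on output, and the session cookie is marked HttpOnly so page script cannot read it. All function names and the sample header values are assumptions constructed for illustration.

```php
<?php
// Added example: names below are hypothetical, not crwlr.net's code.

// Encode untrusted text for HTML body text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Normalise a header value received from a scanned server before storing it:
// strip control characters (CR/LF included) and cap the length.
function clean_header_value(string $raw, int $maxLen = 256): string
{
    $value = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $raw);
    return substr($value, 0, $maxLen);
}

// Read the search term; a non-string value (e.g. an array parameter) becomes ''.
function search_term(array $query): string
{
    $q = $query['q'] ?? '';
    return is_string($q) ? substr($q, 0, 100) : '';
}

// Render one indexed host; every value that came from the network is encoded.
function render_row(string $ip, array $headers): string
{
    $items = '';
    foreach ($headers as $name => $value) {
        $items .= '<li>' . h((string) $name) . ': ' . h((string) $value) . '</li>';
    }
    return '<tr><td>' . h($ip) . '</td><td><ul>' . $items . '</ul></td></tr>';
}

// Start the admin session with a cookie that page script cannot read.
function start_admin_session(): void
{
    // Positional arguments: lifetime, path, domain, secure, httponly
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

// Constructed sample data: a scanned host whose Server header carries markup.
$headers = [
    'Server'       => clean_header_value('Apache/2.2.17 <script>alert(1)</script>'),
    'X-Powered-By' => clean_header_value("PHP/5.3.5\r\nInjected: 1"),
];
echo '<p>Results for ' . h(search_term(['q' => "herp''"])) . "</p>\n";
echo render_row('192.0.2.10', $headers) . "\n";
```

HttpOnly only limits what injected script can do with the session cookie; the output encoding is what removes the injection itself.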


Re: Alpha testers wanted

Post by bombshop on Mon Mar 07, 2011 9:24 am

Wow that's nice work! Please let me understand, you could get the admin access while my cookie was valid or whenever you want? Thanks again, it is good to know that it is vulnerable :)


Re: Alpha testers wanted

Post by jgreen45 on Mon Mar 07, 2011 11:01 am

Goatboy wrote: You are very vulnerable to both XSS and social engineering. The link I gave you was a cookie stealer. I promise I have not done anything malicious with this, but you should really look into it. I also entered my IP into the database with a custom HTTP header containing what will turn into a stored XSS attack if I am correct. Ciao.


Oh god, deja vu for the realistic missions :D
I can't come to bed...
Someone is WRONG on the internet


http://xkcd.com/386/

