I don’t have reason to use Visio very often, pretty much restricting it to creating a flowchart to dump into Word or PowerPoint or when creating models during Threat Modeling.  I use it on average maybe once every two months or so; obviously I am not a Visio expert by any means but I suspect most people in a similar position to me are much the same way.

 Thus it came as a bit of a surprise when I found out it can create maps of websites almost painlessly.  Selecting “New->Web Diagram->Web Site Map” will allow you to enter a web address and send Visio out to spider the targetted website starting at that location.  Depending on the complexity of the website this can take thirty seconds to several minutes, but once Visio is done spidering the website it will create a purdy little diagram showing all of the interrelationships between web resources.  In addition to normal pages served up it also spits out various included resources, such as .js and .css files that the website utilizes (this is configurable).

The creation of the map isn’t flawless; it doesn’t accept credentials for form authentication but if the site is foolishly only protected by HTTP authentication it will accept credentials for that.  Visio doesn’t try to brute force or even intelligently guess the presence of files or folders but rather just follows references in the pages served up. AJAX confuses the spider somewhat.  Dynamically created URLs (like Wiki produces) can confuse it. 

There are certainly more thorough tools for crawling websites to create a profile for them but regardless Visio has its strengths.  It is very effective at verifying that the presentation layer isn’t exposing access to protected resources.  It is quick and simple to use.  Most usefully though, it creates a better visual map of a website than pretty much any other tool I have played with, and this is greatly valuable to me.  Just glancing at the Visio output gives me a quick relationship between unprotected resources on the website and reaffirms the path of navigation through the site.  I think the hierarchical display is most useful to designers of websites to reaffirm relationships of resources, but for me as a penetration tester it gives me a very early and easy to generate view of the website, as well as provide me with a quick list of early targets to try and compromise.  It is by no means the only scanner I will run on a website when doing anything more than a cursory glance, its flaws are pretty big and it is far from thorough, but for quick 1000′ views of a sites publically discoverable pages in a couple minutes it is a good tool.

 I wonder what else Visio can do that I don’t know about.

~Joshbw

Tags: Security Tools, Visio, Web Security