White Hat Institute

Find default misconfiguration and insecure files with Spaghetti

Spaghetti is a web application security scanner. It is intended to discover default and insecure files, configurations, and misconfigurations. Spaghetti is written for Python 2.7 and can run on any platform that has a Python environment.

You can download this tool from the https://github.com/cyberheartmi9/Spaghetti page.


Clone Spaghetti to the “/opt” directory.

Ex: (root@kali:/opt# git clone https://github.com/cyberheartmi9/Spaghetti.git).

Then navigate to the “Spaghetti” folder and install the requirements.

Ex: (root@kali:/opt/Spaghetti# pip install -r requirements.txt).

To start the tool, use the “python” command.

Ex: (root@kali:/opt/Spaghetti# python spaghetti.py).

It will bring up the help page and usage information.

[Screenshot: Spaghetti help page and usage information]

Let’s see this tool in action and perform a full scan (-s 0) using the deep crawler (--crawler) on our web server.

Ex: (root@kali:/opt/Spaghetti# python spaghetti.py -u http://10.10.10.10 -s 0 --crawler).

Since we used the “--crawler” option, the whole process will take some time to complete. Spaghetti will try to reach every possible page and report every misconfiguration it finds, as you can see in the screenshot below.
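A crawl like the one above leaves a distinctive trail in the target's access log: one client, many requests in a short window, most of them for well-known sensitive paths, most of them answered with 403 or 404, and the occasional 200 that marks a genuinely exposed file. The following Python 3 script is an added example for the defending side, not part of Spaghetti or of this post: it parses a handful of constructed combined-format log lines, flags clients that probe a list of sensitive paths (the list is illustrative, not Spaghetti's own wordlist), and separately reports any sensitive path that the server actually served with a 2xx status, since that is the finding that needs fixing regardless of who requested it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache/Nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "python-requests/2.18"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Illustrative set of paths that should never be reachable on a production host.
# This is an assumption for the example, not Spaghetti's wordlist.
SENSITIVE_PATHS = {
    "/.git/HEAD", "/.git/config", "/.env", "/.htaccess", "/.htpasswd",
    "/phpinfo.php", "/backup.zip", "/wp-config.php.bak", "/admin/",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of the fields we care about, or None for unparsable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, miss_threshold=4, probe_threshold=3):
    """Flag probing clients and sensitive paths the server actually served.

    A client is reported as a scanner when it accumulates miss_threshold
    4xx responses or requests probe_threshold sensitive paths.
    """
    exposed = []                  # (ip, path) where a sensitive path returned 2xx
    probes = defaultdict(list)    # ip -> sensitive paths it requested
    misses = Counter()            # ip -> number of 403/404 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if path in SENSITIVE_PATHS:
            probes[rec["ip"]].append(path)
            if rec["status"].startswith("2"):
                exposed.append((rec["ip"], path))
        if rec["status"] in ("403", "404"):
            misses[rec["ip"]] += 1
    clients = set(misses) | set(probes)
    scanners = sorted(
        ip for ip in clients
        if misses[ip] >= miss_threshold or len(probes.get(ip, [])) >= probe_threshold
    )
    return {"exposed": exposed, "scanners": scanners, "probes": dict(probes)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, path in report["exposed"]:
        print("EXPOSED: %s was served with 2xx (requested by %s)" % (path, ip))
    for ip in report["scanners"]:
        print("SCANNER: %s probed %d sensitive paths" % (ip, len(report["probes"].get(ip, []))))
```

On the sample above the script reports 198.51.100.7 as a scanner and `/.git/HEAD` as exposed, while the ordinary browsing client is left alone. The exposed list is the actionable part for a defender: a 200 on a path like that means the misconfiguration exists whether or not a scanner ever finds it, so it belongs in a ticket, not just in an alert.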

[Screenshot: Spaghetti scan output]

This is indeed a useful tool for scanning web applications. It can gather information about a web service as well as attack it. Spaghetti is a valuable tool that could come in handy during a red team engagement.