Hello and welcome to the Tuesday, December 12, 2020,

edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

Rob today wrote about Sitemap.xml, a file that he found pretty useful for penetration testers.

Sitmap.xml can probably pretty well be described as the opposite of robots.

.

It's a standard formatted file that you often leave on a web server in order to give search engines

hints as to what files to prioritize

when they're sputtering.

And then they're often also used, for example, when you see the results being displayed

on a search engine, you may see a couple pages being highlighted.

Now these files are often auto-generated by little scripts, and the one thing that Rob

finds is that, well, they're often somewhat out of date, so sometimes they may lead to pages

that are no longer really in use, and that, of of course sometimes can lead to vulnerabilities.

The other issue where a sitemap.xml comes in handy that it also sometimes lists pages

that aren't linked from other pages within the site, like let's say pages that are created

for specific advertisement campaigns and such.

So that way, if you just would spider the site using traditional tools, well, you would have

missed those specific pages.

Rob, as usual, offers a couple PowerShell scripts and such to deal with

parsing the output of Sitemap.xml. And also simplifying the results and converting the results

into more standard formats. And Apple today released updates for iOS, iPadOS, MacOS, and TVOS, as well as watchOS.

...