List,

    This email is just a conversation starter for defining how we're
going to deal with REST URLs.

    REST, as described in [0], has two important moving parts:
        1- URLs that "look nice" (no parameters: /people/1/phones/23 )
        2- Heavy usage of HTTP methods like GET, POST, DELETE, PUT.

    The first question that I would ask myself is... do we want to
support 1 and 2? Only 1? What is really needed by our users?

    If we only want to implement #1, it should be easy enough, since
we already have something similar (see: mutantFileName.py). This
mutant, together with the fuzzer.py (more specifically
_createFileNameMutants) will behave like this:

    - Original URL: http://host.tld/foo/spam-eggs.jsp
    - Input strings: [ '<script>alert(1)</script>', 'ping localhost']
    - Output URLs:
        * http://host.tld/foo/<script>alert(1)</script>-eggs.jsp
        * http://host.tld/foo/spam-<script>alert(1)</script>.jsp
        * http://host.tld/foo/ping%20localhost-eggs.jsp
        * http://host.tld/foo/spam-ping%20localhost.jsp

    As you can see, it will split the filename using any character
that's not a letter and put the strings into those positions. If we
change this from just the filename into the whole path, it should work
and inject into each URL section.
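As an added illustration (not w3af's own mutantFileName.py or fuzzer.py code), here is a small Python mutant generator that reproduces the filename splitting shown above and, with whole_path=True, applies it to every section of the path as proposed. It assumes digits count as part of a token (so REST ids like /people/1 get a slot) and that payloads are percent-encoded except for the characters the example output leaves bare.

```python
import re
from urllib.parse import urlsplit, urlunsplit, quote

# Constructed example, not w3af's mutantFileName.py: a token is a run of
# letters or digits (assumption: digits included so numeric REST ids are
# fuzzed too); the capturing group keeps the separators in the split.
TOKEN_RE = re.compile(r'([A-Za-z0-9]+)')


def _encode(payload):
    # Assumption: encode spaces and the like, but keep < > ( ) / bare so
    # the output matches the URLs listed in the email.
    return quote(payload, safe="<>()/")


def create_path_mutants(url, payloads, whole_path=True):
    """Return URLs with each path token replaced by each payload.

    whole_path=False reproduces the current filename-only behaviour;
    whole_path=True injects into every section of the path.
    """
    parts = urlsplit(url)
    segments = parts.path.split('/')      # leading '' from the initial '/'
    last = len(segments) - 1
    split_segments = []                   # (pieces, ext) per segment
    for idx, seg in enumerate(segments):
        ext = ''
        if idx == last and '.' in seg:    # keep the extension intact
            seg, ext = seg.rsplit('.', 1)
            ext = '.' + ext
        split_segments.append((TOKEN_RE.split(seg), ext))
    targets = range(len(segments)) if whole_path else [last]
    # Injection points: tokens sit at the odd indices after the split.
    points = [(idx, pos) for idx in targets
              for pos in range(1, len(split_segments[idx][0]), 2)]
    mutants = []
    for payload in payloads:
        for idx, pos in points:
            pieces, ext = split_segments[idx]
            mutated = pieces[:]
            mutated[pos] = _encode(payload)
            new_segments = segments[:]
            new_segments[idx] = ''.join(mutated) + ext
            mutants.append(urlunsplit(parts._replace(path='/'.join(new_segments))))
    return mutants


if __name__ == "__main__":
    for u in create_path_mutants("http://host.tld/foo/spam-eggs.jsp",
                                 ["<script>alert(1)</script>", "ping localhost"],
                                 whole_path=False):
        print(u)
```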

    Please note that the current implementation only performs file
name fuzzing if misc-settings fuzzFileName is enabled (which is off by
default). Should we also think about this and potentially modify this
to true?

    Regarding #2, I don't see a reason for it not to work with
w3af... but I could be mistaken. We should perform some tests to check
if w3af parses and correctly sends requests associated with forms that
use PUT, DELETE, etc. The meta-question here is... do we want w3af to
send requests that will "DELETE" stuff?

    Ok... that's enough for a conversation starter :) What do you guys think?

[0] http://microformats.org/wiki/rest/urls

Regards,
-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop