Hi, all!

Andres, when I suggested this feature in w3af I didn't mean *full* REST specification support.

Today a lot of web applications (especially ones based on frameworks like Django, or in the old way via the Apache mod_rewrite module) use REST-like URLs, e.g.:

http://example.com/foo/bar/123

In this URL we (not the scanner) can see such parts as:

* foo - controller name
* bar - action name
* 123 - parameter value

From the classic web spider's point of view it looks like a directory hierarchy - this is incorrect behavior! All these parts we need to fuzz!

What I suggest implementing is rules for such URLs. It can be done as an http-settings file option called "url-rules" (the name is not important):

/top/users/%s/view/%d/
/controller/action/%d/
...

%s and %d are special tokens which can be used by w3af to determine fuzz points.

> This email is just a conversation starter for defining how we're
> going to deal with REST urls.
>
> REST, as described in [0], has two important moving parts:
> 1- URLs that "look nice" (no parameters: /people/1/phones/23 )
> 2- Heavy usage of HTTP methods like GET, POST, DELETE, PUT.
>
> The first question that I would ask myself is... do we want to
> support 1 and 2? Only 1? What is really needed by our users?
>
> If we only want to implement #1, it should be easy enough, since
> we already have something similar (see: mutantFileName.py). This
> mutant, together with the fuzzer.py (more specifically
> _createFileNameMutants) will behave like this:
>
> - Original URL: http://host.tld/foo/spam-eggs.jsp
> - Input strings: [ '<script>alert(1)</script>', 'ping localhost']
> - Output URLs:
>   * http://host.tld/foo/<script>alert(1)</script>-eggs.jsp
>   * http://host.tld/foo/spam-<script>alert(1)</script>.jsp
>   * http://host.tld/foo/ping%20localhost-eggs.jsp
>   * http://host.tld/foo/spam-ping%20localhost.jsp
>
> As you can see, it will split the filename using any character
> that's not a letter and put the strings into those positions. If we
> change this from just the filename into the whole path, it should work
> and inject into each URL section.
>
> Please note that the current implementation only performs file
> name fuzzing if misc-settings fuzzFileName is enabled (which is off by
> default). Should we also think about this and potentially modify this
> to true?
>
> Regarding #2, I don't see a reason for it not to work with
> w3af... but I could be mistaken. We should perform some tests to check
> if w3af parses and correctly sends requests associated with forms that
> use PUT, DELETE, etc. The meta-question here is... do we want w3af to
> send requests that will "DELETE" stuff?
>
> Ok... that's enough for a conversation starter :) What do you guys think?
>
> [0] http://microformats.org/wiki/rest/urls

Regards,
--
Taras
http://oxdef.info

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
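An added example, not w3af's code and not from either message above, sketching both ideas in Python: the proposed "url-rules" with %s/%d tokens marking fuzz points, and mutantFileName's split-on-non-letters behaviour extended to the whole path. The sample rule list, the function names and the percent-encoding of payloads are my assumptions, not w3af's.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample "url-rules" in the proposed syntax; not a real w3af setting.
RULES = ["/top/users/%s/view/%d/", "/controller/action/%d/"]

# Each token becomes a capturing group: the groups are the fuzz points.
TOKEN_RE = {"%s": r"([^/]+)", "%d": r"(\d+)"}


def rule_to_regex(rule):
    """Turn a rule such as /top/users/%s/view/%d/ into an anchored regex."""
    pattern = re.escape(rule)
    for token, group in TOKEN_RE.items():
        pattern = pattern.replace(re.escape(token), group)
    return re.compile("^" + pattern + "$")


def rule_mutants(url, rules, payloads):
    """One mutant URL per (fuzz point, payload) for the first rule that
    matches the URL path; [] when no rule matches (spider keeps the old view)."""
    parts = urlsplit(url)
    for rule in rules:
        match = rule_to_regex(rule).match(parts.path)
        if match:
            break
    else:
        return []
    spans = [match.span(i) for i in range(1, len(match.groups()) + 1)]
    return _inject(parts, spans, payloads)


def path_mutants(url, payloads):
    """mutantFileName's behaviour applied to the whole path: every run of
    letters is a fuzz point, replaced in turn by each payload."""
    parts = urlsplit(url)
    spans = [m.span() for m in re.finditer(r"[A-Za-z]+", parts.path)]
    return _inject(parts, spans, payloads)


def _inject(parts, spans, payloads):
    """Replace one span at a time with a percent-encoded payload (the encoding
    is an assumption here; w3af's mutants decide their own encoding)."""
    out = []
    for start, end in spans:
        for payload in payloads:
            new_path = parts.path[:start] + quote(payload, safe="") + parts.path[end:]
            out.append(urlunsplit(parts._replace(path=new_path)))
    return out
```

A path that matches no rule yields no rule-based mutants, which is exactly the case where the whole-path fallback in path_mutants is worth running.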