Achim,
On Tue, Nov 15, 2011 at 10:34 AM, Achim Hoffmann <webse...@sic-sec.org> wrote:
> Hi all,
>
> I fully agree with Taras.
>
> Question before I dig deeper:
> does w3af currently identify (correctly) which parts of the URL
> are the INFO_PATH (actually tartofdefence.com h/bar/123 part, see
> below)?
What do you mean by INFO_PATH?
> Achim
>
>
> Am 15.11.2011 14:25, schrieb Taras:
>> Hi, all!
>>
>> Andres, when I have suggested this feature in w3af I didn't mean *full*
>> REST specification support.
>>
>> Today a lot of web applications (especially based on frameworks like
>> Django or in the old way by Apache mod_rewrite module) uses REST-like
>> URLs e.g.:
>>
>> http://example.com/foo/bar/123
>>
>> In this URL we (not scanner) can see such parts as:
>>
>> * foo - controller name
>> * bar - action name
>> * 123 - parameter value
>>
>> From classic web spider point of view it looks like directory hierarchy
>> - it is incorrect behavior! All these parts we need to fuzz!
>>
>> What I suggest to implement is rules for such URLs. It can be done as
>> http-settings
>> file option called "url-rules" (name is not important):
>>
>> /top/users/%s/view/%d/
>> /controller/action/%d/
>> ...
>>
>> %s and %d are special tokens which can be used by w3af to determine fuzz
>> points.
>>
>>
>>> This email is just a conversation starter for defining how we're
>>> going to deal with REST urls.
>>>
>>> REST, as described in [0], has two important moving parts:
>>> 1- URLs that "look nice" (no parameters: /people/1/phones/23 )
>>> 2- Heavy usage of HTTP methods like GET, POST, DELETE, PUT.
>>>
>>> The first question that I would ask myself is... do we want to
>>> support 1 and 2? Only 1? What is really needed by our users?
>>>
>>> If we only want to implement #1, it should be easy enough, since
>>> we already have something similar (see: mutantFileName.py). This
>>> mutant, together with the fuzzer.py (more specifically
>>> _createFileNameMutants) will behave like this:
>>>
>>> - Original URL: http://host.tld/foo/spam-eggs.jsp
>>> - Input strings: [ '<script>alert(1)</script>', 'ping localhost']
>>> - Output URLs:
>>> * http://host.tld/foo/<script>alert(1)</script>-eggs.jsp
>>> * http://host.tld/foo/spam-<script>alert(1)</script>.jsp
>>> * http://host.tld/foo/ping%20localhost-eggs.jsp
>>> * http://host.tld/foo/spam-ping%20localhost.jsp
>>>
>>> As you can see, it will split the filename using any character
>>> that's not a letter and put the strings into those positions. If we
>>> change this from just the filename into the whole path, it should work
>>> and inject into each URL section.
>>>
>>> Please note that the current implementation only performs file
>>> name fuzzing if misc-settings fuzzFileName is enabled (which is off by
>>> default). Should we also think about this and potentially modify this
>>> to true?
>>>
>>> Regarding #2 , I don't see a reason for it not to work with
>>> w3af... but I could be mistaken. We should perform some tests to check
>>> if w3af parses and correctly sends requests associated with forms that
>>> use PUT, DELETE, etc. The meta-question here is... do we want w3af to
>>> send requests that will "DELETE" stuff?
>>>
>>> Ok... that's enough for a conversation starter :) What do you guys
>>> think?
>>>
>>> [0] http://microformats.org/wiki/rest/urls
>>>
>>> Regards,
>>
>>
>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
