Taras, On Wed, Feb 4, 2009 at 7:56 PM, Taras P. Ivashchenko <naplan...@gmail.com> wrote: > Andres, > >> I've been thinking about the different ways to handle "long forms": >> >> - Random values: If we have a form with a lot of >> combo/radio/select and the permutations of all of them exceed the >> number of max permutations, one of the options would be to perform a >> random choice of the combo box values and fuzz the other parameter. >> The problem with that is that if the user scans the site again, after >> finding something in a first scan, the probabilities say that he may >> not find the vulnerability again! Example: > ... >> - Top and bottom values: If we have a form with a lot of >> combo/radio/select and the permutations of all of them exceed the >> number of max permutations, one of the options would be to select the >> top and bottom values of the combo box and fuzz the other parameter. I >> think that this is the best option and gives the highest code coverage >> with the less requests. Example: > ... >> What do you think about the top/bottom idea? > I like it! So it will be great if we will have 3 options for > parsing/generating mutants: > - all variants of form elements values > - random values > - top/bottom values
I would remove the random values, because they'll be confusing for people when they re-run a scan. I would leave: - all variants of form element values - top/bottom values - top/middle/bottom values (maybe this could be the default?) > As I think after I will finish develop the first option other two will > be trivial. Yes, once you have one working... it's 10 more minutes of work+testing to make the other one work. > -- > Тарас Иващенко (Taras Ivashchenko), OSCP > www.securityaudit.ru > ---- > "Software is like sex: it's better when it's free." - Linus Torvalds > -- Andres Riancho http://w3af.sourceforge.net/ Web Application Attack and Audit Framework ------------------------------------------------------------------------------ Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM) software. With Adobe AIR, Ajax developers can use existing skills and code to build responsive, highly engaging applications that combine the power of local resources and data with the reach of the web. Download the Adobe AIR SDK and Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
