I have some questions/comments about this plugin.

It seems to me that the existing plugin checks for specific text in a
response.  I think the specific text is present only when a more
serious .net error is encountered.

I believe that if a .net error message is displayed at all, it should be
a finding. Maybe only informational, but still a finding.

Would you agree?

Further, there are some common .net errors that occur based on the
resources WebResource.axd and ScriptResource.axd.

I find that these two resources can be made to cause .net errors by
adding bogus information to the d parameter:

WebResource.axd
ScriptResource.axd

(example: WebResource.axd?d=junk)

You can find examples here:

http://www.google.com/search?q=inurl%3AScriptResource.axd+intitle%3Awebsite+problem&btnG=Search

I would like to enhance this plugin, however I wanted this to be
reviewed by the mailing list first. 

Please let me know your thoughts on updating the plugin to both notify
of .net errors and adding *Resource.axd checks.

thanks,

-Robert
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
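
One way to grade responses along the lines the message proposes, as an added example that is not part of the original message and not w3af's plugin code: any ASP.NET error page becomes an informational finding, and a page that also exposes exception details is graded higher. The marker strings are assumed from ASP.NET's default error pages, and the function names and sample responses are constructed for illustration.

```python
import re

# Assumed markers from ASP.NET's default error pages (not w3af's own strings).
GENERIC_ERROR = re.compile(r"Server Error in '[^']*' Application\.")
DETAIL_MARKERS = ("Stack Trace:", "Exception Details:", "Source Error:")


def classify_dotnet_error(body):
    """Return None, 'informational' or 'detailed' for one response body."""
    if not GENERIC_ERROR.search(body):
        return None
    # Exception text or a stack trace means detailed errors are exposed.
    if any(marker in body for marker in DETAIL_MARKERS):
        return "detailed"
    # An error page without details is still reported, at low severity.
    return "informational"


def findings(responses):
    """Map (url, body) pairs to (url, severity) for every .NET error page."""
    out = []
    for url, body in responses:
        severity = classify_dotnet_error(body)
        if severity is not None:
            out.append((url, severity))
    return out


# Constructed sample responses (not captured from any real site).
SAMPLES = [
    ("/WebResource.axd?d=junk",
     "<title>Runtime Error</title><h1>Server Error in '/' Application.</h1>"
     "<h2>Runtime Error</h2> The current custom error settings prevent "
     "the details from being viewed remotely."),
    ("/ScriptResource.axd?d=junk",
     "<h1>Server Error in '/shop' Application.</h1>"
     "<b>Exception Details:</b> System.FormatException: Invalid length"
     "<b>Stack Trace:</b> [FormatException: ...]"),
    ("/index.aspx", "<html><body>Welcome</body></html>"),
]

if __name__ == "__main__":
    for url, severity in findings(SAMPLES):
        print(f"{severity:13} {url}")
```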