Robert,

Please read inline:

On Thu, Apr 9, 2009 at 2:26 PM, Robert Carr <carr.m.rob...@gmail.com> wrote:
> I have some questions/comments about this plugin.
>
> It seems to me that the existing plugin checks for specific text in a
> response. I think the specific text is present only when a more serious
> .net error is encountered.
>
> I believe that if a .net error message is displayed at all, it should be a
> finding. Maybe only informational, but still a finding.
>
> Would you agree?

Yep, I agree, it doesn't seem to be a vulnerability... it's just an info object.

> Further there are some common .net errors that occur based on the resources
> WebResource.axd and ScriptResource.axd.
>
> I find that these two resources can be made to cause .net errors by adding
> bogus information to the d parameter:
>
> WebResource.axd
> ScriptResource.axd
>
> (example: WebResource.axd?d=junk)
>
> You can find examples here:
>
> http://www.google.com/search?q=inurl%3AScriptResource.axd+intitle%3Awebsite+problem&btnG=Search
>
> I would like to enhance this plugin, however I wanted this to be reviewed by
> the mailing list first.
>
> Please let me know your thoughts on updating the plugin to both notify of
> .net errors and adding *Resource.axd checks.

Sure! Everything ok by me, just change it =)

Cheers,

> thanks,
>
> -Robert
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> High Quality Requirements in a Collaborative Environment.
> Download a free trial of Rational Requirements Composer Now!
> http://p.sf.net/sfu/www-ibm-com
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
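
The check proposed in this thread, sketched as an added example (not w3af plugin code and not from either author): any response carrying .NET error text is reported as an informational finding, with a note on whether it exposes detail and whether it came from a `*Resource.axd` handler. The signature strings are assumptions based on ASP.NET's default error pages, the function names are hypothetical, and the sample responses are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed signatures taken from ASP.NET's default error pages.
# "detailed" pages expose a stack trace or framework version;
# "generic" pages are what remote users see when custom errors are on.
SIGNATURES = [
    ("detailed", re.compile(r"<b>\s*Stack Trace:\s*</b>", re.I)),
    ("detailed", re.compile(r"Microsoft \.NET Framework Version:", re.I)),
    ("generic", re.compile(r"Server Error in '[^']*' Application\.", re.I)),
    ("generic", re.compile(r"<title>\s*Runtime Error\s*</title>", re.I)),
]
RESOURCE_HANDLERS = ("webresource.axd", "scriptresource.axd")

def classify_dotnet_error(url, status, body):
    """Return an informational finding, or None when no .NET error text is present."""
    kinds = {kind for kind, rx in SIGNATURES if rx.search(body)}
    if not kinds:
        return None
    path = urlsplit(url).path.lower()
    return {
        "severity": "information",  # an info object, not a vulnerability
        "detail": "detailed" if "detailed" in kinds else "generic",
        "resource_handler": path.endswith(RESOURCE_HANDLERS),
        "status": status,
        "url": url,
    }

# Constructed sample responses: (url, status code, body).
SAMPLES = [
    ("http://example.test/WebResource.axd?d=junk", 500,
     "<h1>Server Error in '/' Application.</h1><b>Stack Trace:</b><br>..."),
    ("http://example.test/page.aspx", 500,
     "<title>Runtime Error</title><h1>Server Error in '/' Application.</h1>"),
    ("http://example.test/index.html", 200, "<h1>Welcome</h1>"),
]

def scan(samples):
    """Classify every sample and keep only the ones that produced a finding."""
    results = (classify_dotnet_error(*sample) for sample in samples)
    return [finding for finding in results if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```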