Taras,
On Tue, May 19, 2009 at 6:59 PM, Taras P. Ivashchenko
<[email protected]> wrote:
>
> Hi, Dimitri!
>
> Thanks for your interest in w3af!
> How often does such a situation occur in practice (when some input param is echoed
> back to the browser after URL decoding)?
I also think that it's a little bit strange to find, but I've found
some web apps that behave like this.
>
>> Hi guys,
>> I played with the w3af for the first time today. I'm specifically
>> interested in the XSS scanning (crawling + fuzzing).
>>
>> It seems w3af does not catch the case when the site echoes the
>> double-encoded JavaScript.
>> I added the following tests in xss.py, function _get_xss_tests :
>>
>> # D.S - url escaped injection string
>> xss_tests.append(('%3CSCrIPT%3Ealert%28%22RANDOMIZE%22%29%3C/SCrIPT%3E', [browsers.ALL, ]))
>>
>> # D.S - double quoted injection string
>> xss_tests.append(('%2522%253E%253Cscript%253Ealert%2528/RANDOMIZE/%2529%253C/script%253E', [browsers.ALL, ]))
>>
>> then it does pick it up.
>>
>> Here's the PHP file that I used to test it:
>>
>> <?php
>> // Deliberately vulnerable test page: 'param' is echoed twice without any
>> // escaping, once as PHP already decoded it ($_GET) and once more after an
>> // extra urldecode(), so a double-encoded payload becomes live markup.
>> $param = isset($_GET['param']) ? $_GET['param'] : '';
>> echo "Initial param: $param<BR>\n";
>> $param_esc = urldecode($param);
>> echo "Param decoded: $param_esc <BR>\n";
>> // compose the URL to the current page ($_SERVER{...} curly-brace access is
>> // deprecated since PHP 7.4 and removed in PHP 8, so use square brackets)
>> $url = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://';
>> $url .= $_SERVER['SERVER_NAME'];
>> if (!empty($_SERVER['SERVER_PORT'])) {
>>     $url .= ":" . $_SERVER['SERVER_PORT'];
>> }
>> $url .= $_SERVER['PHP_SELF'];
>> if (!empty($_SERVER['QUERY_STRING'])) {
>>     $url .= '?' . $_SERVER['QUERY_STRING'];
>> } else {
>>     $url .= '?' . 'param=a';
>> }
>> // the raw query string is also reflected unescaped into the href (a second sink)
>> echo '<A href="' . $url . "\">$url</A>";
>> ?>
>>
>> and here's the related w3af output with the added tests:
>>
>> Starting xss plugin execution.
>> Cross Site Scripting was found at: "[URL]", using HTTP method GET. The sent
>> data was:
>> "param=%252522%25253E%25253Cscript%25253Ealert%252528/9v5SFsQ4yG8Wd/%252529%25253C/script%25253E".
>> This vulnerability affects ALL browsers. This vulnerability was found in the
>> request with id 45.
>>
>> One request - would it be possible to add an option in the audit config xss:
>> set numberOfChecks all
>> so that when you are modifying the source you would not have to worry about
>> the number of tests you run. It would be also interesting to give each test
>> a short but descriptive name (like "double.enc") and allow the user to
>> specify exactly which tests they want to run.
>>
>> Cheers, may the brute force be with you! :)
>>
>> Dimitri
>>
>
>
> --
> Тарас Иващенко (Taras Ivashchenko), OSCP
> www.securityaudit.ru
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
>
> _______________________________________________
> W3af-develop mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
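The thread above turns on how many times a value is percent-decoded between the scanner and the sink: the PHP test page decodes once in $_GET and once more in urldecode(), so a test string has to be encoded exactly enough times to come out as live markup at the second echo. The following Python is an added example written for this page, not w3af code and not Dimitri's patch. It models that page as a function, runs named test strings ("plain", "single.enc", "double.enc", in the spirit of the naming Dimitri suggested) through a client that percent-encodes the parameter once (an assumption; how w3af itself encoded these test strings is not modelled), and uses a detection oracle that only fires when the random marker comes back inside an intact, unescaped SCRIPT tag. It then generalises to a matrix of encoding layers against server-side decode depth, and shows the hardened page (no extra urldecode, output HTML-escaped) on which none of the tests fire.

```python
import html
from urllib.parse import quote, unquote

TOKEN = "RANDOMIZE"  # stand-in for the scanner's per-request random marker (constructed)


def make_page(server_decodes: int, escape_output: bool = False):
    """Model of a page that URL-decodes its 'param' value `server_decodes` times
    and echoes it. The thread's PHP page is make_page(2): $_GET decodes once,
    urldecode() decodes again, nothing is escaped. escape_output=True is the
    hardened variant (htmlspecialchars-style output encoding)."""
    def page(raw_param: str) -> str:
        value = raw_param
        for _ in range(server_decodes):
            value = unquote(value)
        if escape_output:
            value = html.escape(value, quote=True)
        return f"Param decoded: {value} <BR>\n"
    return page


def encode_layers(payload: str, layers: int) -> str:
    """URL-encode `payload` `layers` times; '/' is left alone as in the thread's tests."""
    for _ in range(layers):
        payload = quote(payload, safe="/")
    return payload


def xss_tests(token: str = TOKEN) -> dict:
    """Named test strings; the names are hypothetical, in the spirit of 'double.enc'."""
    payload = f'"><SCrIPT>alert(/{token}/)</SCrIPT>'
    return {
        "plain": payload,
        "single.enc": encode_layers(payload, 1),
        "double.enc": encode_layers(payload, 2),
    }


def send(page, test_string: str, client_encodes: int = 1) -> str:
    """Emulate an HTTP client that percent-encodes the query parameter before
    sending. Most clients do this exactly once; that layer counts too."""
    return page(encode_layers(test_string, client_encodes))


def reflected_as_markup(response: str, token: str = TOKEN) -> bool:
    """Detection oracle: the marker must sit inside an intact, unescaped <SCrIPT>
    tag. Matching on the random token alone would also fire on a harmless echo
    of the still-encoded value."""
    return f"<SCrIPT>alert(/{token}/)</SCrIPT>" in response


def scan(page, token: str = TOKEN) -> dict:
    """Run every named test against `page`; report which ones come back as live markup."""
    return {name: reflected_as_markup(send(page, t), token)
            for name, t in xss_tests(token).items()}


def reflection_matrix(max_layers: int = 3, max_decodes: int = 3) -> dict:
    """Generalisation: for each (layers in the test string, server-side decodes)
    pair, does the marker come back as live markup? With the client adding one
    layer, the answer is 'yes' exactly when decodes >= layers + 1."""
    payload = xss_tests()["plain"]
    return {
        (layers, decodes): reflected_as_markup(
            send(make_page(decodes), encode_layers(payload, layers)))
        for layers in range(max_layers + 1)
        for decodes in range(1, max_decodes + 1)
    }


if __name__ == "__main__":
    thread_page = make_page(2)  # the PHP test page from the thread
    print("vulnerable page:", scan(thread_page))
    print("hardened page:  ", scan(make_page(2, escape_output=True)))
    for (layers, decodes), hit in sorted(reflection_matrix().items()):
        print(f"test encoded {layers}x, server decodes {decodes}x -> "
              f"{'reflected as markup' if hit else 'no'}")
```

The practical point for a scanner is that "double.enc" is not a stronger test than "single.enc"; it targets a different decode depth, and a test string with too many layers for the target simply comes back still encoded. A fixed list of test strings therefore needs one entry per plausible depth, which is also why a per-test name and a "run all tests" switch, as requested in the thread, make it easier to see which depth actually fired.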