Christian, Please see inline,
On Fri, Aug 28, 2009 at 4:44 AM, Christian Frichot<xnt...@gmail.com> wrote: > Hi Andres and Co, > > Been playing with w3af today and had the following error during the > xss audit plugin: > > ---------------------- > Traceback (most recent call last): > File "/home/christian/w3af/w3af/core/ui/gtkUi/main.py", line 588, in > startScanWrap > self.w3af.start() > File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line > 411, in start > self._realStart() > File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line > 520, in _realStart > self._audit() > File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line > 854, in _audit > plugin.end() > File "/home/christian/w3af/w3af/plugins/audit/xss.py", line 413, in end > msg += ' URL: ' + mutant.getURL()+ '. ' + mutant.printModValue() > File "/home/christian/w3af/w3af/core/data/fuzzer/mutant.py", line > 85, in printModValue > return 'The sent '+ self.getMutantType() +' is: "' + self.getData() + '" .' > TypeError: cannot concatenate 'str' and 'form' objects > ----------------------------- > > The version details of w3af I'm using are: > > ----------------------------- > Starting w3af, running on: > Python version: > 2.5.2 (r252:60911, Oct 5 2008, 19:24:49) > [GCC 4.3.2] > GTK version: 2.14.4 > PyGTK version: 2.13.0 > > w3af - Web Application Attack and Audit Framework > Version: 1.1 (from SVN server) > Revision: 3021 > Author: Andres Riancho and the w3af team. > ------------------------------ Ahh, that was my fault. Thank you very much for reporting this bug! I just commited a fix [0]. In the URL you have the details on how I fixed the issue. [0] http://w3af.svn.sourceforge.net/w3af/?rev=3025&view=rev > I made a slight change in the w3af/plugins/audit/xss.py as commented > below (from line 411): > > ------------------------------ > msg = 'Permanent Cross Site Scripting was found at: ' + response.getURL() > msg += ' . Using method: ' + v.getMethod() + '. The XSS was sent to the' > #CF 28/08/09 - original line below - new line below that > #msg += ' URL: ' + mutant.getURL()+ '. ' + mutant.printModValue() > msg += ' URL: ' + mutant.getURL() > ------------------------------ > > This seemed to resolve the problem but I don't think the above is > anything more than a bad hack. > > Unsure if the actual fault lied within w3af/core/data/fuzzer/mutant.py > getData() function. > > Awesome work Andres! Thank YOU very much for reporting the bug, Cheers, > Regards, > > Christian > > -- > Christian Frichot > e: xnt...@gmail.com > w: http://un-excogitate.org > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > W3af-develop mailing list > W3af-develop@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/w3af-develop > -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop