Christian,

    Please see inline,

On Fri, Aug 28, 2009 at 4:44 AM, Christian Frichot<xnt...@gmail.com> wrote:
> Hi Andres and Co,
>
> Been playing with w3af today and had the following error during the
> xss audit plugin:
>
> ----------------------
> Traceback (most recent call last):
>  File "/home/christian/w3af/w3af/core/ui/gtkUi/main.py", line 588, in
> startScanWrap
>    self.w3af.start()
>  File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line
> 411, in start
>    self._realStart()
>  File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line
> 520, in _realStart
>    self._audit()
>  File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line
> 854, in _audit
>    plugin.end()
>  File "/home/christian/w3af/w3af/plugins/audit/xss.py", line 413, in end
>    msg += ' URL: ' + mutant.getURL()+ '. ' + mutant.printModValue()
>  File "/home/christian/w3af/w3af/core/data/fuzzer/mutant.py", line
> 85, in printModValue
>    return 'The sent '+ self.getMutantType() +' is: "' + self.getData() + '" .'
> TypeError: cannot concatenate 'str' and 'form' objects
> -----------------------------
>
> The version details of w3af I'm using are:
>
> -----------------------------
> Starting w3af, running on:
>  Python version:
>    2.5.2 (r252:60911, Oct  5 2008, 19:24:49)
>    [GCC 4.3.2]
>  GTK version: 2.14.4
>  PyGTK version: 2.13.0
>
> w3af - Web Application Attack and Audit Framework
>  Version: 1.1 (from SVN server)
>  Revision: 3021
>  Author: Andres Riancho and the w3af team.
> ------------------------------

Ahh, that was my fault. Thank you very much for reporting this bug! I
just committed a fix [0]. In the URL you have the details on how I
fixed the issue.

[0] http://w3af.svn.sourceforge.net/w3af/?rev=3025&view=rev

> I made a slight change in the w3af/plugins/audit/xss.py as commented
> below (from line 411):
>
> ------------------------------
> msg = 'Permanent Cross Site Scripting was found at: ' + response.getURL()
> msg += ' . Using method: ' + v.getMethod() + '. The XSS was sent to the'
> #CF 28/08/09 - original line below - new line below that
> #msg += ' URL: ' + mutant.getURL()+ '. ' + mutant.printModValue()
> msg += ' URL: ' + mutant.getURL()
> ------------------------------
>
> This seemed to resolve the problem but I don't think the above is
> anything more than a bad hack.
>
> Unsure if the actual fault lay within w3af/core/data/fuzzer/mutant.py
> getData() function.
>
> Awesome work Andres!

Thank YOU very much for reporting the bug,

Cheers,

> Regards,
>
> Christian
>
> --
> Christian Frichot
> e: xnt...@gmail.com
> w: http://un-excogitate.org
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

