Dear w3af developers
Please read inline
On Tue, Oct 20, 2009, Andres Riancho <andres.rian...@gmail.com> wrote:
>>Floyd,
>>
>>On Tue, Oct 20, 2009 at 11:29 AM, Floyd Fuh <fu.her...@yahoo.de>> wrote:
>>>>
>>>> Dear w3af developers
>>>>
>>>> - Is there a plugin where I can just specify a list of strings, which is
>>>> used for every found parameter (GET, POST)?
>>>> Example: Crawler finds http://www.example.com/index.html?id=5 and
>>>>fuzzes the id parameter with values of the list
>>
>>You should use the fuzzy request editor tool, which you can find in
>>the GUI menu.
We're doing automated tests with w3af_console.
>>
>>>> - Is there a plugin that analyzes HTML code (like input length fields) and
>>>> then generates injection strings out of it?
>>>> Example: There is a <input name="name" type="text" maxlength="30">> tag
>>>>and w3af tries to inject strings with lengths 29, 30 and 31
>>
>>For now, the max length parameter is totally ignored.
>>
I'm planning to write a Fuzzer plugin, which has a configurable option how many
tests should be
done (exhaustiveness) on a scale from 0 to 100, chooses and mutates injection
data in various ways
by combining, repeating, deleting, reordering and encoding of different data.
It should be able to
analyze HTML tags as well. I'll start soon and it's part of my job.
>>>> - Is there a mechanism that measures the response delay for the different
>>>> requests?
>>
>>hmmm, there is something, but I think it is not working, because on
>>every request it says 0.2sec.Take a look at xUrllib, just search for
>>time.time() or something like that, and you'll find what you need.
>>
The xUrllib is fine, I wrote a new grep plugin to show it (see attachment
responseTime.py). Then I realized that it's exactly
what core.data.url.timeAnalysis does. I wanted to modified timeAnalysis.py, but
it's never called in xUrllib. Why? I think the hole
time.time() in xUrllib and timeAnalysis.py is the same and therefore
redundant...
Anyway it is really hard to say when a info should be shown to the tester (even
with all the statistical stuff). Maybe we could include it
in the GUI as well and show the response times in the log graph (with new scale
and other color on the right)?
Ok, back to the error (0.2sec for every response): The handlers are wrong
(logHandler, mangleHandler, etc.).
In logHandler.py line 144 to 146 says:
if isinstance(response, httpResponse.httpResponse):
res = response
else:
The else clause then produces the error and the time measure is set to the
default value 0.2sec (which is wrong...).
It took me quite long to figure out what else could it be than an instance of
core.data.url.httpResponse and I think it
would be better to set up an own file for the HTTPResponse class in
core.data.url.handlers.keepalive, but here is the
quick and dirty fix:
$ diff ./not_fixed/core/data/url/handlers/logHandler.py
./fixed/core/data/url/handlers/logHandler.py
151c151,152
< res = httpResponse.httpResponse( code, body, hdrs, url, url,
msg=msg, id=id)
---
> time = response.getWaitTime()
> res = httpResponse.httpResponse( code, body, hdrs, url, url,
>msg=msg, id=id, time=time)
$ diff ./not_fixed_svn_co/core/data/url/handlers/keepalive.py
./fixed/core/data/url/handlers/keepalive.py
20,25d19
< # This file was modified (considerably) to be integrated with w3af. Some
modifications are:
< # - Added the size limit for responses
< # - Raising w3afExceptions in some places
< # - Modified the HTTPResponse object in order to be able to perform
multiple reads, and
< # added a hack for the HEAD method.
<
116a111
> import time
163a159
> self._time=-42
222a219,224
>
> def getWaitTime(self):
> return self._time
>
> def setWaitTime(self, time=-42):
> self._time = time
420c422
<
---
>
445a448
> start_time = time.time()
446a450
> r.setWaitTime(time.time() - start_time)
475a480
> start_time = time.time()
476a482
> r.setWaitTime(time.time() - start_time)
I simply surrounded all getresponse() calls with some time measuring. Is this
correct?
What is the difference between xUrllib.py and keepalive.py ?
Btw I'm sitting right next to Kevin Denver in the office, he already
contributed to w3af.
bye
floyd
'''
blankBody.py
Copyright 2006 Andres Riancho
This file is part of w3af, w3af.sourceforge.net .
w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.
w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
'''
from core.data.options.option import option
from core.data.options.optionList import optionList
from core.controllers.basePlugin.baseGrepPlugin import baseGrepPlugin
import core.data.kb.knowledgeBase as kb
import core.data.kb.info as info
import core.controllers.outputManager as om
CONFIG_ERROR_MSG = 'responseTime plugin has to be correctly configured to use.'
CONFIG_ERROR_MSG += ' Please set renewFiguresAfter, trainingsRequests and \
infoStandardDeviationFactor correctly.'
class responseTime(baseGrepPlugin):
'''
Measure response time of all responses and calculates
figures like min, max, average, min deviation, max deviation and standard deviation.
Creates an info if the response took longer than the average response time plus
the infoStandardDeviationFactor multiplied with the average standard deviation.
@author: Tobias Ospelt
'''
def __init__(self, renewFiguresAfter=10, trainingsRequests=50, \
infoStandardDeviationFactor=2.00):
self.renewFiguresAfter=renewFiguresAfter
self.trainingsRequests=trainingsRequests
self.infoStandardDeviationFactor=infoStandardDeviationFactor
self.history={}
##Nice figures, but we don't really need them
#self.max=0.0
#self.min=1000.0
#self.maxDeviation=0.0
self.average=0.0
self.standardDeviation=0.0
def addResponseTime(self, responseNumber=-1, responseTime=-1):
self.history[responseNumber] = responseTime
##Calculate the average out of the old average and the one new value
self.average=(self.average*(len(self.history)-1)+ \
responseTime)/len(self.history)
##Again, nice figures, but we don't really need them
#if(responseTime<self.min):
# self.min=responseTime
#if(responseTime>self.max):
# self.max=responseTime
#if(abs(responseTime-self.average) > self.maxDeviation):
# self.maxDeviation=abs(responseTime-self.average)
if(len(self.history) % self.renewFiguresAfter == 0):
deviationSum=0
for value in self.history.itervalues():
deviationSum+=abs(value-self.average)
self.standardDeviation=deviationSum/len(self.history)
om.out.debug(
'responseTime: ' + str(responseTime) + ' s' + \
#', min: ' + str(self.min) + ' s' + \
#', max: ' + str(self.max) + ' s' + \
', average: ' + str(self.average) + ' s' + \
', standard deviation: ' + str(self.standardDeviation)+' s'
#', maxDeviation: ' + str(self.maxDeviation) + ' s'
)
def grep(self, request, response):
'''
Plugin entry point
@return: None
'''
time = response.getWaitTime()
self.addResponseTime(response.id, time)
if time>self.average and \
len(self.history) > self.trainingsRequests and \
(time-self.average) >= self.infoStandardDeviationFactor*self.standardDeviation :
i = info.info()
i.setName('Maximum response time')
i.setURL( response.getURL() )
i.setId( response.id )
msg = 'The request '+ str(response.id) + ' had to wait '
msg += 'about '+ str(time) + ' s before a response came. '
msg += 'The average is only '+str(self.average)
msg += ' s with standard deviation '+str(self.standardDeviation)
msg += ' s. This could indicate an error. '
i.setDesc(msg)
kb.kb.append( self, 'responseTime', i )
def setOptions( self, optionsMap ):
self.renewFiguresAfter = optionsMap['renewFiguresAfter'].getValue()
self.trainingsRequests = optionsMap['trainingsRequests'].getValue()
self.infoStandardDeviationFactor = \
optionsMap['infoStandardDeviationFactor'].getValue()
if self.renewFiguresAfter < 1 or self.trainingsRequests < 1 or \
self.infoStandardDeviationFactor < 0.01 :
om.out.error(CONFIG_ERROR_MSG)
if self.renewFiguresAfter > self.trainingsRequests :
om.out.error(CONFIG_ERROR_MSG + ' RenewFiguresAfter can not be \
greater than trainingsRequests.')
def getOptions( self ):
'''
@return: A list of option objects for this plugin.
'''
d1 = 'Because of performance reasons, standard deviation is not \
calculated every'
d1 += 'new request. The standard deviation will be calculated after this \
amount of requests.'
o1 = option('renewFiguresAfter', self.renewFiguresAfter, d1, 'integer')
d2 = 'The first requests will be used as training data and will not be'
d2 += 'reported. The plugin starts testing after this amount of requests.'
o2 = option('trainingsRequests', self.trainingsRequests, d2, 'integer')
d3 = 'One of the criteria to create an info is when the standard '
d3 += 'deviation multiplied by this factor is bigger then the deviation \
of the response'
o3 = option('infoStandardDeviationFactor', \
self.infoStandardDeviationFactor, d3, 'float')
ol = optionList()
ol.add(o1)
ol.add(o2)
ol.add(o3)
return ol
def end(self):
'''
This method is called when the plugin wont be used anymore.
'''
pass
def getPluginDeps( self ):
'''
@return: A list with the names of the plugins that should be \
runned before the current one.
'''
return []
def getLongDesc( self ):
'''
@return: A DETAILED description of the plugin functions and features.
'''
return '''
Measure response time of all responses and calculates
figures like min, max, average, max deviation and standard deviation.
Creates an info if the response took longer than the average response time plus
the infoStandardDeviationFactor multiplied with the average standard deviation.
'''
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
