Floyd,

Please read inline,
On Tue, Nov 10, 2009 at 10:44 AM, Floyd Fuh <fu.her...@yahoo.de> wrote:
>
> Dear w3af developers
>
> Please read inline
>
> On Tue, Oct 20, 2009, Andres Riancho <andres.rian...@gmail.com> wrote:
>
>> Floyd,
>>
>> On Tue, Oct 20, 2009 at 11:29 AM, Floyd Fuh <fu.her...@yahoo.de> wrote:
>>>>
>>>> Dear w3af developers
>>>>
>>>> - Is there a plugin where I can just specify a list of strings, which is
>>>> used for every found parameter (GET, POST)?
>>>> Example: Crawler finds http://www.example.com/index.html?id=5 and
>>>> fuzzes the id parameter with values of the list
>>
>> You should use the fuzzy request editor tool, which you can find in
>> the GUI menu.
>
> We're doing automated tests with w3af_console.

Then you should write a new plugin that reads the payloads from a file. It
should be trivial. On the other side... how do you plan on detecting which
payloads triggered a vuln? If the answer is manually, then that's fine; if
the answer is "automatically" then I think that you also need to provide the
plugin with a text file with the regular expressions that match when an
error is found.

>>
>>>> - Is there a plugin that analyzes HTML code (like input length fields)
>>>> and then generates injection strings out of it?
>>>> Example: There is a <input name="name" type="text" maxlength="30">
>>>> tag and w3af tries to inject strings with lengths 29, 30 and 31
>>
>> For now, the max length parameter is totally ignored.
>>
> I'm planning to write a Fuzzer plugin, which has a configurable option how
> many tests should be done (exhaustiveness) on a scale from 0 to 100, chooses
> and mutates injection data in various ways by combining, repeating, deleting,
> reordering and encoding of different data. It should be able to analyze HTML
> tags as well. I'll start soon and it's part of my job.

No, this shouldn't be done as a plugin. This should be done in the core!
I think that you should search for the place where the different fuzzable
requests are created now (see tmb, all, tb in misc settings) and then work
from there. I think that the tmb/t/b/all implementation is great, but it
should be moved to somewhere else; I think that the best place would be the
createMutants. @Taras: What do you think? Would this be possible? I think
that the parsers should generate one fuzzable request, and the createMutants
function should be the one that would create the different mutants based on
the configuration.

>>>> - Is there a mechanism that measures the response delay for the
>>>> different requests?
>>
>> hmmm, there is something, but I think it is not working, because on
>> every request it says 0.2sec. Take a look at xUrllib, just search for
>> time.time() or something like that, and you'll find what you need.
>>
> The xUrllib is fine, I wrote a new grep plugin to show it (see attachment
> responseTime.py). Then I realized that it's exactly what
> core.data.url.timeAnalysis does. I wanted to modify timeAnalysis.py, but
> it's never called in xUrllib. Why? I think the whole time.time() in xUrllib
> and timeAnalysis.py is the same and therefore redundant...

The timeAnalysis feature is not used because it generated A LOT of false
positives. It was impossible to make it work... right now the time.time() in
xUrllib is there just to be able to show the response time in the GUI (HTTP
Log/History tab).

> Anyway it is really hard to say when an info should be shown to the tester
> (even with all the statistical stuff). Maybe we could include it in the GUI
> as well and show the response times in the log graph (with new scale and
> other color on the right)?

I don't think it is thaaaat important, we should just fix it and show it in
the HTTP Log.

> Ok, back to the error (0.2sec for every response): The handlers are wrong
> (logHandler, mangleHandler, etc.).
> In logHandler.py line 144 to 146 says:
>
> if isinstance(response, httpResponse.httpResponse):
>     res = response
> else:
>
> The else clause then produces the error and the time measure is set to the
> default value 0.2sec (which is wrong...).
> It took me quite long to figure out what else could it be than an instance of
> core.data.url.httpResponse and I think it would be better to set up an own
> file for the HTTPResponse class in core.data.url.handlers.keepalive, but here
> is the quick and dirty fix:
>
> $ diff ./not_fixed/core/data/url/handlers/logHandler.py
> ./fixed/core/data/url/handlers/logHandler.py
> 151c151,152
> < res = httpResponse.httpResponse( code, body, hdrs, url, url,
> msg=msg, id=id)
> ---
> > time = response.getWaitTime()
> > res = httpResponse.httpResponse( code, body, hdrs, url, url,
> >msg=msg, id=id, time=time)
>
>
> $ diff ./not_fixed_svn_co/core/data/url/handlers/keepalive.py
> ./fixed/core/data/url/handlers/keepalive.py
> 20,25d19
> < # This file was modified (considerably) to be integrated with w3af. Some
> modifications are:
> < # - Added the size limit for responses
> < # - Raising w3afExceptions in some places
> < # - Modified the HTTPResponse object in order to be able to perform
> multiple reads, and
> < # added a hack for the HEAD method.
> <
> 116a111
> > import time
> 163a159
> > self._time=-42
> 222a219,224
> >
> > def getWaitTime(self):
> > return self._time
> >
> > def setWaitTime(self, time=-42):
> > self._time = time
> 420c422
> <
> ---
> >
> 445a448
> > start_time = time.time()
> 446a450
> > r.setWaitTime(time.time() - start_time)
> 475a480
> > start_time = time.time()
> 476a482
> > r.setWaitTime(time.time() - start_time)
>
> I simply surrounded all getresponse() calls with some time measuring. Is this
> correct?

Yes, I think so. Does it work? ;) What about removing the time.time() from
xUrllib, isn't that needed? Could you please send me the patches for this as
files?
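Review bot: in the logHandler hunk (151c151,152) the new line `time = response.getWaitTime()` sits in the `else` branch, which by construction handles anything that is not an `httpResponse.httpResponse`; the patch assumes that object is always the keepalive HTTPResponse, and any other type reaching that branch (the very question raised above) will raise AttributeError. Guard it (`getattr(response, 'getWaitTime', None)`) or narrow the branch with an explicit isinstance check, and give the local a name other than `time`, since it shadows the `time` module for the rest of the function.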
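Review bot: the first keepalive hunk (20,25d19) deletes the header comment that records how the file diverges from upstream (size limit, w3afExceptions, multiple reads, HEAD hack); nothing in the timing change needs that, and the two diffs use different bases (`./not_fixed_svn_co` vs `./not_fixed`), so this looks like a difference between checkouts rather than an intended edit. Drop the hunk before sending the patch as a file.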
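Review bot: `import time` at 116a111 lands in the middle of the file rather than with the other module imports; move it to the top so the dependency is visible and so it is bound before any method that uses it is called.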
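Review bot: `self._time=-42` at 163a159 introduces a magic sentinel with no comment, and because logHandler now passes `getWaitTime()` straight into httpResponse, a response whose time was never set will be shown as -42 seconds. Use a named constant or `None` for "not measured" and say so in a comment next to the attribute.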
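Review bot: in the accessor hunk (222a219,224) `setWaitTime(self, time=-42)` names its parameter `time`, which shadows the module imported for exactly this purpose, and repeats the -42 default. Rename it (`seconds`) and either drop the default so callers must pass a measurement or default to `None`, matching whatever sentinel the attribute uses.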
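Review bot: hunk 420c422 replaces a blank line with a blank line, i.e. a whitespace-only change; remove it so the patch carries only the timing work.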
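Review bot: at 445a448/446a450 the interval brackets only `getresponse()`, so it runs from after the request was sent until the status line and headers arrived; sending the request and reading the body are outside it. That is fine for a time-to-first-byte figure, but the grep plugin and the HTTP Log should label it as such, and if `getresponse()` raises, `setWaitTime` is never reached and the sentinel is what logHandler will report.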
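Review bot: 475a480/476a482 repeat the two lines from 445/446 at the second `getresponse()` call site; wrap the timed call in a small helper on the connection object so both paths stay in sync when the measurement changes (for instance to also cover the body read).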
> What is the difference between xUrllib.py and keepalive.py ?

keepalive keeps the TCP connection alive, xUrllib is a wrapper that gives
users a clean interface to the HTTP requests and responses.

> Btw I'm sitting right next to Kevin Denver in the office, he already
> contributed to w3af.

hi Kevin! :) It is nice to know that you're working together with him.

Cheers,

> bye
> floyd
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
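A worked version of the two ideas in this thread, added here as an example and not code from w3af or from either poster: a createMutants-style function that injects each entry of a payload list into one parameter at a time, error regexes loaded from a text file as suggested above, and a wait-time measurement around the request that reports None instead of a magic -42 when nothing was measured. The target (`fake_send`), the payload list and the error-regex file are constructed stand-ins so the example runs offline.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

def create_mutants(url, payloads):
    """Yield (param, payload, mutated_url): each payload goes into one
    parameter at a time while the other parameters keep their values."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(params):
        for payload in payloads:
            mutated = list(params)
            mutated[i] = (name, payload)
            yield name, payload, urlunsplit(parts._replace(query=urlencode(mutated)))

def load_error_patterns(text):
    """Parse an error-regex text file: one pattern per line, '#' comments allowed."""
    return [re.compile(line.strip(), re.IGNORECASE) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')]

def timed_send(send, mutated_url):
    """Measure the request; return (None, None) instead of a magic -42 on failure."""
    start = time.perf_counter()
    try:
        body = send(mutated_url)
    except OSError:
        return None, None
    return body, time.perf_counter() - start

def scan(url, payloads, patterns, send):
    """One finding per mutant whose response body matches an error regex."""
    findings = []
    for name, payload, mutated in create_mutants(url, payloads):
        body, elapsed = timed_send(send, mutated)
        if body is None:
            continue
        hits = [p.pattern for p in patterns if p.search(body)]
        if hits:
            findings.append({'param': name, 'payload': payload,
                             'matched': hits, 'seconds': elapsed})
    return findings

# Constructed stand-in for the target (no network): fakes a DB error when a quote reaches 'id'.
def fake_send(mutated_url):
    query = dict(parse_qsl(urlsplit(mutated_url).query))
    if "'" in query.get('id', ''):
        return "<html>You have an error in your SQL syntax</html>"
    return "<html>page for id=%s</html>" % query.get('id')
PAYLOADS = ["'", "<", "A" * 31]   # constructed: a quote, a tag opener, one past maxlength=30
ERROR_PATTERNS = load_error_patterns("# constructed error-regex file\nerror in your SQL syntax\nODBC.*Driver\n")
```

Pointing `scan` at a real `send` (xUrllib's GET in w3af, or any HTTP client) is the only change needed to run it against an application you are authorised to test.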