Hi Taras,

I'm not sure if this was Floyd's purpose, but it is useful to play around with the client-side constraints, as they can provide very good insight into what the developers implemented on the server side too. Both constraints, client and server, should be the same, but sometimes they are out of sync, and entry points (vulnerabilities) can be easily identified by playing around those limits (e.g. 29, 30, 31 for a maxlength of 30).
Cheers,
-- 
Raul Siles
www.raulsiles.com

On Wed, Nov 11, 2009 at 11:16 AM, Taras <ta...@securityaudit.ru> wrote:
> Floyd,
>
>>>> First of all, I think that I don't really understand what more complex
>>>> HTML analysis we need in W3AF, and why we need to pay attention to such
>>>> things (which are controlled on the client side) as the HTML tag attribute
>>>> maxlength. Floyd, could you please describe it a bit more?
>>
>> I think it is important that a web application framework extracts as much
>> information from the webpage under test as possible. If we know things
>> such as maxlength (and there are many more interesting "tags"), we know
>> better what the programmer was thinking when she wrote the HTML code.
>>
>> For example, when a field has length 12 I would try to inject strings with
>> length 12, 13 and e.g. 15 and compare the responses.
>
> But we already don't pay attention to this attribute :)
> The purpose of client-side data validation is only more convenient use
> of the app (e.g. AJAX data validation without reloading the page).
> But if we talk about security validation, such HTML attributes as maxlength
> are useless.
> So the response of the web app (server side) should not depend on an HTML tag attribute.
>
>> Sorry, I haven't read enough core code to answer that.
> Oops, sorry :) I forgot to address these questions to Andres.
>
> --
> Taras

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
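The boundary-probing idea discussed above (extract maxlength from the form, send values of length n-1, n, n+1 and compare the server's answers), written out as an added example. This is not w3af code and not code from any participant in the thread; the form HTML, the send() callback and the fake_server() handler that stands in for the application are constructed here for illustration, and the only assumption is that the caller supplies a function taking (field, value) and returning the response text.

```python
from html.parser import HTMLParser


class FormFieldParser(HTMLParser):
    """Collect <input>/<textarea> elements that declare a numeric maxlength."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = dict(attrs)
        name, maxlen = a.get("name"), a.get("maxlength")
        if name and maxlen and maxlen.isdigit():
            self.fields[name] = int(maxlen)


def extract_maxlengths(html):
    """Map field name -> declared client-side maxlength for one HTML page."""
    parser = FormFieldParser()
    parser.feed(html)
    return parser.fields


def boundary_lengths(maxlen):
    """Lengths worth probing: just under, at, just over, and well over the limit."""
    return [max(maxlen - 1, 0), maxlen, maxlen + 1, maxlen * 2]


def probe_field(send, field, maxlen):
    """Submit a filler value of each boundary length; return length -> response."""
    return {n: send(field, "A" * n) for n in boundary_lengths(maxlen)}


def find_out_of_sync(html, send):
    """Fields where an over-limit value gets the same response as an in-limit one.

    Such fields have a client-side limit with no matching server-side check,
    which is exactly the gap the thread suggests looking for.
    """
    suspects = []
    for field, maxlen in extract_maxlengths(html).items():
        responses = probe_field(send, field, maxlen)
        if responses[maxlen + 1] == responses[maxlen]:
            suspects.append(field)
    return suspects


# Constructed sample form: both fields carry a client-side maxlength.
SAMPLE_HTML = """
<form action="/profile" method="post">
  <input type="text" name="username" maxlength="30">
  <textarea name="comment" maxlength="200"></textarea>
  <input type="submit" value="Save">
</form>
"""


def fake_server(field, value):
    """Constructed stand-in for the application: it enforces the username
    limit on the server side but silently accepts any comment length."""
    server_limits = {"username": 30}
    if field in server_limits and len(value) > server_limits[field]:
        return "400 value too long"
    return "200 ok"


if __name__ == "__main__":
    for field, maxlen in extract_maxlengths(SAMPLE_HTML).items():
        print(field, maxlen, probe_field(fake_server, field, maxlen))
    print("out of sync:", find_out_of_sync(SAMPLE_HTML, fake_server))
```

Against a real target, send() would perform the HTTP request and return something comparable (status line plus body length is usually enough); comparing the n and n+1 responses rather than looking for a specific error keeps the check independent of how the application reports validation failures.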