Kevin,
First of all, sorry for the late response, I'm not at home and
can't check emails that often. Please read inline,
On Wed, Nov 11, 2009 at 2:21 PM, Kevin Denver <[email protected]> wrote:
>
> Hi Andres & List,
>
> I've been trying to use w3af together with a web application using the Apache
> wicket framework (see [1]).
aaaaaaaaaaah!, people don't get tired of creating new web programming
frameworks? aaaaaaaaaaaaaaaaaaaaaaah! ;)
> I've
> stumbled across two issues while scanning and fuzzing the application. First
> some examples...
>
> A simple form written with the wicket framework looks like this:
>
> GET http://localhost:8080/wicket-examples/echo/
> ...
> <form id="id1" method="post"
> action=";jsessionid=3FBF43507EFC333BB9476C1ACF786A89?wicket:interface=:0:form::IFormSubmitListener::">
> <div style="display:none"><input type="hidden" name="id1_hf_0" id="id1_hf_0"
> /></div>
> <input type="text" value="[type your message to the world here]" size="50"
> name="msgInput"/>
> <input type="submit" value="set message" />
> </form>
> ...
>
> The correct joined POST action URL would look like the following:
> "/wicket-examples/echo/?wicket:interface=:0:form::IFormSubmitListener::"
> Unfortunately w3af does not join the domain and the relative part correctly.
> w3af omits the last '/' before the
> question mark. I think I've managed to fix this issue with the following
> piece of code. I can commit this code to the svn if
> you agree.
hmm, what about the ";jsessionid=..." , is w3af handling that part well?
> Index: urlParser.py
> ===================================================================
> --- urlParser.py (revision 3176)
> +++ urlParser.py (working copy)
> @@ -233,6 +233,10 @@
> scheme, domain, path, params, qs, fragment = _uparse.urlparse(
> baseurl )
> # TODO add params?!
> response = scheme + '://' + domain + path + relative
> + elif relative.find('wicket:')> 0:
> + # Special case for the Apache Wicket framework
> + scheme, domain, path, params, qs, fragment = _uparse.urlparse(
> baseurl )
> + response = scheme + '://' + domain + path + relative
> else:
> response = _uparse.urljoin( baseurl, relative )
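Review bot: the guard `relative.find('wicket:')> 0` keys on a framework-specific token found anywhere in the string (in the example it only matches inside the query string, and `> 0` would miss a match at index 0), while the property that actually needs special handling is visible in the form itself: the action begins with `;jsessionid=...`, a path parameter. A check such as `relative.startswith(';')` would cover any application that emits such actions, which is the generic fix the reply below asks about. The body of the new branch also repeats the preceding branch line for line (`_uparse.urlparse( baseurl )` followed by `scheme + '://' + domain + path + relative`), so extending that branch's condition with `or` is shorter and keeps the `# TODO add params?!` concern in one place; as written both branches drop the base URL's `params` and `qs`, so a base that already carries a `;jsessionid` would lose it.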
Is this a problem that we could find in other frameworks and not only
in wicket? If this is not a 100% particular thing of wicket, I think
that the fix should be generic. What do you think? Would a generic fix
be better?
> The other issue I've found is harder to fix. As you can see the form contains
> a hidden field "id1_hf_0" which is empty.
> w3af tries to fuzz this parameter which is usually okay but the wicket
> framework throws an internal server error if this
> hidden field contains any kind of data. That means that no wicket form is
> properly accepted by the server.
> My idea was to add an option to w3af which allows a user to specify a list of
> parameters which will be ignored by the plugins.
> Does this feature already exist? Or is someone else already implementing
> this? If not I might find some time to implement this.
No, this feature is not present, and I think it is something useful.
Mostly for parameters that should be IGNORED during fuzzing, for
example .net EVENTVALIDATION and such.
Cheers,
> Cheers,
> Kevin
>
>
> [1] http://wicket.apache.org/
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> W3af-develop mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
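As an added example, not code from w3af or from Kevin's patch: a small Python 3 module that resolves the form action from the message generically (any reference beginning with `;` or `?` keeps the base path, trailing slash included), strips the `;jsessionid` path parameter Andrés asks about, and applies the per-parameter ignore list Kevin proposes. The page URL and the HTML are constructed from the quoted message; the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urlunparse

# Constructed sample: the form from the message, served from a hypothetical page URL.
PAGE_URL = "http://localhost:8080/wicket-examples/echo/"
FORM_HTML = """<form id="id1" method="post"
action=";jsessionid=3FBF43507EFC333BB9476C1ACF786A89?wicket:interface=:0:form::IFormSubmitListener::">
<div style="display:none"><input type="hidden" name="id1_hf_0" id="id1_hf_0" /></div>
<input type="text" value="[type your message to the world here]" size="50" name="msgInput"/>
<input type="submit" value="set message" />
</form>"""

def join_action(base, relative):
    # A reference starting with ';' (path parameters) or '?' keeps the base path
    # as-is, trailing '/' included, replacing the base's own params and query.
    # Made explicit so the join does not depend on the URL library's rules.
    if relative.startswith((";", "?")):
        p = urlparse(base)
        return f"{p.scheme}://{p.netloc}{p.path}{relative}"
    return urljoin(base, relative)

def strip_jsessionid(url):
    # Drop the ';jsessionid=...' path parameter so the same action is not
    # treated as a brand-new URL on every response.
    p = urlparse(url)
    kept = [x for x in p.params.split(";") if x and not x.lower().startswith("jsessionid=")]
    return urlunparse(p._replace(params=";".join(kept)))

class FormParser(HTMLParser):
    # Collects action, method and the named inputs of the first form seen.
    def __init__(self):
        super().__init__()
        self.action, self.method, self.inputs = "", "get", []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and a.get("name"):
            self.inputs.append((a["name"], (a.get("type") or "text").lower()))

def form_targets(page_url, html, ignore=()):
    # (method, resolved action URL, names left to fuzz); `ignore` is the
    # per-parameter ignore list the thread asks for (the empty hidden field here).
    fp = FormParser()
    fp.feed(html)
    url = strip_jsessionid(join_action(page_url, fp.action))
    skip = set(ignore)
    return fp.method, url, [n for n, t in fp.inputs if t != "submit" and n not in skip]
```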