Taras,

On Wed, Nov 11, 2009 at 12:02 AM, Taras <ta...@securityaudit.ru> wrote:
> Hi, all!
>
> Please read in line.
>> > >>
>> > >>>> - Is there a plugin that analyzes HTML code (like input length 
>> > >>>> fields) and then generates injection strings out of it?
>> > >>>>    Example: There is a <input name="name" type="text" 
>> > >>>> maxlength="30"> tag and w3af tries to inject strings with lengths 
>> > >>>> 29, 30 and 31
>> > >>
>> > >>For now, the max length parameter is totally ignored.
>> > >>
>> >
>> > I'm planning to write a Fuzzer plugin, which has a configurable option for how 
>> > many tests should be
>> > done (exhaustiveness) on a scale from 0 to 100, chooses and mutates 
>> > injection data in various ways
>> > by combining, repeating, deleting, reordering and encoding different 
>> > data. It should be able to
>> > analyze HTML tags as well. I'll start soon and it's part of my job.
>>
>> No, this shouldn't be done as a plugin. This should be done in the
>> core! I think that you should search for the place where the different
>> fuzzable requests are created now (see tmb, all, tb in misc settings)
>> and then work from there. I think that the tmb/t/b/all implementation
>> is great, but it should be moved to somewhere else; I think that the
>> best place would be the createMutants.
>>
>> @Taras: What do you think?
>
> First of all, I think that I don't really understand what more complex
> HTML analysis we need in W3AF, and why we need to pay attention to such
> things (which are controlled on the client side) like the HTML tag
> attribute maxlength. Floyd, could you please describe it a bit more?
>
>> Would this be possible? I think that the
>> parsers should generate one fuzzable request, and the createMutants
>> function should be the one that would create the different mutants
>> based on the configuration.
>
> It's a very interesting question! And there is no such thing as
> impossible :)

good answer ;)

> But what is wrong (in design context) in current state? That form has
> variants? Or that these variants are generated in
> createFuzzableRequests()?

My idea is that the parser should return a python form object that
looks like this:

<form:

    inputs: [ <textinput maxlength=10 value=None name="a"> ,
<textinput maxlength=None value=None name="b"> ,
                  <select options=['1', '2', '3'] name="s"> ]

    action: "/submit_form.php"
>

So, when the createMutants() gets this object, it will return the
following (depending on the t/tmb/tb configuration):

[
    <mutant url:"/submit_form.php" payload:"a=AAAAAAAAA&b=&s=1">
    <mutant url:"/submit_form.php" payload:"a=AAAAAAAAA&b=&s=2">
    <mutant url:"/submit_form.php" payload:"a=AAAAAAAAA&b=&s=3">
    <mutant url:"/submit_form.php" payload:"a=&b=AAAAAAAAA&s=1">
    <mutant url:"/submit_form.php" payload:"a=&b=AAAAAAAAA&s=2">
    <mutant url:"/submit_form.php" payload:"a=&b=AAAAAAAAA&s=3">
    <mutant url:"/submit_form.php" payload:"a=&b=&s=AAAAAAAAA">
]

Right now we aren't doing it like that... right now the parser returns
forms that look like this:

[
<form:

    inputs: [ <textinput value=None name="a"> , <textinput value=None
name="b"> ,
                  <select value='1' name="s"> ]

    action: "/submit_form.php"
>

<form:

    inputs: [ <textinput value=None name="a"> , <textinput value=None
name="b"> ,
                  <select value='2' name="s"> ]

    action: "/submit_form.php"
>


<form:

    inputs: [ <textinput value=None name="a"> , <textinput value=None
name="b"> ,
                  <select value='3' name="s"> ]

    action: "/submit_form.php"
>

]

Which at the end creates the same mutants... but is a little less "nice" ;)

Do you understand my point?

Cheers,

>
> --
> Taras - OSCP, OSWP
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
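The design Andrés sketches above (the parser returns one form object whose text inputs keep their maxlength and whose selects keep all their options, and createMutants() does the expansion according to the t/tmb/tb/all setting), as an added example that is not w3af's own code. It also covers Floyd's maxlength point from the quoted part of the thread by cutting the injected string to the declared limit. The mode names come from the thread; their meaning here (top, middle, bottom option of a select) is this example's assumption, as are all class, function and variable names and the sample HTML, which is constructed for the demo.

```python
"""Added example: single-form-object parsing plus mutant generation.

Assumed names: TextInput, Select, Form, Mutant, FormParser, parse_forms,
select_values, create_mutants.  SAMPLE_HTML is a constructed input.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from itertools import product
from typing import List, Optional
from urllib.parse import urlencode


@dataclass
class TextInput:
    name: str
    maxlength: Optional[int] = None   # None = no client-side limit declared
    value: Optional[str] = None


@dataclass
class Select:
    name: str
    options: List[str] = field(default_factory=list)   # all options kept, no variants


@dataclass
class Form:
    action: str
    inputs: list = field(default_factory=list)


@dataclass
class Mutant:
    url: str
    payload: str


class FormParser(HTMLParser):
    """Returns exactly one Form per <form>; selects are NOT expanded here."""

    def __init__(self):
        super().__init__()
        self.forms: List[Form] = []
        self._form: Optional[Form] = None
        self._select: Optional[Select] = None
        self._in_option = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = Form(action=a.get("action", ""))
        elif tag == "input" and self._form is not None and a.get("type", "text") == "text":
            ml = a.get("maxlength")
            self._form.inputs.append(TextInput(a["name"], int(ml) if ml else None, a.get("value")))
        elif tag == "select" and self._form is not None:
            self._select = Select(a["name"])
            self._form.inputs.append(self._select)
        elif tag == "option" and self._select is not None:
            # an explicit value attribute wins; otherwise the option text is the value
            if "value" in a:
                self._select.options.append(a["value"])
            else:
                self._in_option = True

    def handle_data(self, data):
        if self._in_option and data.strip():
            self._select.options.append(data.strip())
            self._in_option = False

    def handle_endtag(self, tag):
        if tag == "option":
            self._in_option = False
        elif tag == "select":
            self._select = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def parse_forms(html: str) -> List[Form]:
    p = FormParser()
    p.feed(html)
    return p.forms


def select_values(sel: Select, mode: str) -> List[str]:
    """Option values to try for one <select>, per the t/b/tb/tmb/all setting (assumed meaning)."""
    opts = sel.options
    if not opts:
        return [""]
    picks = {"t": [0], "b": [-1], "tb": [0, -1],
             "tmb": [0, len(opts) // 2, -1], "all": list(range(len(opts)))}[mode]
    chosen: List[str] = []
    for i in picks:                      # dedupe, e.g. tmb on a 2-option select
        if opts[i] not in chosen:
            chosen.append(opts[i])
    return chosen


def create_mutants(form: Form, payload: str, mode: str = "tmb") -> List[Mutant]:
    """One mutant per (injected input, combination of the other selects' values)."""
    mutants: List[Mutant] = []
    for target in form.inputs:
        inj = payload
        if isinstance(target, TextInput) and target.maxlength is not None:
            inj = payload[: target.maxlength]   # respect the declared maxlength
        others = [i for i in form.inputs if i is not target and isinstance(i, Select)]
        for combo in product(*(select_values(s, mode) for s in others)):
            combo_iter = iter(combo)
            params = []
            for inp in form.inputs:
                if inp is target:
                    params.append((inp.name, inj))
                elif isinstance(inp, Select):
                    params.append((inp.name, next(combo_iter)))
                else:
                    params.append((inp.name, inp.value or ""))
            mutants.append(Mutant(form.action, urlencode(params)))
    return mutants


# Constructed sample matching the form in the mail: a (maxlength 10), b, select s.
SAMPLE_HTML = """<form action="/submit_form.php">
<input name="a" type="text" maxlength="10">
<input name="b" type="text">
<select name="s"><option>1</option><option>2</option><option>3</option></select>
</form>"""

if __name__ == "__main__":
    form = parse_forms(SAMPLE_HTML)[0]
    for m in create_mutants(form, "A" * 9, "all"):
        print(f'<mutant url:"{m.url}" payload:"{m.payload}">')
```

With mode "all" and a nine-character payload this yields exactly the seven mutants listed in the mail; "t" yields three and "tb" five, which is the whole point of keeping the expansion in one place instead of in the parser.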

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop