Hello Andres & List, Please read inline.
---------------------------------------- 
> From: andres.rian...@gmail.com
> Date: Sun, 15 Nov 2009 10:34:34 +0200
> Subject: Re: [W3af-develop] w3af and the Apache wicket framework
> To: muff...@hotmail.com
> CC: w3af-develop@lists.sourceforge.net
>
> Kevin,
>
> First of all, sorry for the late response, I'm not at home and
> can't check emails that often. Please read inline,
>
> On Wed, Nov 11, 2009 at 2:21 PM, Kevin Denver wrote:
>>
>> Hi Andres & List,
>>
>> I've been trying to use w3af together with a web application using the
>> Apache wicket framework (see [1]).
>
> aaaaaaaaaaah!, people don't get tired of creating new web programming
> frameworks? aaaaaaaaaaaaaaaaaaaaaaah! ;)
>
>> I've stumbled across two issues while scanning and fuzzing the application.
>> First some examples...
>>
>> A simple form written with the wicket framework looks like this:
>>
>> GET http://localhost:8080/wicket-examples/echo/
>> ...
>>
>> <form id="id1" method="post"
>> action=";jsessionid=3FBF43507EFC333BB9476C1ACF786A89?wicket:interface=:0:form::IFormSubmitListener::">
>> <div style="display:none"><input type="hidden" name="id1_hf_0" id="id1_hf_0"
>> /></div>
>> <input type="text" value="[type your message to the world here]" size="50"
>> name="msgInput"/>
>> <input type="submit" value="set message" />
>> </form>
>> ...
>>
>> The correct joined POST action URL would look like the following:
>> "/wicket-examples/echo/?wicket:interface=:0:form::IFormSubmitListener::"
>> Unfortunately w3af does not join the domain and the relative part correctly.
>> w3af omits the last '/' before the question mark. I think I've managed to
>> fix this issue with the following piece of code. I can commit this code to
>> the svn if you agree.
>
> hmm, what about the ";jsessionid=..." , is w3af handling that part well?

I completely overlooked this one :) You're right. The correct joined URL would
look like the following:
"/wicket-examples/echo/jsessionid=3FBF43507EFC333BB9476C1ACF786A89?wicket:interface=:0:form::IFormSubmitListener::".
w3af currently omits the last '/' as stated above AND adds the jsessionid at
the end instead of after the "/echo/" part.

>
>> Index: urlParser.py
>> ===================================================================
>> --- urlParser.py (revision 3176)
>> +++ urlParser.py (working copy)
>> @@ -233,6 +233,10 @@
>> scheme, domain, path, params, qs, fragment = _uparse.urlparse(
>> baseurl )
>> # TODO add params?!
>> response = scheme + '://' + domain + path + relative
>> + elif relative.find('wicket:')> 0:
>> + # Special case for the Apache Wicket framework
>> + scheme, domain, path, params, qs, fragment = _uparse.urlparse(
>> baseurl )
>> + response = scheme + '://' + domain + path + relative
>> else:
>> response = _uparse.urljoin( baseurl, relative )
>
> Is this a problem that we could find in other frameworks and not only
> in wicket? If this is not a 100% particular thing of wicket, I think
> that the fix should be generic. What do you think? Would a generic fix
> be better?

I would have to do more debugging but a generic fix is certainly the way to go.

>
>> The other issue I've found is harder to fix. As you can see the form
>> contains a hidden field "id1_hf_0" which is empty.
>> w3af tries to fuzz this parameter which is usually okay but the wicket
>> framework throws an internal server error if this
>> hidden field contains any kind of data. That means that no wicket form
>> is properly accepted by the server.
>> My idea was to add an option to w3af which allows a user to specify a list
>> of parameters which will be ignored by the plugins.
>> Does this feature already exist? Or is someone else already implementing
>> this? If not I might find some time to implement this.
>
> No, this feature is not present, and I think it is something useful.
> Mostly for parameters that should be IGNORED during fuzzing, for
> example .net EVENTVALIDATION and such.
>

Okay, cool, I'll look at what I can do.

Cheers,
Kevin

> Cheers,
>
>> Cheers,
>> Kevin
>>
>>
>> [1] http://wicket.apache.org/
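Review bot: the guard `elif relative.find('wicket:')> 0:` in the hunk is a substring test over the whole relative reference, so any link whose path or query merely contains `wicket:` takes the special branch, while a reference that actually starts with `wicket:` (index 0) fails the `> 0` test and falls through to `urljoin`; if the Wicket-specific check stays, `'wicket:' in relative` is the intended condition, with a space before `>` to match the file's style. As the thread itself suggests, a framework-neutral condition belongs in a URL parser: test the shape of the reference instead, for instance whether it begins with `;` or `?`, since such a reference names the same resource as the base and should be appended to the base `path` unchanged. The added branch also repeats the body of the branch above it verbatim (parse `baseurl`, then `scheme + '://' + domain + path + relative`) and, like that branch, discards the base `params` and `qs`, so the existing `# TODO add params?!` comment applies to it as well; folding both conditions into one `if`/`elif` that shares the body would avoid the duplication, and handling `params` there is where the `;jsessionid=...` question raised in the thread would be answered.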
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
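The two problems discussed in the thread, resolving the form's `;jsessionid=...?wicket:interface=...` action against the page URL and keeping an ignore list of parameters out of the fuzzing, as one added example. This is not w3af's code and not Kevin's patch: it is written against Python 3's `urllib.parse` rather than the Python 2 `urlparse` used in the hunk, and the function names (`join_action`, `fuzzable_names`, `fuzzed_submissions`), the sample form data and the `.*_hf_\d+` ignore pattern are all assumptions made for the example. The join rule is the generic one Andres asks about: it keys on the shape of the reference (starts with `;` or `?`) rather than on the framework name.

```python
"""Added example, not w3af's own code: resolve a form's action URL against
the page it was found on, then build fuzzed submissions that leave an
ignore list of parameters untouched."""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample, modelled on the echo form quoted in the thread.
PAGE_URL = "http://localhost:8080/wicket-examples/echo/"
FORM_ACTION = (";jsessionid=3FBF43507EFC333BB9476C1ACF786A89"
               "?wicket:interface=:0:form::IFormSubmitListener::")
FORM_FIELDS = [  # (name, original value) in document order
    ("id1_hf_0", ""),
    ("msgInput", "[type your message to the world here]"),
]


def join_action(base_url, action):
    """Resolve a form action against the page URL.

    A reference starting with ';' (a path-parameter segment such as
    ';jsessionid=...') or '?' names the same resource as the page, so it
    is appended to the base path as-is; any ';params' or query the base
    already carries are dropped first so a stale session id is not kept.
    Everything else goes through the standard urljoin. The rule keys on
    the reference's shape, not the framework name (assumption: this is
    the generic fix the thread asks for).
    """
    if action.startswith((";", "?")):
        scheme, netloc, path, _query, _fragment = urlsplit(base_url)
        path = path.split(";", 1)[0] or "/"
        extra, _sep, query = action.partition("?")
        return urlunsplit((scheme, netloc, path + extra, query, ""))
    return urljoin(base_url, action)


def fuzzable_names(fields, ignored=(), ignored_patterns=()):
    """Names a fuzzer may mutate: exact names in `ignored` and names
    fully matching any regex in `ignored_patterns` are skipped."""
    patterns = [re.compile(p) for p in ignored_patterns]
    return [name for name, _value in fields
            if name not in ignored
            and not any(p.fullmatch(name) for p in patterns)]


def fuzzed_submissions(fields, payload, ignored=(), ignored_patterns=()):
    """One submission per fuzzable field. Every other field, ignored ones
    included, keeps its original value, so a field the server requires to
    stay empty (the hidden id1_hf_0 above) is still sent, just unchanged."""
    originals = dict(fields)
    subs = []
    for target in fuzzable_names(fields, ignored, ignored_patterns):
        body = dict(originals)
        body[target] = payload
        subs.append((target, body))
    return subs


if __name__ == "__main__":
    print("POST", join_action(PAGE_URL, FORM_ACTION))
    # Assumed ignore pattern for Wicket's hidden form marker (constructed).
    for target, body in fuzzed_submissions(FORM_FIELDS, "FUZZ",
                                           ignored_patterns=(r".*_hf_\d+",)):
        print(target, body)
```

With the sample form, `join_action` yields `http://localhost:8080/wicket-examples/echo/;jsessionid=...?wicket:interface=:0:form::IFormSubmitListener::`, keeping the trailing `/` of `/echo/` and placing the session id directly after it; the ignore list is applied by name or pattern, and the skipped hidden field is still transmitted with its original empty value, which is what the server expects.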