Guys, does anybody have time to code a new audit plugin that will find session fixation vulnerabilities?

Basically the plugin needs to:

- Read the current cookie parameter names, if any (PHPSESSID=... ; FOOBAR=...)
- Append the cookie parameter to the URL:
  * /the/url/?id=1&PHPSESSID=w3af-session-fixation
  * /the/url/?id=1&FOOBAR=w3af-session-fixation
- Analyze the response of each request, and see if there is a Set-Cookie header in the response with the w3af-session-fixation string.

I could do it, but I would rather delegate this task, as it is simple, and someone who is starting to develop in w3af can learn a lot by giving it a try.

Thanks!

Cheers,
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
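The three steps described in the message above (collect cookie names, append each as a query parameter carrying a marker value, check whether a Set-Cookie header reflects that marker) are shown here as a stand-alone Python example. This is added illustration, not w3af plugin code and not the author's implementation; it does not use the w3af plugin API. The `fetch` callback, the `fake_fetch` stand-in for an HTTP client, the host `example.test` and the cookie values are all constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Marker value from the message: a Set-Cookie that echoes it back means the
# server accepted a session identifier supplied by the client (session fixation).
MARKER = "w3af-session-fixation"


def cookie_names_from_header(cookie_header):
    """Step 1: extract parameter names from a request Cookie header
    such as 'PHPSESSID=abc123; FOOBAR=xyz'."""
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" in part:
            names.append(part.split("=", 1)[0].strip())
    return names


def build_probe_urls(url, cookie_names):
    """Step 2: for every cookie name, build the URL with name=MARKER appended
    to the existing query string. Returns {cookie_name: probe_url}."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    probes = {}
    for name in cookie_names:
        new_query = urlencode(query + [(name, MARKER)])
        probes[name] = urlunsplit(
            (parts.scheme, parts.netloc, parts.path, new_query, parts.fragment)
        )
    return probes


def set_cookie_reflects_marker(set_cookie_headers, name):
    """Step 3: True if any Set-Cookie header sets <name> to the marker value.
    Only the first 'name=value' pair of each header is the cookie itself;
    the rest (path, expires, ...) are attributes and are ignored."""
    for header in set_cookie_headers:
        first = header.split(";", 1)[0].strip()
        if "=" not in first:
            continue
        key, value = first.split("=", 1)
        if key.strip() == name and value.strip().strip('"') == MARKER:
            return True
    return False


def find_session_fixation(url, cookie_header, fetch):
    """Run all three steps. `fetch(url)` must return the list of Set-Cookie
    header values from the response (assumed interface). Returns the names
    of cookie parameters the server accepted from the query string."""
    vulnerable = []
    probes = build_probe_urls(url, cookie_names_from_header(cookie_header))
    for name, probe_url in probes.items():
        if set_cookie_reflects_marker(fetch(probe_url), name):
            vulnerable.append(name)
    return vulnerable


def fake_fetch(url):
    """Constructed stand-in for an HTTP client so the example runs offline.
    It models a server that adopts PHPSESSID from the query string (vulnerable)
    but always generates its own FOOBAR cookie (not vulnerable)."""
    query = dict(parse_qsl(urlsplit(url).query))
    headers = []
    if "PHPSESSID" in query:
        headers.append(f"PHPSESSID={query['PHPSESSID']}; path=/")
    headers.append("FOOBAR=server-generated-value; path=/")
    return headers


if __name__ == "__main__":
    # Constructed input: the URL and Cookie header the scanner observed.
    found = find_session_fixation(
        "http://example.test/the/url/?id=1",
        "PHPSESSID=abc123; FOOBAR=xyz",
        fake_fetch,
    )
    print("cookie parameters accepted from the URL:", found)
```

The check is deliberately narrow: a response that merely sets a cookie is not a finding, only one whose Set-Cookie carries back the exact marker for the same cookie name. That keeps the plugin from flagging every page that happens to issue a fresh session cookie.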