Andres,

Your suggestion will work alright as long as there is no word with two different meanings. That is, as long as there is no word which means something in one language and something completely different in another language. And I think that won't happen very often.
I have a suggestion for the new smartFill method. It will use the longest one and if they are both the same length, it will use the one that is first inside the string. So if we have "password" as field name we prefer the db name "pass" instead of "word".

    def smartFill(variable_name):
        # The name lists (long_alpha, ...), createRandAlpha/createRandNum and om
        # are the ones already used by core.data.fuzzer.formFiller.
        variable_name = variable_name.lower()

        handlers = [
            (long_alpha, (createRandAlpha, 7)),
            (short_alpha, (createRandAlpha, 3)),
            (long_number, (createRandNum, 5)),
            (short_number, (createRandNum, 2)),
            (date, (createRandNum, 1)),
            (password, (lambda x: 'w3af-FrAmEW0rK.', None)),
            (mail, (lambda x: 'w...@email.com', None)),
            (state, (lambda x: 'AK', None))
        ]

        value = None
        used_name_from_db = None

        for name_function, (custom_generator, length) in handlers:
            for name_in_db in name_function():
                if variable_name.count(name_in_db) or name_in_db.count(variable_name):
                    # new db name in variable
                    if value is None or len(name_in_db) > len(used_name_from_db):
                        # new db name longer: use it
                        used_name_from_db = name_in_db
                        value = custom_generator(length)
                    elif len(name_in_db) == len(used_name_from_db):
                        # new db name same length as old db name
                        # When we have abcdefg we prefer bcd instead of def
                        used_index = max(variable_name.find(used_name_from_db),
                                         used_name_from_db.find(variable_name))  # One of both is -1
                        new_index = max(variable_name.find(name_in_db),
                                        name_in_db.find(variable_name))  # One of both is -1
                        if new_index < used_index:
                            used_name_from_db = name_in_db
                            value = custom_generator(length)

        if value is None:
            # Well... nothing was found (this is bad!)
            # Its better to send numbers when nothing matches.
            value = createRandNum(4)
        else:
            dbg = 'SmartFilling parameter ' + variable_name + ' of form because matching with '
            dbg += used_name_from_db + ' value: ' + value
            om.out.debug(dbg)

        return value

cheers
floyd

PS: Andres, I'm still answering your other mail :)

________________________________
From: Andres Riancho <andres.rian...@gmail.com>
To: Floyd Fuh <floyd_...@yahoo.de>
CC: w3af-develop@lists.sourceforge.net
Sent: Monday, 21 December 2009, 13:09:13
Subject: Re: [W3af-develop] FormFiller

Floyd,

On Mon, Dec 21, 2009 at 9:04 AM, Floyd Fuh <floyd_...@yahoo.de> wrote:
> Hi Andres and list
>
>>> This time I have to disagree. I think that this is not an
>>> improvement, as we might find pages with text in German but parameter
>>> names in English; and the user would (with the best intentions) set
>>> the language to German and then the formFiller would fill the form in
>>> a wrong way.
> That's right, that's why I suggest that English should always be on and
> that's what the help info says on the side of the button.
>
> If you want we can disable the possibility to disable English.
>
>>> Another issue that I see is that maybe in a big application we
>>> have pages developed by different persons, one of them likes
>>> parameters in English and the other in German.
>
> That's correct. Then it should be set to German and English.
>
> The problem I see, is if we add a lot more languages, the form filler
> won't work anymore.
>
> An example:
>
> The word "address" in Polish is "adres". Of course this field should be
> filled with an address, let's say "londonstreet 10".
> But in German, the recipient of something is called "adressat". So this
> field should be filled with a name, like "Andres".
>
> But if we add Polish first, the formFiller will fill in a field named
> "adressat" with an address (because he found the Polish "adres"),
> instead of a name.
>
> I'm sure there are better examples, but I hope you see what I mean.
>
> What do you think?

So... let's change the algorithm a little bit to something like this:

    match = ''
    for word in word_list:
        for parameter in parameter_list:
            if word in parameter and len(word) > len(match):
                match = word

What do you think? With something like this we would be matching to the longest match, thus the problems you mention would disappear, right?
Cheers,

> cheers
> floyd
>
> ________________________________
> From: Andres Riancho <andres.rian...@gmail.com>
> To: Floyd Fuh <floyd_...@yahoo.de>
> CC: w3af-develop@lists.sourceforge.net
> Sent: Monday, 21 December 2009, 12:29:25
> Subject: Re: [W3af-develop] FormFiller
>
> Floyd,
>
> On Mon, Dec 21, 2009 at 5:26 AM, Floyd Fuh <floyd_...@yahoo.de> wrote:
>> Hi list
>>
>> I think I improved it again ;)
>>
>> I added a Language tab in configuration/miscellaneous, where you can
>> specify the language of the web application which is tested. This way the
>> form filler will only look for the words in the given language(s). I added
>> German and more languages should be added (we have English, German,
>> Spanish, Portuguese).
>
> This time I have to disagree. I think that this is not an
> improvement, as we might find pages with text in German but parameter
> names in English; and the user would (with the best intentions) set
> the language to German and then the formFiller would fill the form in
> a wrong way.
>
> Another issue that I see is that maybe in a big application we
> have pages developed by different persons, one of them likes
> parameters in English and the other in German.
>
> But your contribution was not useless! I added the parameter names
> in German to the SVN version of the formFiller. Thank you very much
> for your continuous contributions! =)
>
> PS: Please read the private email I sent you the other day
>
>> ATM the language option is only used for the form filler, but maybe it
>> could be used somewhere else as well?
>>
>> See the attached files core.data.fuzzer.formFiller and
>> core.controllers.miscSettings
>>
>> cheers
>> floyd
>>
>> ________________________________
>> From: Andres Riancho <andres.rian...@gmail.com>
>> To: Floyd Fuh <floyd_...@yahoo.de>
>> CC: w3af-develop@lists.sourceforge.net
>> Sent: Thursday, 17 December 2009, 17:10:23
>> Subject: Re: [W3af-develop] FormFiller
>>
>> Floyd,
>>
>> On Thu, Dec 17, 2009 at 12:18 PM, Floyd Fuh <floyd_...@yahoo.de> wrote:
>>> Hi list
>>>
>>> I had a look at the core.data.fuzzer.formFiller. Wouldn't it be better if
>>> a password field is always filled with the same value (for example
>>> w3af-FrAmEW0rK.)?
>>> Because sometimes you have to fill in the same password twice (for
>>> example in a register form). I did it for my local version and it works
>>> fine.
>>
>> That's a great idea! =)
>> I love these small modifications that make the framework a little
>> bit smarter =) If you have more of these, please let me know.
>>
>>> I attached the modified file
>>
>> I reviewed your code, and committed it without any modifications.
>> Thank you very much =)
>>
>>> cheers
>>> floyd
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
_______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
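
The longest-match rule discussed in this thread, with the earliest-position tie-break, as a stand-alone added example; it is not code from the thread or from w3af. The keyword lists, `classify` and `smart_fill` are hypothetical names with constructed data, and matching is done only in the keyword-inside-field direction, as in Andres's snippet.

```python
import random
import string

# Constructed keyword lists (assumption, not w3af's real database):
# category -> fragments that may appear inside a form field name.
KEYWORDS = {
    "address": ["address", "adres"],   # English, Polish
    "name": ["name", "adressat"],      # English, German "recipient"
    "password": ["pass", "pwd"],
    "text": ["word"],
}

def classify(field):
    """Return (category, keyword) for the longest keyword found in the field
    name; equal lengths go to the keyword that starts earliest. None if no hit."""
    field = field.strip().lower()
    best = None                        # ((-length, index), category, keyword)
    for category, words in KEYWORDS.items():
        for word in words:
            index = field.find(word)
            if index < 0:
                continue
            key = (-len(word), index)
            if best is None or key < best[0]:
                best = (key, category, word)
    return None if best is None else (best[1], best[2])

def smart_fill(field, rng=random):
    """Choose a value for a form field from its name."""
    hit = classify(field)
    if hit is None:                    # nothing matched: send digits
        return "".join(rng.choice(string.digits) for _ in range(4))
    category = hit[0]
    if category == "password":         # constant, so confirm fields agree
        return "w3af-FrAmEW0rK."
    if category == "address":
        return "londonstreet 10"
    if category == "name":
        return "Andres"
    return "".join(rng.choice(string.ascii_letters) for _ in range(7))

if __name__ == "__main__":
    for name in ("adressat", "adres", "password", "confirm_password", "qty"):
        print(name, classify(name), smart_fill(name))
```

Sorting on the pair (negative length, start index) makes the result independent of the order in which languages were added to the keyword lists.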