Martin,

    Were you able to code something? If you need some help, please let me know.

Cheers,

On Mon, Nov 23, 2009 at 6:39 PM, Martin Tartarelli
<martin.tartare...@gmail.com> wrote:
> Andres,
>
> 2009/11/23 Andres Riancho <andres.rian...@gmail.com>:
>> Guys,
>>
>>    Does anybody have time to code a new audit plugin that will find
>> session fixation vulnerabilities?
>
> I have 2 Saturdays....will this be enough? =)
>
>>
>>    Basically the plugin needs to:
>>
>> - Read the current cookie parameter names, if there are any (PHPSESSID=... ;
>> FOOBAR=...)
>>
>> - Append the cookie parameter to the URL:
>>    * /the/url/?id=1&PHPSESSID=w3af-session-fixation
>>    * /the/url/?id=1&FOOBAR=w3af-session-fixation
>>
>> - Analyze the response of each request, and see if there is a
>> set-cookie header in the response with the w3af-session-fixation
>> string.
>>
>>    I could do it, but I would rather delegate this task, as it is
>> simple, and someone that is starting to develop in w3af can learn a
>> lot by giving it a try.
>>
>
> If possible... I will try to develop this plugin
>
>>    Thanks!
>>
>> Cheers,
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>
> --
> Martin Tartarelli
> Linux User #476492
> http://owasp.org/index.php/Argentina
> --
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
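
The three steps quoted above (read the cookie names, append each one to the URL with the marker value, look for the marker in a Set-Cookie response header), as an added sketch that is not part of the original thread and is not w3af plugin code. It does not use w3af's plugin API; the `send` callable, the `fake_send` stand-in and the `target.example` host are assumptions constructed for the example.

```python
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MARKER = "w3af-session-fixation"  # marker value used in the thread

def cookie_names(cookie_header):
    """Names from a request Cookie header such as 'PHPSESSID=...; FOOBAR=...'."""
    pairs = (part.strip().partition("=") for part in cookie_header.split(";"))
    return [name for name, sep, _ in pairs if name and sep]

def probe_urls(url, names):
    """Yield (name, url) with name=MARKER appended to the existing query string."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    for name in names:
        yield name, urlunsplit(parts._replace(query=urlencode(query + [(name, MARKER)])))

def marker_cookies(set_cookie_headers):
    """Names of cookies whose value in a Set-Cookie header contains MARKER."""
    found = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue  # skip headers the parser rejects
        found += [k for k, morsel in jar.items() if MARKER in morsel.value]
    return found

def audit(url, cookie_header, send):
    """Return (cookie name, probe URL) for each probe whose response echoes MARKER."""
    return [(name, probe) for name, probe in probe_urls(url, cookie_names(cookie_header))
            if marker_cookies(send(probe))]

def fake_send(url):
    """Constructed stand-in for the HTTP client: returns Set-Cookie header values.
    Simulates an app that adopts PHPSESSID from the query string and ignores FOOBAR."""
    params = dict(parse_qsl(urlsplit(url).query))
    sid = params.get("PHPSESSID", "srv-generated-1")
    return ["PHPSESSID=%s; Path=/; HttpOnly" % sid, "FOOBAR=srv-generated-2; Path=/"]

if __name__ == "__main__":
    for name, probe in audit("http://target.example/the/url/?id=1",
                             "PHPSESSID=abc123; FOOBAR=xyz", fake_send):
        print("possible session fixation via %s: %s" % (name, probe))
```

An application that regenerates the session identifier instead of adopting the one supplied in the URL returns no finding, which is the `FOOBAR` case in the constructed responses.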
