Hi, Andres and all!Why do we check params type? Do you think it is possible that there will be such different URLs like:
http://site.ru/news.php?id=1 and http://site.ru/news.php?id=foo ?
I have seen your code in w3afCore.py. May be it will be better to add some option for it in misc-settings?
It is interesting idea, but how do you think it is possible that we will meet some vuln link in URL http://site.ru/news.php?id=1000 and not in URL http://site.ru/news.php?id=1? Do you know some real life examples?The problem that we could find here is that maybe... "?id=3855" has a link to a part of the application that is vulnerable, and we're not following that link because of our "101th decision".And in some point of view it is correct behavior. But very often these params are not "action" params which can make really different pages with different structure. Simply these pages differs in some text content.Yes, totally agree. I think that maybe these URLs should be compared based on their "structure" (outgoing links). If the contents of all the URLs with id=1 to id=100 link to (a,b,c) ; then we could safely (???) infer that id=101 to id=N are also going to link to (a,b,c) and that we're not missing anything important.
BTW, in Xcobra I used such method to compare targets:
def __hash__(self):
"""Hash magic method."""
params = self.params.keys()
params.sort()
url_hash = self.scheme + self.netloc + self.path \
+ "".join(params)
return hash(url_hash)
BTW2, In Acunetix same option of crawler looks like:
" Maximum number of variations - This option will specify the maximum
number of variations for a file. E.g. index.asp has a GET parameter
ID of which the crawler discovered 10 possible values of it from links
requesting index.asp with the ID set to a different value while
crawling. Each link is a variation. Each variation will appear under the
file in the Scan Tree during crawling.
" -- Taras -- "Software is like sex: it's better when it's free.", - Linus Torvalds.
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
_______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
