Hey developers

I'm currently writing a fuzzer plugin that mutates parameter names.

e.g.
http://example.com/index.php?id=5
can be mutated to
http://example.com/index.php?id[]=5

The variable id is then interpreted as an array
inside PHP, which could cause errors. :)

For example if someone has a script like this:

<?php
//if $_GET['id'] is an array this means (string)$_GET['id'] is "Array"
//and obviously there is no "<" in "Array"...
//strpos returns false if '<' is not in $_GET['id']
if(strpos($_GET['id'],"<") === false)
   someLibraryEchoBack($_GET['id']);
else
   echo "&lt; is not allowed";

function someLibraryEchoBack($value){
   if(is_array($value)){
      foreach($value as $key => $string)
         echo $string;
   }
   else
      echo $value;
}
?>

For example
http://example.com/index.php?id=<h2>A</h2>
returns response:
&lt; is not allowed

But
http://example.com/index.php?id[]=<h2>A</h2>
returns response (XSS):
<h2>A</h2>
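Added example (not the attached fuzzer.py and not w3af's createMutants/createAdvancedMutants): a stand-alone Python sketch of the parameter-name mutation described above. It takes a URL, and for every query parameter produces variants whose name has the mutant string appended (id -> id[]), prepended, replaced, or injected at each interior position; the function names, the "modes" and the default mutant "[]" are this example's own choices. Parameter names are emitted raw on purpose so the literal "[]" survives; values are re-encoded.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, quote


def mutate_name(name, mutant, mode):
    """Return the names obtained by applying `mutant` to `name` in one mode."""
    if mode == "append":          # id  -> id[]
        return [name + mutant]
    if mode == "prepend":         # id  -> []id
        return [mutant + name]
    if mode == "replace":         # id  -> []
        return [mutant]
    if mode == "inject":          # id  -> i[]d (every interior split point)
        return [name[:k] + mutant + name[k:] for k in range(1, len(name))]
    raise ValueError(f"unknown mode {mode!r}")


def mutate_param_names(url, mutant="[]",
                       modes=("append", "prepend", "replace", "inject")):
    """Yield one URL per (parameter, mode, mutated name), leaving values intact.

    Example: "http://example.com/index.php?id=5" with the default modes gives
    ...?id[]=5, ...?[]id=5, ...?[]=5 and ...?i[]d=5 (in that order).
    """
    parts = urlsplit(url)
    # keep_blank_values so "?id=" still counts as a parameter to mutate
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    mutants = []
    for i, (name, value) in enumerate(pairs):
        for mode in modes:
            for new_name in mutate_name(name, mutant, mode):
                new_pairs = list(pairs)
                new_pairs[i] = (new_name, value)
                # names stay raw (the "[]" must reach PHP unescaped);
                # values are percent-encoded again after parse_qsl decoded them
                query = "&".join(f"{n}={quote(v, safe='')}" for n, v in new_pairs)
                mutants.append(urlunsplit(parts._replace(query=query)))
    return mutants


if __name__ == "__main__":
    # constructed sample input, same URL as in the post
    for m in mutate_param_names("http://example.com/index.php?id=5"):
        print(m)
```

When several parameters are present, each one is mutated on its own while the others keep their original name, so the scanner can attribute a behaviour change (a PHP "Array" string, a warning, or a filter bypass as in the script above) to exactly one parameter.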

I had a look at the createMutants function. I added an additional
createAdvancedMutants function which is able to mutate names.
Additionally it is able to replace/prepend/append/inject mutant strings.

I attached the core.data.fuzzer.fuzzer.
What do you think? If you think this feature is useless, I'll just
integrate it into the fuzzer plugin.

All feedback is very much appreciated.

cheers 
floyd


Attachment: fuzzer.py
Description: Binary data

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop