Taras,

On Mon, Nov 22, 2010 at 11:58 AM, Taras <ox...@oxdef.info> wrote:
> Hi, Andres!
>
> Do you remember why we remove Content-Length from headers in
> createFuzzableRequestRaw for POST requests:
> core/data/request/frFactory.py
> ...
> def createFuzzableRequestRaw(method, url, postData, headers):
>    if not postData:
>        qsr = httpQsRequest.httpQsRequest()
>        qsr.setURL(url)
>        qsr.setMethod(method)
>        qsr.setHeaders(headers)
>        dc = urlParser.getQueryString(url)
>        qsr.setDc(dc)
>        return qsr
>    pdr = httpPostDataRequest.httpPostDataRequest()
>    pdr.setURL(url)
>    pdr.setMethod(method)
>    for header_name in headers.keys():
>        if header_name.lower() == 'content-length':
>            del headers[header_name]
>            ^^^
>    pdr.setHeaders(headers)
> ...
>
> It is really bad because some web servers ignore POST requests without this 
> header.

I'm not reading the code right now, but I'm guessing that we're
doing this because we're not trusting the content-length header value
provided by the user. I don't think that our requests are getting to
the server without a content-length, what might be happening is that
we're changing the header value to reflect what the user really put in
the post data.

> --
> Taras
> http://oxdef.info
>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
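The "drop the caller's Content-Length and recompute it from the real body" behaviour discussed above, as an added example in Python that is not w3af's own code; `prepare_post_headers`, `content_length_mismatch` and the sample header/data values are assumptions for illustration:

```python
"""Added example (not w3af code): normalise caller-supplied headers for a
POST request so the Content-Length on the wire always matches the encoded
body, and report any value the caller tried to set so it can be logged."""
from urllib.parse import urlencode


def prepare_post_headers(headers, post_data):
    """Return (new_headers, body_bytes, supplied_length).

    * Any caller-supplied Content-Length is removed whatever its case,
      and its value is returned so the caller can detect a mismatch.
    * The body is encoded first, then a correct Content-Length is set
      from the byte length of that exact body, so the server never sees
      a POST without the header or with a length that disagrees with it.
    The caller's dict is not mutated (the original loop deleted while
    iterating, which raises RuntimeError on Python 3 dict views).
    """
    body = urlencode(post_data, doseq=True).encode("utf-8")

    supplied = None
    cleaned = {}
    for name, value in headers.items():
        if name.lower() == "content-length":
            supplied = value
            continue
        cleaned[name] = value

    cleaned["Content-Length"] = str(len(body))
    cleaned.setdefault("Content-Type", "application/x-www-form-urlencoded")
    return cleaned, body, supplied


def content_length_mismatch(supplied, body):
    """True when a caller-supplied Content-Length disagrees with the body."""
    if supplied is None:
        return False
    try:
        return int(supplied) != len(body)
    except ValueError:
        return True  # non-numeric value is a mismatch too


if __name__ == "__main__":
    # Constructed sample: the caller sent a stale Content-Length of 3.
    sample_headers = {"Host": "example.test", "content-length": "3"}
    sample_data = {"user": "bob", "q": "a b"}
    hdrs, body, supplied = prepare_post_headers(sample_headers, sample_data)
    print(hdrs, body, content_length_mismatch(supplied, body))
```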

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
