Taras,
On Mon, Nov 22, 2010 at 11:58 AM, Taras <[email protected]> wrote:
> Hi, Andres!
>
> Do you remember why we remove Content-Length from headers in
> createFuzzableRequestRaw for POST requests:
> core/data/request/frFactory.py
> ...
> def createFuzzableRequestRaw(method, url, postData, headers):
>     if not postData:
>         qsr = httpQsRequest.httpQsRequest()
>         qsr.setURL(url)
>         qsr.setMethod(method)
>         qsr.setHeaders(headers)
>         dc = urlParser.getQueryString(url)
>         qsr.setDc(dc)
>         return qsr
>     pdr = httpPostDataRequest.httpPostDataRequest()
>     pdr.setURL(url)
>     pdr.setMethod(method)
>     for header_name in headers.keys():
>         if header_name.lower() == 'content-length':
>             del headers[header_name]
>             ^^^
>     pdr.setHeaders(headers)
> ...
>
> It is really bad because some web servers ignore POST requests without this
> header.
I'm not reading the code right now, but I'm guessing that we're
doing this because we're not trusting the content-length header value
provided by the user. I don't think that our requests are getting to
the server without a content-length; what might be happening is that
we're changing the header value to reflect what the user really put in
the post data.
> --
> Taras
> http://oxdef.info
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
_______________________________________________
W3af-develop mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-develop
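
Added example, not part of the original messages and not w3af code: it shows the two failure modes discussed in this thread, a stale Content-Length that truncates a modified POST body and a missing one that leaves the body unframed, next to the recomputed header. The function names, the host and the sample request are constructed for illustration.

```python
# Added illustration; function names are hypothetical, not w3af's API.

def strip_content_length(headers):
    """Copy of headers without Content-Length, matched case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() != 'content-length'}

def build_request(method, path, headers, body, recompute=True):
    """Serialise an HTTP/1.1 request, optionally recomputing Content-Length."""
    body = body.encode('utf-8') if isinstance(body, str) else body
    if recompute:
        headers = strip_content_length(headers)
        headers['Content-Length'] = str(len(body))  # length in bytes, not chars
    lines = ['%s %s HTTP/1.1' % (method, path)]
    lines += ['%s: %s' % (k, v) for k, v in headers.items()]
    return '\r\n'.join(lines).encode('ascii') + b'\r\n\r\n' + body

def body_seen_by_server(raw):
    """Body as read by a server that frames the request by Content-Length."""
    head, _, rest = raw.partition(b'\r\n\r\n')
    length = None
    for line in head.split(b'\r\n')[1:]:          # skip the request line
        name, _, value = line.partition(b':')
        if name.strip().lower() == b'content-length':
            length = int(value.strip())
    if length is None:
        return None   # unframed body: some servers ignore such a POST
    return rest[:length]

# Constructed sample: headers captured with the original body "id=1",
# then the body is replaced by a longer value, as a fuzzer would do.
captured = {'Host': 'example.test', 'content-length': '4',
            'Content-Type': 'application/x-www-form-urlencoded'}
fuzzed_body = 'id=1&comment=AAAAAAAAAAAAAAAA'

if __name__ == '__main__':
    stale = build_request('POST', '/form', captured, fuzzed_body, recompute=False)
    fixed = build_request('POST', '/form', captured, fuzzed_body)
    print('stale header   ->', body_seen_by_server(stale))
    print('recomputed     ->', body_seen_by_server(fixed))
```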