Taras,

On Mon, Nov 22, 2010 at 11:58 AM, Taras <ox...@oxdef.info> wrote:
> Hi, Andres!
>
> Do you remember why we remove Content-Length from headers in
> createFuzzableRequestRaw for POST requests:
> core/data/request/frFactory.py
> ...
> def createFuzzableRequestRaw(method, url, postData, headers):
>     if not postData:
>         qsr = httpQsRequest.httpQsRequest()
>         qsr.setURL(url)
>         qsr.setMethod(method)
>         qsr.setHeaders(headers)
>         dc = urlParser.getQueryString(url)
>         qsr.setDc(dc)
>         return qsr
>     pdr = httpPostDataRequest.httpPostDataRequest()
>     pdr.setURL(url)
>     pdr.setMethod(method)
>     for header_name in headers.keys():
>         if header_name.lower() == 'content-length':
>             del headers[header_name]
>             ^^^
>     pdr.setHeaders(headers)
> ...
>
> It is really bad because some web servers ignore POST requests without this
> header.
I'm not reading the code right now, but I'm guessing that we're doing this because we're not trusting the content-length header value provided by the user. I don't think that our requests are getting to the server without a content-length; what might be happening is that we're changing the header value to reflect what the user really put in the post data.

> --
> Taras
> http://oxdef.info
>

-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
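The behaviour Andrés describes, dropping whatever Content-Length the user supplied and recomputing it from the post data that is actually sent, as an added example that is not w3af's code. The function names, the sample headers and the sample body are constructed for illustration; the point it adds beyond the thread is that the length must be counted in encoded bytes, not characters, and that a user-supplied value can be checked against the body before it is discarded:

```python
"""Normalize user-supplied headers before building a POST request.

Added example, not w3af code. Any Content-Length the user supplied is
dropped (case-insensitively) and recomputed from the bytes that will
actually be sent, so the header on the wire always matches the body.
"""


def _as_bytes(post_data, encoding='utf-8'):
    """Encode a str body so the length is counted in bytes, as the server sees it."""
    if isinstance(post_data, str):
        return post_data.encode(encoding)
    return bytes(post_data)


def strip_content_length(headers):
    """Return a copy of headers without any Content-Length entry, whatever its case."""
    return {k: v for k, v in headers.items() if k.lower() != 'content-length'}


def build_post_headers(headers, post_data, encoding='utf-8'):
    """Return (headers, body) for a POST whose Content-Length matches post_data."""
    body = _as_bytes(post_data, encoding)
    out = strip_content_length(headers)
    out['Content-Length'] = str(len(body))
    return out, body


def content_length_mismatch(headers, post_data, encoding='utf-8'):
    """Return (supplied_value, actual_length) when the user's Content-Length
    disagrees with the body, or None when it is absent or correct."""
    actual = len(_as_bytes(post_data, encoding))
    for name, value in headers.items():
        if name.lower() != 'content-length':
            continue
        try:
            supplied = int(value)
        except ValueError:
            supplied = None  # a non-numeric value can never match
        if supplied != actual:
            return value, actual
    return None


if __name__ == '__main__':
    # Constructed sample input: a stale Content-Length left over from an
    # earlier request, and a body with a non-ASCII character (2 bytes in UTF-8),
    # so the character count (20) and byte count (21) differ.
    user_headers = {'content-length': '20',
                    'Content-Type': 'application/x-www-form-urlencoded'}
    post = 'user=abc&name=Andrés'
    print('mismatch:', content_length_mismatch(user_headers, post))
    hdrs, body = build_post_headers(user_headers, post)
    print(hdrs)
    print(body)
```

`strip_content_length` is the case-insensitive removal from the quoted code; `build_post_headers` is the step Andrés expects the HTTP layer to perform afterwards, so the request never leaves without the header.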