Taras,

    And what do you see on the wire? You might try to set up Burp Suite as a
transparent proxy listening on localhost:8888 and forwarding to your real
target; and then set w3af to localhost:8888.

Regards,
--
Andres Riancho

On Nov 25, 2010 at 6:06 a.m., "Taras" <ox...@oxdef.info> wrote:

Andres,

> > Do you remember why we remove Content-Length from headers in
createFuzzableRequestRaw f...
Hm, my tests on the *fresh* trunk version show that the bug is there :(
Steps to reproduce:
1. Create simple page with form (method=POST)
2. Run w3af on it with xss plugin enabled

Current result:
in output-http.txt we see

-------------------------------------
...
POST http://localhost/test.php HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; w3af.sf.net)
Host: localhost
Content-type: application/x-www-form-urlencoded

somefield=ryras
========================================Response 15 - Thu Nov 25 11:54:46 2010=======================================
HTTP/1.1 200 OK^M
Content-Length: 552^M
X-Powered-By: PHP/5.3.3-1ubuntu9.1^M
Vary: Accept-Encoding^M
...
-------------------------------------

If we grep the sources we can find the constructions adding this header in these
files:
data/url/xUrllib.py:                if h.lower() == 'content-length':
data/url/xUrllib.py:                headers[ 'content-length' ] = str(len(postdata))
data/url/xUrllib.py:            if i.lower() == 'content-length':
data/url/xUrllib.py:            msg = 'The response didn\'t contain a content-length header. Unable to return the'
data/url/handlers/logHandler.py:            if 'Content-length' in req.headers:
data/url/handlers/logHandler.py:                req.headers.pop('Content-length')
data/url/handlers/keepalive.py:                if not req.has_header('Content-length'):
data/url/handlers/keepalive.py:                    conn.putheader('Content-length', '%d' % len(data))

--
Taras
http://oxdef.info
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
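A way to answer the "what do you see on the wire?" question without a proxy, added here as an example that is neither w3af code nor from either poster: a throwaway local HTTP server records the POST exactly as received, while a hypothetical `logging_view` helper mimics a log handler that drops Content-Length before writing, as the grep output above shows logHandler.py doing. The `Capture` class, `post_and_compare`, and the `/test.php` URL on 127.0.0.1 are constructed for the example; the form field is the one from the log excerpt.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: one request per run; the handler stores what arrived on the wire.
WIRE = {}

class Capture(BaseHTTPRequestHandler):
    def do_POST(self):
        # Keys are stored as sent; lower-case them for a case-insensitive compare.
        WIRE["headers"] = {k.lower(): v for k, v in self.headers.items()}
        WIRE["body"] = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # silence the default access log on stderr

def logging_view(req):
    """Hypothetical log handler: the request headers with Content-Length dropped,
    the way the grep output above shows logHandler.py doing."""
    headers = {k.lower(): v for k, v in req.header_items()}
    headers.pop("content-length", None)
    return headers

def post_and_compare(body=b"somefield=ryras"):
    """POST once to a local capture server; report log view, Request object, wire."""
    server = HTTPServer(("127.0.0.1", 0), Capture)  # port 0: any free port
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    url = "http://127.0.0.1:%d/test.php" % server.server_address[1]
    req = urllib.request.Request(
        url, data=body, headers={"Content-type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        resp.read()
    worker.join()
    server.server_close()
    # Python 3 urllib adds Content-length to the Request object while sending,
    # so the object and the wire agree; only the log view lacks the header.
    sent = {k.lower(): v for k, v in req.header_items()}
    return {"logged": logging_view(req), "sent": sent,
            "wire": WIRE["headers"], "body": WIRE["body"]}

if __name__ == "__main__":
    r = post_and_compare()
    print("log view:", r["logged"].get("content-length"))
    print("wire    :", r["wire"].get("content-length"))
```

If the wire shows Content-Length while output-http.txt does not, the log file is the thing to distrust, not the request.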
