Hans,
On Fri, Feb 4, 2011 at 11:13 AM, Hans-Martin Münch
<[email protected]> wrote:
> Hi
> I'm currently playing a bit with w3af and WackoPicko
One more test web application! w0w, I'll have to install all of
those and give them a try with w3af and NeXpose. TODO_list_size += 1
> and used the spiderMan
> plugin to identify
> all pages. Reviewing the results of the discovery phase, I noticed that w3af
> didn't have all input fields in the
> list of fuzzable requests. Especially the values of the POST requests have
> not been parsed correctly.
Hmmm, strange.
> Example:
> POST request to passcheck.php (a page with a known command injection
> vulnerability) with the "password input field"
> resulted in an empty POST request.
> Here is the list of the fuzzable requests from w3af:
> The list of fuzzable requests is:
> - http://192.168.16.128 | Method: GET
> - http://192.168.16.128/passcheck.php | Method: POST
That sucks.
> - http://192.168.16.128/pictures/search.php | Method: GET | Parameters:
> (query="")
> Finished scanning process.
>
> I tried to localize the cause of the problem and I think I found it inside
> the "createFuzzableRequestRaw" method in the file frFactory.py.
> This method doesn't set the data container of the fuzzableRequest if the
> request correctly)
Are you sure? I think it's set here:

    try:
        dc = urlParser.getQueryString( 'http://w3af/?' + postData )
        pdr.setDc( dc )
    except:
        om.out.debug('Failed to create a data container that can store this data: "' + postData + '".')
    else:
        return pdr

> Anyone noticed the same problem?
I've seen similar things in the past, but we've fixed most of
them. Are you using the latest w3af version from the SVN server?
> WackoPicko (the vulnerable app I used during the test) can be found here:
> https://github.com/adamdoupe/WackoPicko
> Please let me know if you have any questions!
I have a couple, please read above. Thanks for the potential bug
report and the information :)
> Kind regards
> Hans-Martin
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> W3af-develop mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
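
An added example, not part of the original thread and not w3af code: it parses the fuzzable-request list in the format quoted above and compares it with requests captured while browsing through the proxy, reporting parameters the scanner did not list. The `name="value"` rendering of each parameter, the `password` field name and the captured requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Entry format as printed in the list quoted in the message above.
ENTRY = re.compile(r'^-\s+(?P<url>\S+)\s+\|\s+Method:\s+(?P<method>\w+)'
                   r'(?:\s+\|\s+Parameters:\s+\((?P<params>.*)\))?\s*$')
# Assumption: every parameter is rendered as name="value".
PARAM = re.compile(r'([^\s,="]+)="')


def parse_fuzzable_list(text):
    """Return {(method, url): set of parameter names} from the scanner output."""
    found = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            names = set(PARAM.findall(m.group('params') or ''))
            found[(m.group('method').upper(), m.group('url'))] = names
    return found


def missing_parameters(fuzzable_text, captured):
    """captured: (method, url, urlencoded_data) tuples seen by the proxy.
    Returns {(method, url): sorted parameter names the scanner did not list}."""
    listed = parse_fuzzable_list(fuzzable_text)
    gaps = {}
    for method, url, data in captured:
        # keep_blank_values: an empty field is still a fuzzable input.
        sent = {k for k, _ in parse_qsl(data, keep_blank_values=True)}
        lost = sent - listed.get((method.upper(), url), set())
        if lost:
            gaps[(method.upper(), url)] = sorted(lost)
    return gaps


# The list is copied from the message; the captured requests are constructed.
FUZZABLE = '''\
- http://192.168.16.128 | Method: GET
- http://192.168.16.128/passcheck.php | Method: POST
- http://192.168.16.128/pictures/search.php | Method: GET | Parameters: (query="")
'''
CAPTURED = [
    ('POST', 'http://192.168.16.128/passcheck.php', 'password=abc123'),
    ('GET', 'http://192.168.16.128/pictures/search.php', 'query='),
]

if __name__ == '__main__':
    for (method, url), names in missing_parameters(FUZZABLE, CAPTURED).items():
        print('%s %s: missing from fuzzable list: %s' % (method, url, ', '.join(names)))
```
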