Hans,
That's perfect man! The only improvement that I would suggest is based
on the fact that (as you may already know) there can be more than one
request/response associated with a vulnerability, so instead of:
details = self._history.read(i.getId()[0])
<store details to XML>
You should have something like:
for request_id in i.getId():
details = self._history.read( request_id )
<store details to XML>
Also, the XSD file should be updated. Do you think you could do that? Thanks!
Regards,
On Fri, Jul 1, 2011 at 2:25 PM, Hans-Martin Münch
<[email protected]> wrote:
> Hi
>
> I did the "request/response" thing just yesterday night. Please see the
> attached file (needs some additional testing, and I'm definitely no python
> pro ;-) )
>
> Regards
>
> Hans-Martin
>
> 2011/7/1 Adrien de Beaupre <[email protected]>
>>
>> Hi,
>>
>> I would like to suggest the following enhancements to the XML output
>> report.
>>
>> 1- In the w3afrun element add an attribute with the current w3af
>> version as follows:
>> <w3afrun start="1302267277" startstr="Fri Apr 08 08:54:37 2011"
>> xmloutputversion="1.00" version" 1.1 (from SVN server)" build"r4349">
>>
>> 2 - In the vulnerability element add the HTTP request and response for
>> each discovered issue as follows:
>> <vulnerability id="[15006]" method="POST" name="SQL injection
>> vulnerability" plugin="sqli" severity="High"
>> url="http://crackme.cenzic.com/Kelev/view/updateloanrequest.php";
>> var="txtAnnualIncome">
>> SQL injection in a MySQL database was found at: ,
>>
>> "http://crackme.cenzic.com/Kelev/view/updateloanrequest.php"using
>> HTTP method POST. The sent post-data was:
>> "...txtAnnualIncome=d'z"0...". This vulnerability was
>> found in the request with id 15006.
>> <httprequest>...
>> </httprequest>
>> <httpresponse>...
>> </httpresponse>
>> </vulnerability>
>>
>> Cheers,
>> Adrien
>>
>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2
>> _______________________________________________
>> W3af-develop mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> W3af-develop mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
W3af-develop mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-develop
