Hi, I wrote my master's thesis on penetration testing tools/vulnerability scanners and I noticed some problems with w3af (version 1.0-rc5) that cause false positives and false negatives. Unfortunately, I don't have the time nor the Python skills required to fix these myself, or I would have sent a patch.
- Only one input is used at a time, while in some cases (e.g. password and repeat password) it is required that both fields contain the same value. Because only one input is used, w3af will miss an SQL injection if the password is inserted into the database unvalidated.
- Some sites place the content of headers like Referrer and User-agent on a page. This behavior is vulnerable to XSS that is not detected by w3af.
- When the content of an input is used in a link (e.g. <a href="index.php?page=<script>alert('XSS');</script>...) or as the value of a text field (e.g. <input type="text" value="<script>alert('XSS');</script>...), this is detected as an XSS vulnerability while it is in fact harmless. It should be checked where the content of the input is and whether it is parsed by the browser.
- Related to the above suggestion: if the input is preceded by "> any HTML tag the input may be present in will be closed, "ensuring" the text does not appear in a tag and is thus parsed by the browser (it should still be checked whether the text is in a tag, because if the web application escapes or removes quotes, or replaces them by HTML entities, this does not work).
- Textareas are not used by w3af, only text fields (<input type="text").
- When an HTTP POST is sent to a page, the name/value pair of the submit button is not sent in this POST, only the other inputs; some pages check if a form is sent by checking if the name of the submit button is present in the HTTP POST.

Regards,
Frank van der Loo

W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
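Added example (not from the original message and not w3af's own code): building POST bodies from a form in the way the report asks for, i.e. including <textarea> controls, sending the submit button's name/value pair, and keeping linked fields such as password / repeat password equal. The form below is constructed for the example; the `linked` grouping is assumed to be supplied by the tester, since the message does not say how paired fields should be detected.

```python
# Added example, not w3af code. Extracts form controls (including textarea and
# submit buttons) and builds one POST body per injection point.
from html.parser import HTMLParser


class FormExtractor(HTMLParser):
    """Collect (name, default_value, kind) for every named control in the page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.controls = []      # (name, default_value, kind)
        self._textarea = None   # name of the textarea whose body is being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if tag == "input" and name:
            kind = (a.get("type") or "text").lower()
            self.controls.append((name, a.get("value") or "", kind))
        elif tag == "textarea" and name:
            self._textarea = name
            self.controls.append((name, "", "textarea"))
        elif tag == "button" and name and (a.get("type") or "submit").lower() == "submit":
            self.controls.append((name, a.get("value") or "", "submit"))

    def handle_data(self, data):
        if self._textarea is not None:
            # the textarea's existing text is its default value
            n, v, k = self.controls[-1]
            self.controls[-1] = (n, v + data, k)

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._textarea = None


def extract_controls(html):
    p = FormExtractor()
    p.feed(html)
    p.close()
    return p.controls


def build_requests(controls, payload, linked=()):
    """Yield (target_field, post_body) for every injectable control.

    linked: groups of field names that must always carry the same value
    (e.g. password / repeat password); one request covers the whole group.
    The first submit button's name/value pair is always included, as a browser
    would send it, so handlers that check for it see a real submission.
    """
    groups = [set(g) for g in linked]
    first_submit = next((n for n, _, k in controls if k == "submit"), None)
    covered = set()
    for target in [n for n, _, k in controls if k != "submit"]:
        if target in covered:
            continue
        same = next((g for g in groups if target in g), {target})
        covered |= same
        body = {}
        for name, default, kind in controls:
            if kind == "submit" and name != first_submit:
                continue  # a browser sends only the button that was clicked
            body[name] = payload if name in same else default
        yield target, body


# Constructed registration form, standing in for a scanned page.
FORM = """
<form method="post" action="register.php">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="password2">
  <textarea name="bio">hello</textarea>
  <input type="submit" name="register" value="Register">
</form>
"""


def build_all(payload="x' OR 1=1--"):
    controls = extract_controls(FORM)
    return dict(build_requests(controls, payload, linked=[("password", "password2")]))


if __name__ == "__main__":
    for target, body in build_all().items():
        print(target, body)
```

Each body carries the hidden csrf default, the textarea's existing text, and register=Register; the password request places the payload in both password fields at once, which is the case the message says a single-field scanner misses.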
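Added example (not from the original message and not w3af's own code): a context-aware reflection check for the XSS points above. Instead of grepping the response for the injected string, it parses the page and records whether each reflection lands in a text node (parsed as markup by the browser), in an attribute value, inside <script>/<style>, or in a comment. The breakout test from the message is run the same way: inject `">` plus the marker and see whether the marker now sits in a text node, which fails when the application entity-encodes the quote. The marker token and the response snippets are constructed for the example.

```python
# Added example, not w3af code. Classifies where a reflected marker ends up in
# the response, so a reflection inside href="..." or value="..." is not flagged
# as XSS while a reflection in page text (or after a successful "> breakout) is.
from html.parser import HTMLParser

MARKER = "w3afXSSmarker"  # assumed unique token the scanner injected


class ReflectionLocator(HTMLParser):
    """Record the syntactic context of every occurrence of the marker."""

    def __init__(self, marker):
        super().__init__(convert_charrefs=True)  # decode &quot; &gt; like a browser
        self.marker = marker
        self.contexts = []     # (context, detail) tuples
        self._raw_tag = None   # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        for name, value in attrs:
            # attribute values are entity-decoded by the parser, so an encoded
            # "> breakout still shows up here, inside the attribute
            if value and self.marker in value:
                self.contexts.append(("attribute", f"{tag}@{name}"))

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        if self.marker in data:
            # inside <script>/<style> the data is JS/CSS, not HTML markup
            self.contexts.append((self._raw_tag or "text", None))

    def handle_comment(self, data):
        if self.marker in data:
            self.contexts.append(("comment", None))


def reflection_contexts(html, marker=MARKER):
    p = ReflectionLocator(marker)
    p.feed(html)
    p.close()
    return p.contexts


def parsed_as_markup(html, marker=MARKER):
    """True only if some occurrence is in a text node, where tags contained in
    the payload would be interpreted by the browser."""
    return any(ctx == "text" for ctx, _ in reflection_contexts(html, marker))


# Constructed responses, standing in for what a target page might return.
RESPONSES = {
    # input placed in a link target: a plain grep flags it, the browser does not parse it
    "href": '<a href="index.php?page=' + MARKER + '">next</a>',
    # input placed in a text field value: harmless as-is
    "value": '<input type="text" value="' + MARKER + '">',
    # breakout probe "> + marker reflected verbatim: the tag is closed, marker is text
    "value_breakout": '<input type="text" value="">' + MARKER + '">',
    # same probe with quote and bracket entity-encoded by the app: still in the attribute
    "value_breakout_encoded": '<input type="text" value="&quot;&gt;' + MARKER + '">',
    # User-Agent header echoed into the page body: parsed as markup
    "header_echo": "<p>Your browser: " + MARKER + "</p>",
}


def run_scenarios():
    return {name: (reflection_contexts(html), parsed_as_markup(html))
            for name, html in RESPONSES.items()}


if __name__ == "__main__":
    for name, (ctx, exploitable) in run_scenarios().items():
        print(f"{name:24} {ctx} -> parsed as markup: {exploitable}")
```

A scanner that only checks `MARKER in response` reports all five as positive; the context check keeps the two attribute cases and the encoded breakout as negatives while still reporting the header echo and the successful breakout.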