Taras,
On Tue, Nov 15, 2011 at 10:25 AM, Taras <ox...@oxdef.info> wrote:
> Hi, all!
>
> Andres, when I have suggested this feature in w3af I didn't mean *full* REST
> specification support.
>
> Today a lot of web applications (especially based on frameworks like Django
> or in the old way by Apache mod_rewrite module) uses REST-like URLs e.g.:
>
> http://example.com/foo/bar/123
>
> In this URL we (not scanner) can see such parts as:
>
> * foo - controller name
> * bar - action name
> * 123 - parameter value
>
> From classic web spider point of view it looks like directory hierarchy - it
> is incorrect behavior! All these parts we need to fuzz!
Agreed, so we don't want to support REST, we want to support
mod_rewrite. Would that appreciation be correct?
> What I suggest to implement is rules for such URLs. It can be done as
> http-settings
> file option called "url-rules" (name is not important):
>
> /top/users/%s/view/%d/
> /controller/action/%d/
> ...
>
> %s and %d are special tokens which can be used by w3af to determine fuzz
> points.
I like the idea, but I would do it in a more configurable way.
Right now we have the "fuzzFileName" setting in w3af, which
enabled/disables what I explained in the initial email. In the future
I would like to see the following options:
* fuzzFileName (default: False)
* fuzzDirectories (default: False)
* url-rules (default: no filename with rules)
With this, when a user wants to fuzz all the "directories" in all
URLs he just enables "fuzzDirectories" and "fuzzFileName". If he wants
to have more control over which parts of the URL are actually fuzzed,
he can disable the previous ones and set the url-rules himself.
For the rules file, what I recommend is that we support parsing of
mod_rewrite and django rules (if possible) so that a developer can
simply copy/paste those rules into a file and point w3af into it.
In your example you put something like %s and %d. Do we care if
it's a string or a digit? Should the scanner change it's behavior
based on that?
Regards,
>
>> This email is just a conversation starter for defining how we're
>> going to deal with REST urls.
>>
>> REST, as described in [0], has two important moving parts:
>> 1- URLs that "look nice" (no parameters: /people/1/phones/23 )
>> 2- Heavy usage of HTTP methods like GET, POST, DELETE, PUT.
>>
>> The first question that I would ask myself is... do we want to
>> support 1 and 2? Only 1? What is really needed by our users?
>>
>> If we only want to implement #1, it should be easy enough, since
>> we already have something similar (see: mutantFileName.py). This
>> mutant, together with the fuzzer.py (more specifically
>> _createFileNameMutants) will behave like this:
>>
>> - Original URL: http://host.tld/foo/spam-eggs.jsp
>> - Input strings: [ '<script>alert(1)</script>', 'ping localhost']
>> - Output URLs:
>> * http://host.tld/foo/<script>alert(1)</script>-eggs.jsp
>> * http://host.tld/foo/spam-<script>alert(1)</script>.jsp
>> * http://host.tld/foo/ping%20localhost-eggs.jsp
>> * http://host.tld/foo/spam-ping%20localhost.jsp
>>
>> As you can see, it will split the filename using any character
>> that's not a letter and put the strings into those positions. If we
>> change this from just the filename into the whole path, it should work
>> and inject into each URL section.
>>
>> Please note that the current implementation only performs file
>> name fuzzing if misc-settings fuzzFileName is enabled (which is off by
>> default). Should we also think about this and potentially modify this
>> to true?
>>
>> Regarding #2 , I don't see a reason for it not to work with
>> w3af... but I could be mistaken. We should perform some tests to check
>> if w3af parses and correctly sends requests associated with forms that
>> use PUT, DELETE, etc. The meta-question here is... do we want w3af to
>> send requests that will "DELETE" stuff?
>>
>> Ok... that's enough for a conversation starter :) What do you guys
>> think?
>>
>> [0] http://microformats.org/wiki/rest/urls
>>
>> Regards,
>
>
> --
> Taras
> http://oxdef.info
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
