Hans,

On Mon, Dec 5, 2011 at 4:25 AM, Hans-Martin Münch <hansmartin.mue...@googlemail.com> wrote:
> Aaah, sorry, didn't have a look at it.
>
> Well, it solves most of the issues. The basic problem is that the XML definition
> of "character" doesn't include stuff like "\0".
>
> See: http://www.w3.org/TR/2006/REC-xml11-20060816/#NT-RestrictedChar
>
> The basic/common solution as far as I know is to encode the data in base64
> if this happens.
>
> I think replacing "\0" solves 98% of the cases without bothering the user,
> but there might be some scenarios where this is not the case.
> For example if you have a script that returns an image and is
> vulnerable to SQL injection. If the returned image contains a byte sequence
> which is interpreted as an invalid character, the XML validation will fail.

Understood, so what you're saying is that we should use the RE you have in your code instead of the replacement of the \0 character?

> Martin
>
> 2011/12/4 Andres Riancho <andres.rian...@gmail.com>
>>
>> Hans,
>>
>> On Sun, Dec 4, 2011 at 11:29 AM, Hans-Martin Münch
>> <hansmartin.mue...@googlemail.com> wrote:
>> > Dear Andres
>> >
>> > I finally found the solution for this issue. The problem with the characters
>> > was that they are not allowed in the XML standard, therefore CDATA won't
>> > do it. Instead I created a version that encodes the request/response as base64
>> > if one of the forbidden characters is in place. The base64 encoding can be
>> > checked with the attribute "base64" (see attached file).
>> >
>> > Unfortunately I was not able to test this 100% as I don't have a suitable
>> > test case in my environment. Can you send me a link to a test app/environment
>> > where this problem came up?
>>
>> I'm not sure, but I think that Javier Andalia fixed this issue a
>> while ago by adding the "escape_nulls" function to the xmlFile plugin.
>> That's NOT a complete solution because it's actually modifying the
>> data before storing it, but at least it gives a human the possibility
>> of reading the XML with a text / XML reader. If we used base64
>> (which was an option we analyzed when fixing this) it would be
>> necessary for the user to use special / third party software to read
>> the response.
>>
>> What do you think? What's better, the replacement of the \0 by
>> NULL, or the base64?
>>
>> Regards,
>>
>> > Kind regards
>> >
>> > Martin
>> >
>> > 2011/7/12 Andres Riancho <andres.rian...@gmail.com>
>> >>
>> >> What about CDATA in XML?
>> >>
>> >> On Tue, Jul 12, 2011 at 12:34 PM, Hans-Martin Münch
>> >> <hansmartin.mue...@googlemail.com> wrote:
>> >> > Hmmm, it looks like firefox and others have a problem with NULL bytes (%00)
>> >> > used in local file inclusion attacks. :-(
>> >> >
>> >> > The question is where this should be fixed: in the dump() function of the
>> >> > request/response object
>> >> > (as this function should return a string representation of the object)?
>> >> >
>> >> > Regards
>> >> > HansMartin
>> >> >
>> >> > 2011/7/12 Hans-Martin Münch <hansmartin.mue...@googlemail.com>
>> >> >>
>> >> >> I will do this ASAP
>> >> >>
>> >> >> 2011/7/12 Andres Riancho <andres.rian...@gmail.com>
>> >> >>>
>> >> >>> Hans,
>> >> >>>
>> >> >>> Please see attached file. This was generated by running the
>> >> >>> following command:
>> >> >>>
>> >> >>> ./w3af_console -s scripts/script-xml_output.w3af
>> >> >>>
>> >> >>> You need to have a running instance of the moth vm for this
>> >> >>> command to work and generate what I'm sending you; but the issue is
>> >> >>> that the XML seems to be "broken". You can open the XML with vi, joe,
>> >> >>> etc. (any console editor) BUT if you try to open it with something
>> >> >>> that really UNDERSTANDS XML (firefox output-w3af.xml) it will tell you:
>> >> >>>
>> >> >>> XML Parsing Error: not well-formed
>> >> >>> Location: file:///home/dz0/w3af/trunk/output-w3af.xml
>> >> >>> Line Number 330, Column 66:<br>../../../../../../../../../../../../../../../etc/passwd
>> >> >>>
>> >> >>> Could you please look into that?
>> >> >>>
>> >> >>> Regards,
>> >> >>>
>> >> >>> On Tue, Jul 12, 2011 at 11:51 AM, Andres Riancho
>> >> >>> <andres.rian...@gmail.com> wrote:
>> >> >>> > Hans,
>> >> >>> >
>> >> >>> > Sorry for the late response! I just reviewed the latest patch you
>> >> >>> > sent, and it looks very good. The only thing that I modified in both
>> >> >>> > the xsd and py file was the indentation: you used tabs (and 3-space in
>> >> >>> > some sections?) for indenting code, and we prefer 4-spaces. Congrats
>> >> >>> > on your first w3af contrib! :)
>> >> >>> >
>> >> >>> > http://sourceforge.net/apps/trac/w3af/changeset/4351/trunk/plugins
>> >> >>> >
>> >> >>> > Regards,
>> >> >>> >
>> >> >>> > On Sun, Jul 3, 2011 at 10:10 AM, Hans-Martin Münch
>> >> >>> > <hansmartin.mue...@googlemail.com> wrote:
>> >> >>> >> Hi Andres
>> >> >>> >>
>> >> >>> >> As promised, you can find the update for the XMLReport plugin attached
>> >> >>> >> to this mail.
>> >> >>> >>
>> >> >>> >> I tested it as well as I can, but I have to admit that I didn't have a
>> >> >>> >> test scenario where I had more than one request/response.
>> >> >>> >>
>> >> >>> >> I also updated the report.xsd file to reflect the changes. Please have a
>> >> >>> >> look. Please let me know if you have any suggestions/corrections/comments.
>> >> >>> >>
>> >> >>> >> Kind regards and keep up your really impressive work
>> >> >>> >>
>> >> >>> >> Martin (HansMartin is the complete first name)

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
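The two options the thread weighs, stripping NUL bytes versus base64-encoding the whole body and flagging it with a `base64` attribute, as an added Python 3 example that is not w3af's code and not the attached patch. It assumes a `<response>` element with a `base64="true"/"false"` attribute (the thread only says the attribute is named "base64"), the two sample bodies are constructed, and `null_replacement_is_enough` is a hypothetical stand-in for the thread's `escape_nulls`, not its real implementation. The check goes slightly beyond NUL: it treats anything that is not an XML 1.0 Char, or that XML 1.1 lists as RestrictedChar, or that is not valid UTF-8, as a reason to base64 the body.

```python
"""Choosing between NUL replacement and base64 when storing raw HTTP bodies
in an XML report (added example, not w3af's code)."""
import base64
import re
import xml.etree.ElementTree as ET

# Matches any code point that is either not an XML 1.0 "Char" (NUL, most C0
# controls, surrogates, U+FFFE/U+FFFF) or is an XML 1.1 "RestrictedChar"
# (the production the thread links to, which also covers U+007F-U+009F except
# NEL). Such characters cannot appear as element text, CDATA included.
_NOT_XML_SAFE = re.compile(
    r"[^\x09\x0A\x0D\x20-\x7E\x85\xA0-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

# Constructed sample bodies: an LFI-style response carrying a raw NUL, and the
# first bytes of a PNG (not valid UTF-8, and full of control characters).
TEXT_BODY = b"HTTP/1.1 200 OK\r\n\r\n<html>../../../../etc/passwd\x00</html>"
IMAGE_BODY = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"


def needs_base64(body: bytes) -> bool:
    """True if the body cannot be written verbatim as XML text content."""
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return True  # binary data such as an image: not even valid UTF-8
    return _NOT_XML_SAFE.search(text) is not None


def response_element(body: bytes) -> ET.Element:
    """Build <response base64="true|false">...</response>. Only bodies XML
    cannot carry are base64-encoded, so the common text case stays readable."""
    elem = ET.Element("response")
    if needs_base64(body):
        elem.set("base64", "true")
        elem.text = base64.b64encode(body).decode("ascii")
    else:
        elem.set("base64", "false")
        elem.text = body.decode("utf-8")  # ElementTree escapes <, > and & itself
    return elem


def body_from_element(elem: ET.Element) -> bytes:
    """Inverse of response_element: recover the exact original bytes."""
    text = elem.text or ""
    if elem.get("base64") == "true":
        return base64.b64decode(text)
    return text.encode("utf-8")


def roundtrip(body: bytes) -> bytes:
    """Serialise, re-parse with a real XML parser (the step Firefox failed on
    in the thread), and return the recovered body. A ParseError here means
    the report would be rejected by any strict XML consumer."""
    xml_bytes = ET.tostring(response_element(body), encoding="utf-8")
    return body_from_element(ET.fromstring(xml_bytes))


def null_replacement_is_enough(body: bytes) -> bool:
    """Hypothetical stand-in for escape_nulls: drop NUL bytes, escape markup,
    and see whether the result is still well-formed. False for the binary-body
    case Hans describes, where bytes other than NUL break the document."""
    escaped = (body.replace(b"\x00", b"")
                   .replace(b"&", b"&amp;")
                   .replace(b"<", b"&lt;"))
    try:
        ET.fromstring(b"<response>" + escaped + b"</response>")
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for sample in (TEXT_BODY, IMAGE_BODY):
        print(ET.tostring(response_element(sample), encoding="unicode"))
        print("null replacement enough:", null_replacement_is_enough(sample))
```

The trade-off Andres raises still holds: a base64 body needs decoding before a human can read it, so the flag is set per element rather than for the whole report, and a reader only has to decode the few elements that carry it.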