Andres,
>> For the second, tests have shown that our xss strings in audit plugin is not
>> always enough to find XSS. For example, I have such .htaccess:
>>
>> Options -MultiViews
>> RewriteEngine on
>> RewriteBase /
>> RewriteRule ^article/([^\/]+)$ news.php?id=$1 [L]
>>
>> and the vulnerable piece of code:
>>
>> <body>
>> <h1>News for<?php echo $id ?></h1>
>> <p>
>>
>> In this case XSS was not found because of the '&' character. So I have just
>> added a very simple test string:
>>
>> xss_tests.append(("<RANDOMIZE>\"'", [browsers.ALL, ]))
>
> Instead of doing this, have you tried to URL encode the payload
> (and specifically the '&') before using it as part of a path?
Hmmm, '&' is already encoded in the request (see mutantUrlParts.py).
Maybe it is because of how PHP processes it? In our xss_tests I see
one problem: each of them consists of too many special chars, which can
be filtered and produce different output in the response. To exploit XSS
it is usually enough to have <>()= plus a " or ' character. What I worry
about is that with such complex strings we can miss an existing flaw.
> I would keep the same name, no need to add a new "fuzzedUrlParts"
> string. I would simply keep using fuzzURLParts so that when someone
> performs a code grep they can easily find all related parts
> 647 if cf.cf.getData('fuzzURLParts'):
> 648 _fuzzable['fuzzedUrlParts'] = None
Fixed.
>
> In the future please try to use "moth" as your target test server so
> that we can easily merge those changes into our servers without
> changing the scripts or web apps
> 18 target
> 19 set target http://news/article/1
> 20 back
Ok, I forgot about it :( Fixed the test script and added PHP files to
testEnv/webroot/w3af/core/fuzzURLParts/
> All in all... as usual... GREAT work! Let's discuss these two or three
> open items we have left from this email and I'll merge to trunk.
>
> [0] http://sourceforge.net/apps/trac/w3af/changeset/4526 ,
> http://sourceforge.net/apps/trac/w3af/changeset/4536 ,
> http://sourceforge.net/apps/trac/w3af/changeset/4537 ,
> http://sourceforge.net/apps/trac/w3af/changeset/4567
>
>> --
>> Taras
>> http://oxdef.info
--
Taras
http://oxdef.info
_______________________________________________
W3af-develop mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-develop
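As an added example that is not part of this thread or of w3af's own code: a small Python model of the setup Taras describes (the .htaccess RewriteRule, PHP splitting the query string into $_GET, and the template echoing $id unescaped). It shows why a scanner marker that contains '&' never comes back whole even when the URL-part fuzzer percent-encodes it, while the short `<RANDOMIZE>"'` string does. The token w3af1234 (standing in for what <RANDOMIZE> expands to), the COMPLEX_MARKER string and the helper names are constructed for this example.

```python
"""Why a percent-encoded '&' in a rewritten path still breaks XSS detection.

Added example, not w3af code. It models three steps of the setup in the thread:
Apache decodes the request path before RewriteRule matching, substitutes the
captured segment into 'news.php?id=$1', and PHP then splits the query string
on '&'. A marker containing '&' therefore loses its tail before it is echoed.
"""
import re
from urllib.parse import quote, unquote

# Assumption: mirrors the rule from the thread,
#   RewriteRule ^article/([^\/]+)$ news.php?id=$1 [L]
REWRITE_RULE = (re.compile(r'^article/([^/]+)$'), r'news.php?id=\1')


def apply_rewrite(request_path: str):
    """Return (script, query_string) after mod_rewrite, or None if no rule matched.

    Apache matches RewriteRule against the *decoded* path, so %26 is already '&'
    when it is substituted into the query string (mod_rewrite's [B] flag exists
    precisely to re-escape backreferences; the rule above does not use it).
    """
    decoded = unquote(request_path.lstrip('/'))
    pattern, substitution = REWRITE_RULE
    match = pattern.match(decoded)
    if match is None:
        return None
    target = match.expand(substitution)
    script, _, query = target.partition('?')
    return script, query


def php_get(query_string: str) -> dict:
    """Minimal model of PHP's $_GET: split on '&', then on the first '=', urldecode."""
    params = {}
    for pair in query_string.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote(key)] = unquote(value)
    return params


def render_news(params: dict) -> str:
    """The vulnerable template from the thread: $id is echoed without escaping."""
    return '<body>\n<h1>News for%s</h1>\n<p>' % params.get('id', '')


def reflected_intact(marker: str) -> bool:
    """Send the marker as the path segment the way a URL-part fuzzer would
    (percent-encoded) and report whether it comes back whole in the response."""
    request_path = '/article/' + quote(marker, safe='')
    rewritten = apply_rewrite(request_path)
    if rewritten is None:
        return False
    _, query = rewritten
    body = render_news(php_get(query))
    return marker in body


# Constructed markers; 'w3af1234' stands in for what <RANDOMIZE> expands to.
COMPLEX_MARKER = 'w3af1234"\'<>&x'   # an '&' inside the marker, as in the longer xss_tests
SIMPLE_MARKER = 'w3af1234"\''        # the short string added in the thread


if __name__ == '__main__':
    for marker in (COMPLEX_MARKER, SIMPLE_MARKER):
        print(repr(marker), 'reflected intact:', reflected_intact(marker))
```

Running the model, the complex marker is cut at the '&' (PHP sees `id=w3af1234"'<>` plus an empty parameter `x`), so a scanner looking for the whole string reports nothing even though the page is clearly reflecting input; the simple marker survives the round trip. Client-side encoding cannot help here because the decoding happens on the server before the rewrite, which is the behaviour Taras observed with mutantUrlParts.py already encoding '&'.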