> All software has vulnerabilities, it's in their nature :)
Right.
> Don't really. As soon as the byte string enters w3af, the best
> thing to do is to decode it using the best encoding available (the one
> in Content-Encoding header, or some other we might have in the HTTP
> response) and after that all the rest of w3af's code simply forgets
> about encodings and uses the unicode string.
Cool.
> Vulnerable to what?
A forced crash. I can't see any validation of the incoming data. E.g.:
Is resp.code really an integer > 100 and < 900?
> We're not assuming that, if the response is not HTTP then httplib,
> or urllib, or urllib2 (don't really know which one) will fail and
> raise an exception.
That's my point. I would like to be sure about that. Because, for example, if
there will be additional C++ based code in w3af one day, and there are chances
to bypass filters or to cause exceptions, a Python exception could turn into a
really dangerous exploitable flaw in PyQt4 or Cython referenced code really
quickly.
> Could you explain this to me a little bit more? I tried to
> google for ChunkOfUnidentified or ChunkOfUnidentifiedData and found
> nothing.
http://docs.python.org/release/3.0.1/whatsnew/3.0.html#text-vs-data-instead-of-unicode-vs-8-bit
Regards,
Daniel
On 16.02.2012 at 14:26, Andres Riancho wrote:
> Daniel,
>
> On Thu, Feb 16, 2012 at 10:07 AM, Daniel Zulla
> <daniel.zu...@googlemail.com> wrote:
>> I have analyzed some closed source vulnerability scanners, and audited open
>> source scanners like skipfish.
>> Some of them are ironically vulnerable. Somebody may create an apache2
>> module that recognizes attacks in order to force penetration testers'
>> software to crash (or worse, e.g. to execute arbitrary code).
>
> All software has vulnerabilities, it's in their nature :)
>
>> errors=ignore or errors=replace may be a nice way to go, but - here are my
>> two cents:
>> Treating HTTP Responses as an "UnidentifiedChunkOfPossiblyMaliciousData" as
>> long as possible is definitely the right way to go.
>
> Don't really. As soon as the byte string enters w3af, the best
> thing to do is to decode it using the best encoding available (the one
> in Content-Encoding header, or some other we might have in the HTTP
> response) and after that all the rest of w3af's code simply forgets
> about encodings and uses the unicode string.
>
>> I haven't audited or reviewed the httplib, but the "from_httplib_resp"
>> method, looks extremely vulnerable:
>
> Vulnerable to what?
>
>> resp = httplibresp
>> code, msg, hdrs, body = (resp.code, resp.msg, resp.info(), resp.read())
>>
>> if original_url:
>>     url_inst = url_object(resp.geturl(), original_url.encoding)
>> else:
>>     url_inst = original_url = url_object(resp.geturl())
>>
>> charset = getattr(httplibresp, 'encoding', None)
>> return httpResponse(code, body, hdrs, url_inst,
>>                     original_url, msg, charset=charset)
>>
>> I am just skeptical about assuming that the response of a webserver is valid
>> HTTP.
>
> We're not assuming that, if the response is not HTTP then httplib,
> or urllib, or urllib2 (don't really know which one) will fail and
> raise an exception.
>
>> That's why I mentioned py3k - it's exactly how Python3 handles external data:
>> Everything is a ChunkOfUnidentified data until it gets converted to a
>> string. If it's a string, it's Unicode and everything is fine. If not,
>> everything breaks immediately.
>
> Could you explain this to me a little bit more? I tried to
> google for ChunkOfUnidentified or ChunkOfUnidentifiedData and found
> nothing.
>
>>
>> Regards,
>> Daniel
>>
>> On 16.02.2012 at 13:33, Andres Riancho wrote:
>>
>>> sends a string of bytes back to you in the HTTP response.
>>>
>>>> Do you have some code / a example where those exceptions usually appear in
>>>> the current w3af code?
>>>>
>>>> Regards,
>>>> Daniel
>>>>
>>>> On 15.02.2012 at 22:06, Javier Andalia wrote:
>>>>
>>>>> Hello Daniel,
>>>>>
>>>>> On Wed, Feb 15, 2012 at 5:11 PM, Daniel Zulla
>>>>> <daniel.zu...@googlemail.com> wrote:
>>>>>> What about switching over to Python3?
>>>>>> It solves the UnicodeDecodeException madness.
>>>>>
>>>>> Can you please be more specific? What exactly do you have in mind?
>>>>>
>>>>> Maybe I'm wrong, but the way I see it w3af would still
>>>>> receive/transmit encoded bytes so there's no way to skip the
>>>>> bytestring_to_unicode and unicode_to_bytestring conversions. Not even
>>>>> in py3k.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Javier
>>>>
>>>>
>>>
>>
>
>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
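The two checks Daniel asks for above (validate the status code before trusting it, keep the body as bytes until one decode with the declared charset, and fall back to a lossy decode instead of letting a bad byte crash the scanner), written up as an added Python 3 example. This is not w3af code and not from anyone in the thread; HttpResponse, from_untrusted and charset_from_headers are names chosen for this illustration.

```python
"""Defensive construction of a response object from untrusted HTTP data.

Added example, not w3af's from_httplib_resp: the status code is range-checked
before use, and the body stays bytes until it is decoded exactly once here.
"""
import re
from dataclasses import dataclass
from typing import Optional

CHARSET_RE = re.compile(r'charset\s*=\s*"?([\w.:-]+)"?', re.IGNORECASE)
FALLBACK_CHARSET = "utf-8"


@dataclass
class HttpResponse:
    code: int
    headers: dict
    body: str        # unicode from here on; callers never see bytes again
    charset: str     # charset actually used for the decode
    lossy: bool      # True if undecodable bytes were replaced with U+FFFD


def charset_from_headers(headers: dict) -> Optional[str]:
    """Return the charset declared in Content-Type (lower-cased), or None."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    m = CHARSET_RE.search(ctype)
    return m.group(1).lower() if m else None


def from_untrusted(code, headers: dict, body: bytes) -> HttpResponse:
    """Build a response, rejecting impossible status codes and decoding once."""
    # bool is a subclass of int, so exclude it explicitly; 100..599 is the
    # range a server can legitimately send.
    if not isinstance(code, int) or isinstance(code, bool) or not 100 <= code <= 599:
        raise ValueError(f"invalid HTTP status code: {code!r}")
    if not isinstance(body, (bytes, bytearray)):
        raise TypeError("body must be bytes until it is decoded here")
    charset = charset_from_headers(headers) or FALLBACK_CHARSET
    try:
        text, lossy = body.decode(charset, errors="strict"), False
    except (LookupError, UnicodeDecodeError):
        # Unknown or lying charset: decode lossily rather than crash the scanner,
        # and record that it happened so a plugin can treat the body with care.
        charset = FALLBACK_CHARSET
        text, lossy = body.decode(charset, errors="replace"), True
    return HttpResponse(code, dict(headers), text, charset, lossy)
```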