Hi and thanks for the interesting idea!

Andres, what do you think? Can we add appending the payload to the value *optionally*? The main problem, imho, is that in this case we need this option in all audit plugins, not only XSS.

P.S. Achim, nice User-Agent ;)

10.03.2012 02:36, Achim Hoffmann wrote:
> Hi Andrés, Taras,
>
> found a case where w3af failed to detect any XSS payload, even though the
> application is vulnerable to (almost) all of them.
> The reason seems to be that w3af replaces the value in a key=value
> parameter completely. But the application is only vulnerable if the
> value contains at least something useful.
>
> Example original parameter:
> key=value
>
> w3af then builds payloads like:
> key=d'kc"z'gj'"**5*(((;-*`)
> key=d'z"0
> key=<!--
>
> none of them triggered XSS; it should be at least:
> key=valued'kc"z'gj'"**5*(((;-*`)
> key=valued'z"0
> key=value<!--
>
> In my test case even the above would not detect XSS, because e.g.:
> key=value'><u>xss
> key=value"><u>xss
> key=value"onmouseover=alert(5);
>
> is not tested.
>
> This issue is interesting because we discussed it on the mailing list
> Subject: [W3af-develop] XSS ideas
> (see for example my mail on 16 feb 2012)
>
>
> IIRC the reason why w3af does not use more payloads is to reduce the
> amount of requests.
> I guess my examples prove that this approach results in false negatives.
>
>
> Hope this helps to improve w3af.
> Achim

-- 
Taras
http://oxdef.info

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
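The replace-versus-append mutation strategy discussed in this thread, as an added example that is not part of the mail exchange or of w3af's own code. The endpoint `constructed_app`, the helper names `mutants` and `scan`, and the rule "the value is only reflected if it still starts with the original text" are assumptions made here to model Achim's observation; the three payloads are the ones quoted in his mail. Run stand-alone, it shows the replace mode producing a false negative and the append mode finding all three reflections.

```python
"""
Added example (not w3af code): compare the "replace" and "append" payload
mutation strategies against a constructed reflecting endpoint.

Names here (mutants, constructed_app, scan) are hypothetical. The endpoint
models Achim's observation: the application only reflects the parameter
when the value still contains something useful (here, its original prefix).
"""
from urllib.parse import parse_qs, urlencode

# Payloads quoted from the mail.
PAYLOADS = [
    "d'kc\"z'gj'\"**5*(((;-*`)",
    "d'z\"0",
    "<!--",
]


def mutants(params, payload, mode):
    """Yield (param_name, mutated_params) for each parameter.

    mode == "replace": the original value is discarded (the w3af behaviour
    described in the mail). mode == "append": the payload is appended to the
    original value so a server-side check on that value still passes.
    """
    if mode not in ("replace", "append"):
        raise ValueError(f"unknown mode {mode!r}")
    for name, original in params.items():
        mutated = dict(params)
        mutated[name] = payload if mode == "replace" else original + payload
        yield name, mutated


def constructed_app(query_string):
    """Constructed stand-in for the vulnerable application (assumption).

    It echoes `key` into an HTML attribute without escaping, but only when
    the value starts with the expected text "value"; otherwise it renders an
    empty attribute, so a fully replaced value is never reflected.
    """
    key = parse_qs(query_string).get("key", [""])[0]
    if key.startswith("value"):
        return f"<input name=\"key\" value='{key}'>"
    return "<input name=\"key\" value=''>"


def scan(params, mode, app=constructed_app):
    """Send every payload in the given mode and return the (param, payload)
    pairs whose payload comes back verbatim in the response body."""
    hits = []
    for payload in PAYLOADS:
        for name, mutated in mutants(params, payload, mode):
            response = app(urlencode(mutated))
            if payload in response:
                hits.append((name, payload))
    return hits


if __name__ == "__main__":
    original = {"key": "value"}
    print("replace:", scan(original, "replace"))  # []  (false negative)
    print("append: ", scan(original, "append"))   # all three payloads reflected
```

The only difference between the two runs is whether the original value survives the mutation; the detection logic (`payload in response`) is identical, which is why Achim's examples show a false negative rather than a detection bug. In a real scanner the append mode roughly doubles the request count per parameter, which is the trade-off Taras raises above.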