I'll definitely take a look at the parameter pollution plugin, sounds
interesting and I haven't heard of that issue before.
I did look at the existing wordpress plugins and wasn't sure this would fit
into any of them. On second thought, it could probably be an extension to
wordpress_fingerprint since it is just fingerprinting themes and checking
for some vulnerabilities.
Thanks for pointing out the ria_enumerator plugin, I hadn't even noticed
it, it covers exactly the same issue I had written my plugin for. I had
kind of thought that the scope for the crossdomain.xml checking plugin I
had written was a little too narrow anyways.
On Wed, May 2, 2012 at 9:52 AM, Andres Riancho <andres.rian...@gmail.com>wrote:
> Stephen,
>
> Please read inline,
>
> On Tue, May 1, 2012 at 6:16 PM, Stephen Breen <breen.mach...@gmail.com>
> wrote:
> > Hi, I've recently started using the w3af scanner and love it!
>
> Always good to hear that :)
>
> > I'd like to
> > contribute some code to the project and am wondering how to go about
> this?
>
> A week ago or so I sent an email to the w3af-users and
> w3af-develop mailing list asking for contributors for writing an HTTP
> Parameter Pollution plugin:
>
> http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00911.html
>
> Maybe you want to start with that? I offer all my guidance with it :)
>
> > I've written 2 new discovery plugins; one is a wordpress theme auditor.
> Many
> > wordpress vulnerabilities are theme specific, this plugin finds the
> running
> > theme on a blog, attempts to find installed but not running themes by
> > enumerating popular theme names from a list and for any themes found,
> runs
> > tests to see if they are vulnerable to common vulnerabilities. Right now
> I
> > have all of the Woo themes in the theme list and it checks for a new
> > vulnerability that is common to all of them (WooThemes shortcode
> > vulnerability). It is very easy to extend to new themes and
> vulnerabilities
> > and I plan on adding more.
>
> That sounds great! Have you read our existing wordpress plugins?
> Ctrl+F wordpress here [0] and you might find some interesting stuff.
> In the meanwhile, why don't you send your code to this mailing list so
> we can all review it? I would recommend opening a new thread with
> subject "Wordpress vulnerability detection - WooThemes" or something
> similar.
>
> [0] https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/discovery
>
> > The second is another discovery plugin that looks for misconfigured adobe
> > crossdomain.xml files. Details on this problem can be found here
> >
> http://jeremiahgrossman.blogspot.ca/2008/05/crossdomainxml-invites-cross-site.html
>
> In this case, please take a look at [1] since we already have
> something in place but it might require an update / review on the
> techniques used.
>
> [1]
> https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/discovery/ria_enumerator.py
>
> > Thanks!
> >
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > W3af-develop mailing list
> > W3af-develop@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
