Ervis,
Taras has been busy these days and he won't be able to complete
the CSRF detection plugin for now, so I thought that you could help
out. So, the basic setup you need to have to work on this is:
* Download the latest code for the CSRF branch from the SVN: "svn co
https://w3af.svn.sourceforge.net/svnroot/w3af/branches/csrf/
w3af-csrf/"
* Download the latest test cases and store them in your local Apache
web root: "svn co
https://w3af.svn.sourceforge.net/svnroot/w3af/extras/testEnv/webroot/w3af/audit/xsrf/
xsrf-vulnerable"
* The code to review/fix is in "plugins/audit/xsrf.py" , take a look
at the thread for more info on what's wrong; but basically it is
detecting some of my test cases as vulnerable when in fact they are
NOT.
Let me know if you need any help, I'm working full-time on w3af this week :)
Regards,
On Mon, May 28, 2012 at 3:11 AM, Andres Riancho
<andres.rian...@gmail.com> wrote:
> Taras,
>
> Just because I'm a really bad person I just did this [0] and added 3
> more test cases to the CSRF section in moth. This three cases have
> random strings in the HTTP response bodies which could break some of
> the plugin's logic.
>
> Regards,
>
> [0] http://sourceforge.net/apps/trac/w3af/changeset/5027
>
> On Mon, May 28, 2012 at 12:34 AM, Taras <ox...@oxdef.info> wrote:
>> Andres,
>>
>> thanks for QA! I'll research why w3af here (audit/xsrf/) thought that it has
>> found CSRF :)
>>
>>
>> On 05/25/2012 09:21 PM, Andres Riancho wrote:
>>>
>>> Taras,
>>>
>>> Testing of the CSRF plugin gave the following results:
>>>
>>> - Did minor changes to the code
>>>
>>> - During a scan to moth I found these:
>>> [Fri 25 May 2012 08:46:27 PM MSK] Cross Site Request Forgery has been
>>> found at:
>>> http://192.168.153.136/w/mod_security/w3af/audit/xss/dataReceptor2.php.
>>> This vulnerability was found in the request with id 2013.
>>> [Fri 25 May 2012 08:46:27 PM MSK] Cross Site Request Forgery has been
>>> found at:
>>> http://192.168.153.136/w/mod_security/w3af/audit/xss/dataReceptor2.php.
>>> This vulnerability was found in the request with id 2016.
>>> [Fri 25 May 2012 08:46:27 PM MSK] Cross Site Request Forgery has been
>>> found at:
>>> http://192.168.153.136/w/mod_security/w3af/audit/xss/dataReceptor2.php.
>>> This vulnerability was found in the request with id 2019.
>>>
>>> Which seem to be duplicates?
>>>
>>> - None of the findings looked like false positives
>>>
>>> - Added a test case where we shouldn't find a CSRF vulnerability to
>>> moth [0] , scanned it and found CSRF vulnerabilities:
>>>
>>> [Fri 25 May 2012 09:19:23 PM MSK] Cross Site Request Forgery has been
>>> found at: http://192.168.153.136/w/w3af/audit/xsrf/buy.php. This
>>> vulnerability was found in the request with id 9.
>>> [Fri 25 May 2012 09:19:23 PM MSK] Cross Site Request Forgery has been
>>> found at: http://192.168.153.136/w/w3af/audit/xsrf/buy.php. This
>>> vulnerability was found in the request with id 17.
>>>
>>> Which is no good :(
>>>
>>> All right, enough work for today!
>>>
>>> [0] http://sourceforge.net/apps/trac/w3af/changeset/5021
>>>
>>> Regards,
>>>
>>> On Wed, Apr 25, 2012 at 7:40 PM, Andres Riancho
>>> <andres.rian...@gmail.com> wrote:
>>>>
>>>> Great job dude! I'll do some more QA and add unit-tests to it later
>>>>
>>>> On Wed, Apr 25, 2012 at 12:38 PM, Taras<ox...@oxdef.info> wrote:
>>>>>
>>>>> Done! Now in csrf branch only new CSRF plugin needs QA.
>>>>>
>>>>>
>>>>> On 04/24/2012 10:42 PM, Andres Riancho wrote:
>>>>>>
>>>>>>
>>>>>> Taras,
>>>>>>
>>>>>> Nice! Could you please merge it to the trunk?
>>>>>>
>>>>>> I'll write a nice unit-test for it tomorrow.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> On Tue, Apr 24, 2012 at 1:46 PM, Taras<ox...@oxdef.info> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Andres,
>>>>>>>
>>>>>>> done [0]!
>>>>>>>
>>>>>>> [0] https://sourceforge.net/apps/trac/w3af/changeset/4940
>>>>>>>
>>>>>>> --
>>>>>>> Taras
>>>>>>> http://oxdef.info
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Taras
>>>>> http://oxdef.info
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Taras
>> http://oxdef.info
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
