Taras,
On Sat, Jun 9, 2012 at 9:39 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> in my branch I have added analyzeResponseBody user configurable
> parameter into globalRedirect plugin [0]. My point is that usually check
> for 301/302 redirect is enough to detect globalredirect and we don't
> really need to analyze with regex response body for meta-tags and
> JavaScript (regex is always slow gear). But for **backward
> compatibility** default value for this option is **True**. So from
> default behavior of w3af here will remain the same. Merge with the trunk?
It seems that I'm always against your ideas, but I just need to
understand things and that's why I always ask: "Why?" Have you noticed
that this particular regular expression / plugin was slow? Is this a
performance improvement or is there something else that we need to
know? If its just because of the performance improvement, I would
recommend changing from the regular expression that matches the
scripts:
self._scriptre = re.compile('< *script.*?>(.*)< */ *script *>',
re.IGNORECASE | re.DOTALL )
To response.getDOM() and then applying some XPATH to the dom
object in order to find/retrieve the script text. Another way would be
to rewrite the regular expression (maybe add a ? after the "< *" in
order to speed it up a little bit.
My point is that if the problem is performance, we better fix it
instead of disabling the part that brings us problems. Also, users
disabling this would miss some vulnerabilities without knowing why
(unless they read the code).
Regards,
> [0]
> http://w3af.svn.sourceforge.net/viewvc/w3af/branches/oxdef/plugins/audit/globalRedirect.py?revision=5083&view=markup
> --
> Taras
> http://oxdef.info
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
