Taras,
On Sun, Jun 10, 2012 at 12:51 PM, Taras <ox...@oxdef.info> wrote:
> Andres, please read in-line.
>
>
>>> in my branch I have added analyzeResponseBody user configurable
>>> parameter into globalRedirect plugin [0]. My point is that usually check
>>> for 301/302 redirect is enough to detect globalredirect and we don't
>>> really need to analyze with regex response body for meta-tags and
>>> JavaScript (regex is always slow gear). But for **backward
>>> compatibility** default value for this option is **True**. So from
>>> default behavior of w3af here will remain the same. Merge with the trunk?
>>
>>
>> It seems that I'm always against your ideas,
>
> You have also noticed it!:)
:) Don't get mad at me, I'm very critical of everything; which creates
some enemies along the path but also helps the ones that can take the
criticism be better in their technical work; or make me better by
telling me I was wrong!
>
>> but I just need to understand things and that's why I always ask: "Why?"
>> Have you noticed that this particular regular expression / plugin was
>> slow?
>
> In one of my tests I saw in console output that this plugin takes too much
> time to work. So I decided that it is because of regex. I could be mistaken.
Without looking too much into it, I would say that this plugin has two
sources of CPU usage:
* dp = dpCache.dpc.getDocumentParserFor( response )
* res = self._scriptre.search( response.getBody() )
The document parsing (in my experience) will take more time than the re.search
Either way, your proposal removed both of those ;)
>
>> Is this a performance improvement or is there something else that we need
>> to
>> know? If its just because of the performance improvement, I would
>> recommend changing from the regular expression that matches the
>> scripts:
>>
>> self._scriptre = re.compile('< *script.*?>(.*)< */ *script *>',
>> re.IGNORECASE | re.DOTALL )
>>
>> To response.getDOM() and then applying some XPATH to the dom
>> object in order to find/retrieve the script text. Another way would be
>> to rewrite the regular expression (maybe add a ? after the "< *" in
>> order to speed it up a little bit.
>
>
> HTTP 30x response and meta-tags are **standard and stable things**
Agreed,
> that w3af can use and take information from it easily.
Mostly agree, but take into account that in order to extract the meta
redirs you need to parse the document and that takes CPU time (see
above comment)
> In same time with
> parsing of JavaScript with regex it is always possible to have false
> positive errors.
Also agreed, parsing JS is a bad idea; but it is the best we can do for now :(
>
>> My point is that if the problem is performance, we better fix it
>> instead of disabling the part that brings us problems. Also, users
>> disabling this would miss some vulnerabilities without knowing why
>> (unless they read the code).
>
> Default value is True. So users will change it if they understand what they
> do. I only wanted to have control over how deep this check should be (like
> with grep.domXSS).
Still don't like it. Give me some time and I'll improve the plugin somehow.
Regards,
>
>>
>> Regards,
>>
>>> [0]
>>>
>>> http://w3af.svn.sourceforge.net/viewvc/w3af/branches/oxdef/plugins/audit/globalRedirect.py?revision=5083&view=markup
>>> --
>>> Taras
>>> http://oxdef.info
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3af-develop@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>>
>>
>>
>
>
> --
> Taras
> http://oxdef.info
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
