Taras,

On Mon, Jun 25, 2012 at 9:39 AM, Taras <ox...@oxdef.info> wrote:
>
>> Just wanted to let you know what's new with w3af these days :)
>>
>> * Taras is working on improving the XSS detection with the aim of
>> increasing accuracy and reducing the number of HTTP requests
>
> The PoC is finished and available in the xss branch. Working on
> stabilization and tests. It uses the concept of context detection and
> breaking out of it. plugins/tests/test_xss.py passes.

Thanks for the update! A review of the new code:

* context.py:

  - There are a lot of locations where something similar to this is done:
    "if data.lower().rfind('<script')". What if the tag is in upper-case?
    Or what about cases like "< script"? Are we applying this logic after
    the lxml parser that sanitizes this? If so, does it make sense to work
    with that version of the response or with the original version that
    came from the network?

  - While reading, testing and analyzing the code I migrated the unittests
    to a different module in core/data/contexts/tests/. If you want to see
    the test output when running them with nosetests you can use the -s
    flag, which will allow you to see any debug "print" that you put in.
    Please "svn up" ASAP so you get these changes and can work on top of
    them.

  - The code worked amazingly well, even with some broken HTML tests that
    I tried!

  - Have you checked with WAVSEP's XSS examples to see if we have all the
    contexts required to pass those tests? I've looked at the list of all
    available contexts in context.py and it seems very detailed, but maybe
    they have something else.

  - Just for clarity I would rename Comment() to HTMLComment().

  - Add more tests to test_context.py. The code seems VERY good... I tried
    to make it fail and only succeeded in one "strange" test case! (see
    test_payload_script_single_quote). Congrats!

  - In "Text(HtmlContext)", shouldn't can_break have both < and >?

* xss.py:

  - In all places where something like this is done:

        oldValue = mutant.getModValue()
        mutant.setModValue(rndNum)
        ...
        # restore the mutant values
        mutant.setModValue(oldValue)

    I think that it would be possible to do something like:

        mutant = mutant.copy()

    and then NOT restore the value. Not confirmed, please verify.

  - Not sure if I would keep _is_echoed(); maybe simply start testing?
    Maybe the application doesn't echo the value if it is alphanumeric,
    but it will echo it if it has special characters? I've seen this in
    many apps:

        if input_is_fine(input):
            process(input)  # no xss here
        else:
            print "Invalid input", input  # xss here!

  - Liked _search_simple_xss(); it should catch 80% of the XSS vulns.

  - If we remove is_echoed(), we would end up with 5 HTTP requests per
    parameter, correct? 1 for simple_xss and 4 for the payloads?

  - Is there any way to prove (and add it to a unittest) that the payloads
    in xss.py are covering all cases of can_break in context.py?

The whole code ended up being very nice. What I'm thinking about now is the
possibility of having two plugins, one for persistent XSS and one for
reflected XSS. That would allow us to have nicer code in both. What do you
think? (no real need to do this now)

>> * I'm working on a *huge* refactoring that will allow us to run more
>> than one plugin at the same time in different threads; which should
>> drastically increase scanning speed
>> * I've completed the new error handling for plugins a couple of weeks
>> ago and users should be already benefiting from it
>
> + Taras is also working on web20Spider, which gives w3af the possibility
> to at least crawl modern web apps with heavy usage of AJAX. I think the
> PoC will be finished in the next few days. I use PhantomJS/CasperJS for
> browser iterations. Currently the code can crawl the states of a web app
> (clicks on a and img objects).

Which branch? What's the environment needed to test this?

>
>> As you can see from the SVN timeline [0] there is a lot of action
>> going on. Want to join?
>> Let me know and I'll help you with the first steps,
>>
>> [0] http://sourceforge.net/apps/trac/w3af/timeline?from=06%2F25%2F12&daysback=30&changeset=on&update=Update
>>
>> Regards,
>
> --
> Taras
> http://oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
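Added example, not part of the thread above and not w3af's own context.py or xss.py: a minimal Python version of the "detect the context, then break out of it" approach under review. A harmless alphanumeric token is sent first; a small hand-written state machine walks the raw response (the version that came from the network, not an lxml-sanitized one) up to the reflection to decide which context it landed in, and then only the break probe for that context is sent and checked for a byte-for-byte reflection. "<script" is matched case-insensitively, while "< script" is deliberately left as text because browsers tokenize it that way. uncovered_contexts() is the kind of check that can prove a payload list covers every can_break. The context names, the CAN_BREAK table, the sample pages, the kq8s3z token and the scan() helper are all assumptions of this example.

```python
import html as html_lib
import re

# Tag names match case-insensitively ("<SCRIPT", "<Script"); whitespace after
# '<' is not allowed because browsers tokenize "< script" as literal text.
SCRIPT_OPEN = re.compile(r'<script\b', re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r'</script\s*>', re.IGNORECASE)
TAG_OPEN = re.compile(r'</?[a-zA-Z]')
QUOTE = {'attr_dq': '"', 'attr_sq': "'", 'script_dq': '"', 'script_sq': "'"}

# Per context, what must be reflected unencoded for an injected value to
# escape it (this example's stand-in for a context's can_break).
CAN_BREAK = {
    'html_text': ['<', '>'],
    'html_comment': ['-->'],
    'tag_inside': ['>'],            # between attributes, outside any value
    'attr_dq': ['"'],
    'attr_sq': ["'"],
    'attr_unquoted': [' ', '>'],
    'script_text': ['</script>'],
    'script_dq': ['"'],
    'script_sq': ["'"],
}

def detect_context(page, token):
    """Context of the first reflection of `token`, or None if it is not echoed.
    A small state machine walks the raw response up to the reflection."""
    idx = page.find(token)
    if idx == -1:
        return None
    state, in_script_tag, i = 'html_text', False, 0
    while i < idx:
        c = page[i]
        if state == 'html_text' and page.startswith('<!--', i):
            state, i = 'html_comment', i + 4
        elif state == 'html_text' and TAG_OPEN.match(page, i):
            in_script_tag = bool(SCRIPT_OPEN.match(page, i))
            state, i = 'tag_inside', i + 1
        elif state == 'html_comment' and page.startswith('-->', i):
            state, i = 'html_text', i + 3
        elif state == 'tag_inside' and c == '>':
            state, i = ('script_text' if in_script_tag else 'html_text'), i + 1
            in_script_tag = False
        elif state == 'tag_inside' and c == '=':   # an attribute value follows
            j = i + 1
            while j < idx and page[j].isspace():
                j += 1
            quote = page[j] if j < idx and page[j] in '"\'' else None
            state = {'"': 'attr_dq', "'": 'attr_sq', None: 'attr_unquoted'}[quote]
            i = j + 1 if quote else j
        elif state in ('attr_dq', 'attr_sq') and c == QUOTE[state]:
            state, i = 'tag_inside', i + 1
        elif state == 'attr_unquoted' and (c.isspace() or c == '>'):
            state = 'tag_inside'                   # re-read c so '>' closes the tag
        elif state == 'script_text' and SCRIPT_CLOSE.match(page, i):
            state, i = 'html_text', SCRIPT_CLOSE.match(page, i).end()
        elif state == 'script_text' and c in '"\'':
            state, i = ('script_dq' if c == '"' else 'script_sq'), i + 1
        elif state in ('script_dq', 'script_sq') and c == '\\':
            i += 2                                 # skip an escaped JS character
        elif state in ('script_dq', 'script_sq') and c == QUOTE[state]:
            state, i = 'script_text', i + 1
        else:
            i += 1
    return state

def break_payload(context, token):
    """Probe for one context: its break sequences wrapped in the token."""
    return token + ''.join(CAN_BREAK[context]) + token

def is_breakable(response, payload):
    """Breakable only if the probe comes back byte-for-byte (nothing encoded)."""
    return payload in response

def uncovered_contexts(payloads):
    """Contexts no payload can break out of; a unit test should assert []."""
    return sorted(ctx for ctx, seqs in CAN_BREAK.items()
                  if not any(all(s in p for s in seqs) for p in payloads))

# Constructed pages standing in for a web app (not from any real site);
# `encode` switches HTML-encoding of the reflected value on or off.
TEMPLATES = {
    'attr': '<input name="q" value="{v}"><SCRIPT>var a = 1;</SCRIPT>',
    'js': '<Script type="text/javascript">var q = \'{v}\';</Script>',
    'comment': '<body><!-- last search: {v} --><p>results</p></body>',
    'text': '<body>< script is not a tag. You searched for: {v}</body>',
}

def render(template, value, encode):
    return TEMPLATES[template].format(v=html_lib.escape(value) if encode else value)

def scan(template, encode, token='kq8s3z'):
    """Two requests per parameter: learn where a harmless token lands, then
    send only the break probe for that context instead of every payload."""
    ctx = detect_context(render(template, token, encode), token)
    if ctx is None:
        return None, False
    probe = break_payload(ctx, token)
    return ctx, is_breakable(render(template, probe, encode), probe)
```

scan('attr', encode=False) returns ('attr_dq', True), while scan('attr', encode=True) returns ('attr_dq', False): the double quote came back as &quot;, so the attribute value cannot be broken out of. Two requests per parameter instead of one plus a full payload list is the saving the approach is after; the trade-off is that a reflection the state machine misclassifies gets the wrong probe, which is why feeding broken-HTML cases into the context tests matters.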