Taras,

On Wed, Jun 27, 2012 at 3:56 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
>
>>> Upper case tag is ok. HTML is not case sensitive (because of it I use
>>> lower() everywhere in the code) and yes, here I need raw body from
>>> response.
>>> I use response.getBody(). Does this method return clear body without lxml
>>> changes?
>>
>>
>> Yes, it will return the HTTP response body that came from the network
>> after it was decoded using the charset specified in the HTTP response
>> body.
>
> So looks like no problem with it :)
>
>
>>>>         - In "Text(HtmlContext)", shouldn't can_break have both '<'
>>>>           and '>' ?
>>>
>>>
>>> Nope, because we can change context having only '<', e.g. insert
>>>
>>>    <hr onmouseover="alert(1)"/
>>>
>>> and browser will eat it and render hr!
>>
>>
>> Ahh! Nice. That works in all browsers?
>
> At least in Firefox, Opera and Chrome!
>
>
>>>
>>>>     * xss.py
>>>>
>>>>         - In all places where something like this is done:
>>>>             oldValue = mutant.getModValue()
>>>>             mutant.setModValue(rndNum)
>>>>             ...
>>>>             # restore the mutant values
>>>>             mutant.setModValue(oldValue)
>>>>
>>>>         I think that it would be possible to do something like:
>>>>              mutant = mutant.copy()
>>>>
>>>>         And then DON'T restore the value. Not confirmed, please verify.
>>>
>>>
>>> What is advantage of using mutant.copy()?
>>
>>
>> Less lines of code. Clearer code.
>
> What about resources usage (memory)?

The new object only lives in memory for the scope of the
function/method where you're using it, so no problem there.

>
>>> I don't think that it will have real advantages over keeping XSS
>>> detection logic in one place.
>>
>>
>> Maybe it's because I'm thinking about rewriting persistent xss
>> detection in a more advanced way :) What I want to do is to inject
>> unique identifiers (alnum) into all parameters, then crawl the
>> application again, find those identifiers and create a very clear map
>> of src->dst , and then start fuzzing the src and check the dst (with
>> context) to check if there is a persistent XSS.
>
> Now I understand :) I think that it's a good idea and way to test persistent
> XSS. But before it is implemented, let's keep this functionality in the
> xss plugin.

Agreed,

>
>>>>     Which branch? What's the environment needed to test this?
>>>
>>>
>>> The branch is called webapps. In the nearest days I will add some related
>>> code in it and begin coding of discovery.web20Spider. For now you can
>>> look at PhantomJS [0] and CasperJS [1]. They are really good tools for
>>> automated web UI testing. The first one is headless WebKit with a
>>> JavaScript API, and the second one is a toolkit over the first one. The
>>> decision to use these tools is not final but it is a good opportunity for
>>> the first step toward browser integration.
>>
>>
>> Great! I'll take a look into that later today
>
>
> Yesterday I coded a logic PoC of web20Spider [0] and it works on the test
> pages [1]! One of the main tasks now is to pass the current cookies to
> casperjs. It looks like the only way to do it is dumping the current freq
> cookies (including session ones) into a temp file. Then we can point casperjs
> at this file with the existing option --cookies-file. The second task is to
> submit forms on pages, but it looks simpler than cookies.
>
> [0]
> http://sourceforge.net/apps/trac/w3af/browser/branches/webapps/plugins/discovery/web20Spider.py
> [1]
> http://sourceforge.net/apps/trac/w3af/browser/branches/webapps/moth/w3af/discovery/web20Spider
> --
> Taras
> http://oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
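The persistent-XSS approach sketched in the thread (unique alphanumeric identifiers injected into every parameter, a second crawl that locates them, a src->dst map, then fuzzing the source while checking the destination in context) and Taras's point that a text context can be broken with '<' alone, as an added example that is not w3af code and not part of the original thread. `ToyApp`, the `w3afid…` token shape, `SOURCES` and `PAGES` are all constructed stand-ins for a real target and a real crawler; the context classifier is deliberately crude:

```python
import html
import re
import secrets
from dataclasses import dataclass, field

# Hypothetical token shape: alphanumeric so no encoder touches it, and
# unlikely to collide with real page content.
TOKEN_RE = re.compile(r"w3afid[0-9a-f]{12}")


def new_token():
    return "w3afid" + secrets.token_hex(6)


@dataclass
class ToyApp:
    """Constructed stand-in for a web application with stored content.
    `comments` is the persistence layer; /guestbook renders it."""
    comments: list = field(default_factory=list)

    def request(self, path, params):
        if path == "/comment":
            # name is escaped on output; message is stored and rendered raw
            self.comments.append((params.get("name", ""), params.get("message", "")))
            return "<p>thanks</p>"
        if path == "/search":
            # reflected only, never stored, and escaped
            return "<p>results for: %s</p>" % html.escape(params.get("q", ""))
        if path == "/guestbook":
            rows = "".join(
                '<div class="c" data-author="%s">%s</div>' % (html.escape(n, quote=True), m)
                for n, m in self.comments)
            return "<html><body>%s</body></html>" % rows
        return "<p>404</p>"


# Constructed "fuzzable requests" (sources) and the crawl set (destinations).
SOURCES = [("/comment", {"name": "bob", "message": "hi"}),
           ("/search", {"q": "hi"})]
PAGES = ["/guestbook", "/index"]

# Character that changes context per location. Following the thread, text
# context needs only '<' (a browser will render an unterminated tag), so '>'
# is not required; attribute contexts need their quote character.
BREAK_CHARS = {"text": "<", "attr_dq": '"', "attr_sq": "'"}


def html_context(body, pos):
    """Rough classifier for the position of a found token: inside an open
    tag (and whether inside a quoted attribute value) or in text."""
    head = body[:pos]
    last_lt, last_gt = head.rfind("<"), head.rfind(">")
    if last_lt > last_gt:
        tag_part = head[last_lt:]
        if tag_part.count('"') % 2 == 1:
            return "attr_dq"
        if tag_part.count("'") % 2 == 1:
            return "attr_sq"
        return "tag"
    return "text"


def inject_tokens(app, sources, make_token=new_token):
    """Step 1: send each source with a unique token in each parameter.
    Returns {token: (path, param)}."""
    tokens = {}
    for path, params in sources:
        for name in params:
            tok = make_token()
            tokens[tok] = (path, name)
            app.request(path, dict(params, **{name: tok}))
    return tokens


def build_map(app, pages, tokens):
    """Step 2: crawl again and record where tokens reappear.
    Returns {(src_path, param): [(dst_page, context), ...]}."""
    src_to_dst = {}
    for page in pages:
        body = app.request(page, {})
        for m in TOKEN_RE.finditer(body):
            src = tokens.get(m.group())
            if src is not None:
                src_to_dst.setdefault(src, []).append((page, html_context(body, m.start())))
    return src_to_dst


def audit(app, sources, pages, make_token=new_token):
    """Step 3: fuzz each mapped source with the context's break character and
    check whether it survives unencoded at the destination."""
    mapping = build_map(app, pages, inject_tokens(app, sources, make_token))
    findings = []
    for (path, param), dsts in mapping.items():
        params = next(p for s, p in sources if s == path)
        for page, ctx in dsts:
            probe = BREAK_CHARS.get(ctx)
            if probe is None:
                continue
            tok = make_token()
            app.request(path, dict(params, **{param: tok + probe}))
            if tok + probe in app.request(page, {}):
                findings.append((path, param, page, ctx))
    return findings


if __name__ == "__main__":
    print(audit(ToyApp(), SOURCES, PAGES))
```

Note what the map buys you: the reflected `/search` parameter never appears in it, because its token is not stored anywhere, so only genuinely persistent sinks are fuzzed, and each one is fuzzed with the single character its context actually requires. The escaped `data-author` attribute stays clean while the raw `message` body does not.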

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop