Taras,
On Tue, Jul 3, 2012 at 9:13 AM, Taras <ox...@oxdef.info> wrote:
> Andres, some more comments ...
>
>
>> Will review and send comments when you tell me "Please review"
>
> I need 2 or 3 days to fully work PoC w3af + PhantomJS.
>
>
>>>> * For each state in which the automated browser is in, be able to
>>>> return a list with all the custom events available (ie. if there is
>>>> a tag with<div onmouseover="..." this should return something like
>>>> [(<div object at 0x...>, 'onmouseover')] )
>>>
>>>
>>> I'm not sure about it. Such thing even difficult with FireBug as I know.
>>
>>
>> If we don't have that, how can we know which events to trigger?
>
> I can suggest existing of the event for the object like a regular user.
> In same time if such list can be grabbed with JS then we have such
> possibility.
Could you explain that again? You lost me in "existing of the event
from the object like a regular user"
>
>>>> * Send an event, for example (<div object at 0x...>, 'onmouseover'),
>>>> to the current DOM
>>>
>>>
>>> Yes, it can
>>
>>
>> How do you know which events to send to which tag?
>
> For same cases we can determine it with object properties or with help of
> JQuery.
>
>
>>>> * We need to be able to store events like (<div object at 0x...>,
>>>> 'onmouseover') in order to store a path and replay it if wanted
>>>
>>>
>>> Currently I store not events paths but CSS selectors of interesting
>>> objects like links and images. But it's discussable.
>>
>>
>> Hmm... what if there is an onmouseover="..." in a div tag? How are we
>> going to trigger that JS code?
>
> Of course it is not ideal solution but do you know one that can do it?
If we would have the feature to retrieve all events from the currently
loaded DOM, we would be able to do something as simple as:
"""
browser.load( url ) # block until done
original_dom = browser.dump_dom()
for tag, event in browser.get_events():
browser.load_dom( original_dom )
browser.raise_event( tag, event )
"""
>
>> Sure, we always need to take a first step, and usually it's not the
>> best thing we can do; but it is better than not taking it :) The only
>> point we need to take into account is that maybe we could work a lot
>> phantomjs and then in 6 months have to throw it away because it
>> doesn't provide us with the basic features we need
>
> I don't thing that we will need 6 months to throw away phantomjs.
> Furthermore I don't sure that we will find better solution (I will also see
> on alternative solutions like Spynner). Basic idea will be the same: w3af
> proxy + in-built browser.
Yes, but we need the requirements I put in the first email (at least
in my opinion) to be able to produce a good RIA analyzer. Do you agree
on that?
Regards,
> --
> Taras
> http://oxdef.info
> GPG: C8D1F510
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
