Taras,

On Thu, Jul 26, 2012 at 6:11 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> I have spent more time on this problem and here are some results.
>
>> w3af is now supported under Python 2.7 (based on a recent change we
>> made in dependency_check.py) and xUrllib uses urllib2 which uses -the
>> fixed- httplib. So the error shouldn't happen anymore if the user is
>> running w3af with py27.
>>
>> For users running in py26, maybe we have to back-port the httplib fix
>> or something like that in order to avoid the issue in the first place.
>
> The back-port fix from 2.7 for malformed URLs is in the attachment.
> At the same time, imho, it is not a good idea to ask users to patch
> Python's libs. It will mean the end of support for Python < 2.7.

Yep, it's a bad idea to ask users to patch urllib.py

> Do we have python version usage
> statistics for w3af?

No, we don't

>> Hmmm, but do we actually need to do something in the error handling?

After some thinking, I came up with a solution that should solve the
initial issue you pointed out: "the lack of /". For now, and because I'm
not sure if this fixes all issues (there might be more than one source
of BadStatusLine), I committed it to my branch [0]; please review so I
can merge into trunk. To test, please move this change to a local trunk;
the threading2 branch isn't done yet.

[0] http://sourceforge.net/apps/trac/w3af/changeset/5409

> Another result is... raising BadStatusLine with an incorrect path in the
> URL is only one example. As I see it, when we talk about a web app fuzzer,
> a huge number of other cases with strange responses from the web server
> are also possible. Currently, when w3af gets such a strange response (with
> some urllib2.URLError exception), it tries to send the request again N
> times (maxRetrys). If on the Nth attempt w3af also gets a strange response,
> it **raises w3afMustStopOnUrlError** and **stops** the whole scan. Imho,
> this is too severe, because one request with e.g. 2 retries can stop the
> whole scan. Here we need to do the same thing as for unexpected errors -
> increment the global error count. We also need to make the errtotal value
> configurable.

Yes, that's an issue we have in the error handling that should be fixed,
but I'm not sure if elevating the maxRetrys is the way. For now, I would
try to continue looking (and fixing) for the requests that w3af performs
and force those badstatusline errors. Maybe we find some more, we fix
them and the issue disappears.

Regards,

>
> --
> Taras
> http://oxdef.info
> GPG: C8D1F510

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
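
The error-handling policy proposed in the quoted text above (retry a request, then charge one error to a scan-wide, configurable count rather than stopping on the first URL that exhausts its retries), sketched as an added example that is not part of the original message and is not w3af code. All names (`ErrorBudget`, `ScanMustStop`, `fetch_with_retries`, `run_scan`, `fake_send`) are hypothetical, and the sender is a constructed stand-in for the HTTP layer.

```python
# Added illustration: every name below is hypothetical, none is w3af's API.
from http.client import BadStatusLine
from urllib.error import URLError


class ScanMustStop(Exception):
    """The scan as a whole should be aborted."""


class ErrorBudget:
    """Scan-wide count of failed requests with a configurable limit."""

    def __init__(self, max_total_errors=10):
        self.max_total_errors = max_total_errors
        self.failed = []  # (url, exception class name) per abandoned URL

    def record_failure(self, url, exc):
        self.failed.append((url, type(exc).__name__))
        if len(self.failed) >= self.max_total_errors:
            raise ScanMustStop("%d requests failed" % len(self.failed))


def fetch_with_retries(send, url, budget, max_retries=2):
    """Try send(url) max_retries + 1 times, then charge one error and skip."""
    last_exc = None
    for _ in range(max_retries + 1):
        try:
            return send(url)
        except (BadStatusLine, URLError) as exc:
            last_exc = exc
    budget.record_failure(url, last_exc)
    return None


def run_scan(send, urls, budget):
    results = {}
    for url in urls:
        body = fetch_with_retries(send, url, budget)
        if body is not None:
            results[url] = body
    return results


def fake_send(url):
    # Constructed stand-in for the HTTP layer: URLs containing "odd" always fail.
    if "odd" in url:
        raise BadStatusLine("garbage status line")
    return "200 OK"
```

With this shape, the list in `ErrorBudget.failed` also records which URLs produced the strange responses, which is the input needed to track down and fix individual sources of BadStatusLine.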