Carlos, On Wed, Aug 1, 2012 at 10:04 PM, Carlos Pantelides <carlos_panteli...@yahoo.com> wrote: > Andres: > > I'm in the oven, I'll try to read the links and make something up. > Meanwhile, what are you asking for is a language or library that suffers for > this kind of vulnerability, aren't you? > > I did not try the javascript code [1], isn't what are you asking for?
Yes, the thing is that I want to test the redos.py plugin [0] and can't do it with javascript. I need something that runs on the server-side. I cried for help on twitter and some people pointed me to Java, telling me that it is vulnerable. I'll test it out in a bit, need some time to setup tomcat, etc. [0] https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/audit/redos.py > > Carlos Pantelides > > @dev4sec > > > http://seguridad-agile.blogspot.com/ > ________________________________ > From: Andres Riancho <andres.rian...@gmail.com> > To: "w3af-develop@lists.sourceforge.net" > <W3af-develop@lists.sourceforge.net>; w3af-us...@lists.sourceforge.net > Sent: Wednesday, August 1, 2012 3:40 PM > Subject: Re: [W3af-users] Regular expression DoS > > Ping! Someone can help me out? > > On Thu, Jul 26, 2012 at 1:59 PM, Andres Riancho > <andres.rian...@gmail.com> wrote: >> Lists, >> >> I'm trying to write a unittest for our redos audit plugin [0] that >> aims to find regular expression denial of service as explained here >> [1]. My problem at this point, and this is why I'm contacting you, is >> that I know for a fact that both PHP and Python are safe against this >> vulnerability (because of their regex engines being safe), but I want >> to have a unittest that really verifies that the plugin works and can >> identify the vulnerability... which programming language should I use >> to code the vulnerable script? >> >> Thanks! >> >> [0] >> https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/audit/redos.py >> [1] >> https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS >> >> Regards, >> -- >> Andrés Riancho >> Project Leader at w3af - http://w3af.org/ >> Web Application Attack and Audit Framework >> Twitter: @w3af >> GPG: 0x93C344F3 > > > > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > W3af-users mailing list > w3af-us...@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/w3af-users > > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
