Re: [W3af-develop] [W3af-svn-notify] SF.net SVN: w3af:[5502] branches/xss/plugins/tests/audit/test_xss.py

Sat, 04 Aug 2012 12:59:12 -0700 

Andres,

It is all right with this test because __VIEWSTATE is used here only as 
CSRF token (not as vulnerable parameter). We already passes it.


>       There is a test in WAVSEP that I think we won't be able to pass
> because of a performance improvement that w3af has:
>
> ('Case32-Tag2HtmlPageScopeValidViewstateRequired.jsp', 'userinput',
> ['userinput', '__VIEWSTATE']),
>
>       If this means that w3af should find XSS vuln in __VIEWSTATE, I think
> it won't be possible because in fuzzer.py we have IGNORED_PARAMETERS
> that contains it.
>
>       Of course we could change that... but I don't think it will make much
> sense. Just wanted to let you know beforehand so you know what's going
> on when that test is not passed.
>
> Regards,
>
> On 08/04/2012 10:16 AM, ox...@users.sourceforge.net wrote:
>> Revision: 5502
>> http://w3af.svn.sourceforge.net/w3af/?rev=5502&view=rev Author:
>> oxdef Date:     2012-08-04 13:16:16 +0000 (Sat, 04 Aug 2012) Log
>> Message: ----------- Fixed tests
>>
>> Modified Paths: --------------
>> branches/xss/plugins/tests/audit/test_xss.py
>>
>> This was sent by the SourceForge.net collaborative development
>> platform, the world's largest Open Source development site.
>>
>>
>> ------------------------------------------------------------------------------
>>
>>
> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond.
>> Discussions will include endpoint security, mobile security and the
>> latest in malware threats.
>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________ W3af-svn-notify
>> mailing list w3af-svn-not...@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-svn-notify
>>
>
>
>
> - --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iEYEARECAAYFAlAdPXYACgkQLgy+VpPDRPPoeACfT0E2CDyx7xLHjlGcSmv5YtoK
> T9oAnAiRHO8zbmorJGHR+OGEFtX7E2OS
> =rXXC
> -----END PGP SIGNATURE-----


-- 
Taras
http://oxdef.info
GPG: C8D1F510

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop

Reply via email to