Taras,

I'm trying to add unit tests [0] for the CSRF plugin [1], and in the process I was doing an analysis of the techniques used in your plugin with the objective of passing our CSRF test suite [2], and I've got a question. Why this?

    # Send the same request twice and analyze if we get the same responses
    # TODO: Ask Taras about these lines, I don't really understand.
    response1 = self._uri_opener.send_mutant(freq)
    response2 = self._uri_opener.send_mutant(freq)
    if not self._is_resp_equal(response1, response2):
        return False, None

I don't understand how that makes the algorithm better (reduce false positives/negatives).

Please note that the test suite was modified to add your tests too.

[0] https://sourceforge.net/apps/trac/w3af/browser/branches/threading2/plugins/tests/audit/test_xsrf.py
[1] https://sourceforge.net/apps/trac/w3af/browser/branches/threading2/plugins/audit/xsrf.py
[2] https://sourceforge.net/apps/trac/w3af/browser/extras/testEnv/webroot/moth/w3af/audit/xsrf

Regards,
- --
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
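The following is an added illustration of what a "send the same request twice and compare" pre-check does in a CSRF audit; it is not code from w3af or from the thread, and the reading it gives of the quoted lines (a response-stability gate that keeps a non-deterministic page from being judged by later response comparisons) is an assumption, not something the thread confirms. `fake_send`, `is_resp_equal`, `is_stable`, `post_forms_without_token` and `audit` are hypothetical names, and the three sample pages are constructed inline.

```python
import html.parser
import secrets

# Constructed in-memory "server" standing in for the real HTTP layer (hypothetical).
# /profile   : POST form protected by a hidden anti-CSRF token
# /comment   : POST form with no hidden token at all
# /dashboard : embeds a fresh nonce on every response, so two identical requests differ
def fake_send(url):
    if url == "/profile":
        return 200, ('<form method="post" action="/profile">'
                     '<input type="hidden" name="csrf" value="abc123">'
                     '<input name="email"></form>')
    if url == "/comment":
        return 200, '<form method="post" action="/comment"><input name="body"></form>'
    if url == "/dashboard":
        return 200, (f'<p>nonce={secrets.token_hex(8)}</p>'
                     '<form method="post" action="/dashboard"><input name="q"></form>')
    return 404, "not found"


def is_resp_equal(r1, r2):
    """Two responses are 'equal' when status code and body match exactly."""
    return r1[0] == r2[0] and r1[1] == r2[1]


def is_stable(send, url):
    """The gate under discussion: issue the same request twice and compare.

    If the page changes between identical requests (timestamps, nonces,
    rotating content), any later comparison of responses for this URL
    would differ for reasons unrelated to CSRF, so the audit is skipped.
    """
    return is_resp_equal(send(url), send(url))


class FormParser(html.parser.HTMLParser):
    """Collect every <form> with its method, action and hidden input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action") or "",
                         "hidden": []}
            self.forms.append(self._cur)
        elif (tag == "input" and self._cur is not None
              and (a.get("type") or "").lower() == "hidden"):
            self._cur["hidden"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


# Heuristic hints for a hidden field that looks like an anti-CSRF token (assumption).
TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce")


def post_forms_without_token(body):
    """Return the actions of POST forms that carry no token-looking hidden field."""
    parser = FormParser()
    parser.feed(body)
    return [f["action"] for f in parser.forms
            if f["method"] == "post"
            and not any(any(h in name.lower() for h in TOKEN_HINTS)
                        for name in f["hidden"])]


def audit(send, url):
    """Stability gate first, then the token check on a single fresh response."""
    if not is_stable(send, url):
        return "unstable", None          # same outcome as the quoted `return False, None`
    _, body = send(url)
    missing = post_forms_without_token(body)
    return ("missing-token" if missing else "protected"), missing


if __name__ == "__main__":
    for u in ("/profile", "/comment", "/dashboard"):
        print(u, audit(fake_send, u))
```

Run stand-alone it prints one verdict per sample page: `/profile` is reported as protected, `/comment` as missing a token, and `/dashboard` is never judged because its two responses differ. Whether that gate lowers false positives or false negatives in the real plugin is exactly the open question in the message above; the example only makes the gate's effect visible.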
I'm trying to add unittests [0] for the CSRF plugin [1] and in the process I was doing an analysis of the techniques used in your plugin with the objective of passing our CSRF test suite [2] and I've got a question. Why this? 118 # Send the same request twice and analyze if we get the same responses 119 # TODO: Ask Taras about these lines, I don't really understand. 120 response1 = self._uri_opener.send_mutant(freq) 121 response2 = self._uri_opener.send_mutant(freq) 122 if not self._is_resp_equal(response1, response2): 123 return False, None I don't understand how that makes the algorithm better (reduce false positives/negatives) Please note that the test suite was modified to add your tests too. [0] https://sourceforge.net/apps/trac/w3af/browser/branches/threading2/plugins/tests/audit/test_xsrf.py [1] https://sourceforge.net/apps/trac/w3af/browser/branches/threading2/plugins/audit/xsrf.py [2] https://sourceforge.net/apps/trac/w3af/browser/extras/testEnv/webroot/moth/w3af/audit/xsrf Regards, - -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlAj5hkACgkQLgy+VpPDRPMGOQCeNyCDKcbMEO4iRxUU21AIC/bY AB8An3tjDaKDBqy9t3n9hcetFshvcIXQ =6vBS -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop