Andres,
>       I'm trying to add unittests [0] for the CSRF plugin [1] and in the
> process I was doing an analysis of the techniques used in your plugin
> with the objective of passing our CSRF test suite [2] and I've got a
> question. Why this?
>
>           # Send the same request twice and analyze if we get the same responses
>           # TODO: Ask Taras about these lines, I don't really understand.
>           response1 = self._uri_opener.send_mutant(freq)
>           response2 = self._uri_opener.send_mutant(freq)
>           if not self._is_resp_equal(response1, response2):
>               return False, None

This code is there to be sure that a request with the same data will give us the 
same result (to decrease the number of false positive errors). A different 
result will mean that we can't correctly make other CSRF-related checks 
(like response diffs and so on).

-- 
Taras
http://oxdef.info
GPG: C8D1F510
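The two-request stability check Taras describes, followed by the token-removal diff that it protects, as an added example in Python; this is not w3af's own code. `Request`, `Response`, the three stand-in servers and the `csrf_token` parameter name are constructed here for illustration.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class Request:
    url: str
    params: Dict[str, str]

@dataclass
class Response:
    code: int
    body: str

Sender = Callable[[Request], Response]

def is_resp_equal(r1: Response, r2: Response) -> bool:
    """Exact comparison; a real scanner would normalise headers and dates first."""
    return r1.code == r2.code and r1.body == r2.body

def is_stable(send: Sender, req: Request) -> bool:
    """Send the identical request twice; only a deterministic page can be diffed."""
    return is_resp_equal(send(req), send(req))

def check_token(send: Sender, req: Request, token_param: str) -> str:
    """Return 'vulnerable', 'protected' or 'inconclusive' for one token parameter."""
    if not is_stable(send, req):
        return 'inconclusive'  # noise would be indistinguishable from token validation
    baseline = send(req)
    stripped = Request(req.url, {k: v for k, v in req.params.items() if k != token_param})
    # The same answer without the token means the server never validated it.
    return 'vulnerable' if is_resp_equal(baseline, send(stripped)) else 'protected'

# Constructed stand-ins for the target application (no network involved).
def ignores_token(req: Request) -> Response:
    return Response(200, f"Transferred {req.params['amount']}")

def validates_token(req: Request) -> Response:
    if req.params.get('csrf_token') != 'a1b2c3':
        return Response(403, 'Forbidden')
    return Response(200, f"Transferred {req.params['amount']}")

_clock = itertools.count()
def noisy_page(req: Request) -> Response:
    # Embeds a changing counter, like a timestamp or a per-response nonce.
    return Response(200, f"Transferred {req.params['amount']} at t={next(_clock)}")

FREQ = Request('/transfer', {'amount': '10', 'csrf_token': 'a1b2c3'})

if __name__ == '__main__':
    for name, srv in [('ignores', ignores_token), ('validates', validates_token), ('noisy', noisy_page)]:
        print(name, check_token(srv, FREQ, 'csrf_token'))
```

Without the stability pre-check, `noisy_page` would be reported as 'protected' merely because its body changes between requests.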

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
