On 08/10/2012 04:32 AM, Taras wrote:
> Andres,
>> I'm trying to add unittests [0] for the CSRF plugin [1] and in
>> the process I was doing an analysis of the techniques used in
>> your plugin with the objective of passing our CSRF test suite [2]
>> and I've got a question. Why this?
>> 
>> # Send the same request twice and analyze if we get the same responses
>> # TODO: Ask Taras about these lines, I don't really understand.
>> response1 = self._uri_opener.send_mutant(freq)
>> response2 = self._uri_opener.send_mutant(freq)
>> if not self._is_resp_equal(response1, response2):
>>     return False, None
> 
> This code is there to be sure that a request with the same data will
> give us the same result (to decrease the number of false positives).
> A different result will mean that we can't correctly make the other
> CSRF related checks (like response diffs and so on).
Hmmm, but it also restricts the algorithm *a lot*! What about a form
that allows you to delete something from a DB:

#1 http://host/remove.php?id=3&confirm=true
        -> returns "Item 3 removed from DB"

#2 http://host/remove.php?id=3&confirm=true
        -> returns "Item 3 not found in DB"

They are different, no CSRF tests are performed on them, BUT they ARE
vulnerable! Agreed?

We just need to know what's more common in this case, the potential
false positives or the potential false negatives; and remove/keep this
heuristic step.

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
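To make the trade-off in this thread concrete, here is an added example (my own illustration, not w3af's plugin code) that models the "send twice, compare" gate against the remove.php case above: the strict equality check skips the non-idempotent endpoint entirely, while a fuzzy-similarity variant keeps auditing it. The endpoints, response bodies and the 0.6 threshold are constructed assumptions for the demo.

```python
from difflib import SequenceMatcher


def fake_delete_endpoint():
    """Constructed stand-in for http://host/remove.php?id=3&confirm=true:
    the first call removes item 3, the second reports it is already gone."""
    db = {3: "item"}

    def handle(params):
        item_id = int(params["id"])
        if db.pop(item_id, None) is not None:
            return "<html>Item %d removed from DB</html>" % item_id
        return "<html>Item %d not found in DB</html>" % item_id

    return handle


def fake_view_endpoint():
    """Constructed idempotent endpoint: every call returns the same body."""
    return lambda params: "<html>Item %s details</html>" % params["id"]


def is_resp_equal_strict(body1, body2):
    """The heuristic quoted in the mail: bodies must match exactly."""
    return body1 == body2


def response_similarity(body1, body2):
    """Ratio in [0, 1] of how much of the two bodies matches (difflib)."""
    return SequenceMatcher(None, body1, body2).ratio()


def is_resp_equal_fuzzy(body1, body2, threshold=0.6):
    """Relaxed variant: a changed status phrase in an otherwise identical
    page does not abort the audit; threshold is an assumed tuning value."""
    return response_similarity(body1, body2) >= threshold


def should_continue_csrf_checks(send, params, is_resp_equal):
    """Mirror the plugin's gate: send the same request twice. False means
    the remaining CSRF checks are skipped for this request (the potential
    false negative Andres describes); True means they go ahead."""
    response1 = send(params)
    response2 = send(params)
    return is_resp_equal(response1, response2)


if __name__ == "__main__":
    p = {"id": "3", "confirm": "true"}
    print(should_continue_csrf_checks(fake_delete_endpoint(), p, is_resp_equal_strict))
    print(should_continue_csrf_checks(fake_delete_endpoint(), p, is_resp_equal_fuzzy))
```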

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop