Dom,

    After spending a considerable time with inspectRequestPreflight.py
[0] and the w3c document on CORS [1], I think that the vulnerability
being detected by the plugin:

...
msg = 'Application seems to accept the ' + self.test_http_method + '
request type even if an OPTIONS request type has not been previously
sent to preflight the current request.'
...

    Is NOT really a vulnerability and that detection is too relaxed,
which will generate a ton of false positives.

    There is no indication in the w3c document (that I was able to
find, please point me to it if it exists) that the web application
needs to track/verify that for each "POST" that arrives with an Origin
header (or any other specific thing in the request) there was a
previous *associated* preflight OPTIONS.

    The w3c documentation actually states that the OPTIONS needs to be
performed without cookies (see: Exclude user credentials.), which would
make the task even harder on the application developer, as we all know
that tracking things like this by IP doesn't work (e.g. proxy).

    Unless you provide more information about any security
implications this situation (Application seems to accept the POST
request type even if an OPTIONS request type has not been previously
sent to preflight the current request.) has, and strong references
recommending to implement an OPTIONS tracking system, this plugin
won't be able to make it into w3af :(

PS: In the review/test process, I integrated the plugin into the
threading2 branch. If you want to see it, it is attached.

[0] https://raw.github.com/righettod/w3af-plugins/master/plugins/audit/inspectRequestPreflight.py
[1] http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

On Sat, Oct 13, 2012 at 8:57 PM, Andres Riancho
<andres.rian...@gmail.com> wrote:
> First commit [0], the corsUtils.py is now in the threading2 branch :) 
> Comments:
>
> * Renamed file and location where it ended in the project
> * Refactoring: there was no need for a class. Now we have functions
> * Refactoring: creating the HTTP request by concatenating strings is
> not as nice as creating objects. The objects I created are simple to
> understand and will achieve the same objective. Please make sure that
> there is nothing essential to CORS missing from the strings, because
> some headers were removed.
> * Unittested code: added unittests for all functions
>
> [0] https://sourceforge.net/apps/trac/w3af/changeset/5890
>
> On Sat, Oct 13, 2012 at 8:08 PM, Andres Riancho
> <andres.rian...@gmail.com> wrote:
>> Dom,
>>
>>     Before the end of the day I'll try to write the unittests and
>> integrate everything with the threading2 branch; that will go out
>> shortly. Closing all the open reviews from the community is my top
>> priority of the week :)
>>
>> Regards,
>>
>> On Sat, Oct 13, 2012 at 10:37 AM, Dominique RIGHETTO
>> <dominique.righe...@gmail.com> wrote:
>>> Hello,
>>>
>>> Does anyone know if the CORS plugins [0][1] have been validated by the W3AF
>>> project team in order to be added into the project SVN repository?
>>>
>>> [0] https://code.google.com/p/righettod/source/browse/PYTHON/W3AF-Plugins/plugins/audit/inspectOriginHeaderScrutiny.py
>>> [1] https://code.google.com/p/righettod/source/browse/PYTHON/W3AF-Plugins/plugins/audit/inspectRequestPreflight.py
>>>
>>> Yesterday I moved the sources to a dedicated GitHub repository in order
>>> to facilitate contribution follow-up:
>>> https://github.com/righettod/w3af-plugins
>>>
>>> Thanks in advance
>>>
>>> --
>>> Cordialement, Best regards,
>>> Dominique Righetto
>>> dominique.righe...@gmail.com
>>> dominique.righe...@owasp.org
>>> Twitter: @righettod
>>> http://righettod.github.com
>>> "No trees were killed to send this message, but a large number of electrons 
>>> were terribly inconvenienced."
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Don't let slow site performance ruin your business. Deploy New Relic APM
>>> Deploy New Relic app performance management and know exactly
>>> what is happening inside your Ruby, Python, PHP, Java, and .NET app
>>> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>>> http://p.sf.net/sfu/newrelic-dev2dev
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3af-develop@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Attachment: cors_preflight.py
Description: Binary data
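The point made above about the plugin is that, per the CORS spec, the preflight is enforced by the browser, not by the server: a server has no way to know (and is not expected to know) that an OPTIONS request preceded a given POST. What a server-side CORS implementation actually needs is stateless, per-request decisions: answer OPTIONS against an allowlist, and validate the Origin header of each actual request on its own. The following Python is an added illustration of that stateless model, written for this thread; it is not code from w3af or from the plugin under review. The allowlist, header names and request dictionaries are constructed here, and the `handle_preflight`/`handle_actual` function names are hypothetical.

```python
"""Stateless CORS handling (added illustration, not w3af code).

No bookkeeping of "did a preflight happen" exists here on purpose: the
browser enforces the preflight, the server only answers each request.
"""

# Constructed allowlist for the illustration.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"content-type", "x-requested-with"}
PREFLIGHT_MAX_AGE = 600          # seconds a browser may cache the preflight
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _lower_keys(headers):
    """Header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def cors_headers_for(origin):
    """CORS response headers for an allowlisted origin, {} otherwise.

    The origin is echoed only after it matched the allowlist, so credentialed
    responses are never exposed to an arbitrary caller.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_headers_reflecting(origin):
    """The weak pattern for comparison: reflect any Origin with credentials.

    Any site may then read authenticated responses cross-origin; shown only
    to contrast with cors_headers_for().
    """
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def handle_preflight(req_headers):
    """Answer an OPTIONS preflight. Returns (status, response_headers).

    Decision uses only this request: Origin, the requested method and the
    requested headers, all checked against the allowlists.
    """
    h = _lower_keys(req_headers)
    base = cors_headers_for(h.get("origin"))
    if not base:
        return 403, {}
    if h.get("access-control-request-method", "").upper() not in ALLOWED_METHODS:
        return 403, {}
    requested = [x.strip().lower()
                 for x in h.get("access-control-request-headers", "").split(",")
                 if x.strip()]
    if any(x not in ALLOWED_HEADERS for x in requested):
        return 403, {}
    resp = dict(base)
    resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    resp["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    resp["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return 204, resp


def handle_actual(method, req_headers):
    """Handle the real request. Returns (status, response_headers).

    - No Origin header: same-origin or non-browser client, serve normally.
    - Allowlisted Origin: serve and attach CORS headers so the browser may
      read the response.
    - Other Origin on a state-changing method: refuse (Origin validation as
      a cross-site request defence). Safe methods are served without CORS
      headers; the browser then withholds the response from the page.
    Nothing here depends on whether an OPTIONS request was seen earlier.
    """
    h = _lower_keys(req_headers)
    origin = h.get("origin")
    if origin is None:
        return 200, {}
    cors = cors_headers_for(origin)
    if cors:
        return 200, cors
    if method.upper() in UNSAFE_METHODS:
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    print(handle_preflight({"Origin": "https://app.example.com",
                            "Access-Control-Request-Method": "POST",
                            "Access-Control-Request-Headers": "Content-Type"}))
    print(handle_actual("POST", {"Origin": "https://app.example.com"}))
    print(handle_actual("POST", {"Origin": "https://evil.example"}))
```

A scanner check built on this model would therefore look at what the server sends back per request (an `Access-Control-Allow-Origin` that reflects arbitrary origins together with `Allow-Credentials: true`, or a preflight answer that allows any method and header), not at whether a POST was "preceded" by an OPTIONS, which the server cannot observe.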
