Hi,
I understand, it's now my turn to find facts and real cases to convince you
that this plugin has its place in W3AF... It's the game and it's a very
interesting part ;o))))
Thanks for review.
Cordialement, Best regards,
Dominique Righetto
dominique.righe...@gmail.com
dominique.righe...@owasp.org
Twitter: @righettod
Google Code Repository <http://righettod.googlecode.com>
GitHub Repository <https://github.com/righettod>
*"No trees were killed to send this message, but a large number of
electrons were terribly inconvenienced."*
On Sun, Oct 14, 2012 at 3:11 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Dom,
>
> After spending a considerable time with inspectRequestPreflight.py
> [0] and the w3c document on CORS [1], I think that the vulnerability
> being detected by the plugin:
>
> ...
> msg = 'Application seems to accept the ' + self.test_http_method + '
> request type even if an OPTIONS request type has not be previously
> sent to preflight the current request.'
> ...
>
> Is NOT really a vulnerability and that detection is too relaxed,
> which will generate a ton of false positives.
>
> There is no indication in the w3c document (that I was able to
> find, please point me to it if it exists) that the web application
> needs to track/verify that for each "POST" that arrives with an Origin
> header (or any other specific thing in the request) there was a
> previous *associated* preflight OPTIONS.
>
> The w3c documentation actually states that the OPTIONS needs to be
> performed without cookies (see: Exclude user credentials.) which would
> make the task even harder on the application developer, as we all know
> that tracking things like this by IP doesn't work (eg. proxy).
>
> Unless you provide more information about any security
> implications this situation (Application seems to accept the POST
> request type even if an OPTIONS request type has not be previously
> sent to preflight the current request.) has, and strong references
> recommending to implement an OPTIONS tracking system, this plugin
> won't be able to make it into w3af :(
>
> PS: In the review/test process, I integrated the plugin into the
> threading2 branch. If you want to see it it is attached.
>
> [0]
> https://raw.github.com/righettod/w3af-plugins/master/plugins/audit/inspectRequestPreflight.py
> [1] http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
>
> On Sat, Oct 13, 2012 at 8:57 PM, Andres Riancho
> <andres.rian...@gmail.com> wrote:
> > First commit [0], the corsUtils.py is now in the threading2 branch :)
> > Comments:
> >
> > * Renamed file and location where it ended in the project
> > * Refactoring: there was no need for a class. Now we have functions
> > * Refactoring: creating the HTTP request by concatenating strings is
> > not as nice as creating objects. The objects I created are simple to
> > understand and will achieve the same objective. Please make sure that
> > there is nothing essential to CORS missing from the strings, because
> > some headers were removed.
> > * Unittested code: added unittests for all functions
> >
> > [0] https://sourceforge.net/apps/trac/w3af/changeset/5890
> >
> > On Sat, Oct 13, 2012 at 8:08 PM, Andres Riancho
> > <andres.rian...@gmail.com> wrote:
> >> Dom,
> >>
> >> Before the end of the day I'll try to write the unittests and
> >> integrate everything with the threading2 branch; that will go out
> >> shortly. Closing all the open reviews from the community is my top
> >> priority of the week :)
> >>
> >> Regards,
> >>
> >> On Sat, Oct 13, 2012 at 10:37 AM, Dominique RIGHETTO
> >> <dominique.righe...@gmail.com> wrote:
> >>> Hello,
> >>>
> >>> Does anyone know if CORS plugins [0][1] have been validated by W3AF
> >>> project team in order to be added into project SVN repository ?
> >>>
> >>> [0] : https://code.google.com/p/righettod/source/browse/PYTHON/W3AF-Plugins/plugins/audit/inspectOriginHeaderScrutiny.py
> >>> [1] : https://code.google.com/p/righettod/source/browse/PYTHON/W3AF-Plugins/plugins/audit/inspectRequestPreflight.py
> >>>
> >>> Yesterday I moved the sources to a dedicated Github repository in order
> >>> to facilitate contributions follow-up:
> >>> https://github.com/righettod/w3af-plugins
> >>>
> >>> Thanks in advance
> >>>
> >>> --
> >>> Cordialement, Best regards,
> >>> Dominique Righetto
> >>> dominique.righe...@gmail.com
> >>> dominique.righe...@owasp.org
> >>> Twitter: @righettod
> >>> http://righettod.github.com
> >>> "No trees were killed to send this message, but a large number of
> >>> electrons were terribly inconvenienced."
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> Don't let slow site performance ruin your business. Deploy New Relic
> APM
> >>> Deploy New Relic app performance management and know exactly
> >>> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> >>> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> >>> http://p.sf.net/sfu/newrelic-dev2dev
> >>> _______________________________________________
> >>> W3af-develop mailing list
> >>> W3af-develop@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >>
> >>
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >
> >
> >
> > --
> > Andrés Riancho
> > Project Leader at w3af - http://w3af.org/
> > Web Application Attack and Audit Framework
> > Twitter: @w3af
> > GPG: 0x93C344F3
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
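To make Andres's point concrete, here is an added illustration (not w3af code and not the plugin under review): a stateless CORS responder that judges every request on its own Origin header, the way the W3C document describes. Since the browser sends the preflight without cookies, the server has nothing to correlate a later POST with an earlier OPTIONS, and a spec-conformant server therefore accepts a POST that was never preflighted, which is exactly what a "no preceding OPTIONS" heuristic would flag. The allowlist, sample requests and the approximation of the plugin's check are constructed for this example.

```python
# Stateless CORS handling (added example, not w3af or plugin code).
# The allowlist and sample requests are constructed; the Access-Control-*
# header names are the standard CORS ones.

ALLOWED_ORIGINS = {"https://app.example"}   # constructed allowlist
ALLOWED_METHODS = {"GET", "POST"}


def cors_response(method, headers):
    """Return (status, response_headers) for one request.

    No state is kept between calls: each request is allowed or refused on
    the basis of its own Origin header, which is all the spec asks for.
    """
    origin = headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        # Unknown or missing Origin: answer without Access-Control-* headers,
        # so the browser refuses to expose the response to the page.
        return (403, {}) if method == "OPTIONS" else (200, {})

    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Preflight. The browser sends it without user credentials
        # ("Exclude user credentials" in the spec), so the server cannot tie
        # it to the actual request that follows; it only answers the question.
        wanted = headers["Access-Control-Request-Method"]
        if wanted not in ALLOWED_METHODS:
            return 403, {}
        return 204, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        }

    # Actual request: decided on Origin alone, whether or not a preflight
    # ever happened. Enforcing the preflight is the browser's job.
    return 200, {"Access-Control-Allow-Origin": origin}


def preflight_tracking_heuristic(method, headers):
    """Approximation (constructed) of the check discussed in the thread:
    send a cross-origin request with NO preceding OPTIONS and report a
    finding if the server accepts it. Against the conformant responder
    above this fires for every allowed origin, i.e. it is a false positive."""
    status, resp = cors_response(method, headers)
    return status == 200 and "Access-Control-Allow-Origin" in resp
```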