Andres,
About the migration, for the moment, I have an issue (I cannot install some
dependencies) installing the threading2 branch on my Windows dev station,
so exceptionally (because I think you have a ton of work) you can do the
migration...
I apologize that I cannot do the migration myself, but I don't know when I will
fix my installation...
Regards,
Dom
On Mon, Oct 15, 2012 at 8:30 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Dom,
>
> On Mon, Oct 15, 2012 at 10:25 AM, Dominique Righetto
> <dominique.righe...@gmail.com> wrote:
> > Andres,
> >
> > OK. About preflight, I must admit that you are right and then I will keep it
> > for myself and see if I can meet a real risk scenario during a professional dev
> > project on which I work....
>
> Ok! It might be useful in a particular scenario; but not suitable (at
> least from my point of view) for a tool that has to scan very generic
> targets.
>
> > I will start to work soon on a plugin about "Prolonged caching of Preflight
> > Result" according to a suggestion coming from you some weeks ago :)
>
> I don't remember that particular part of the conversation, but I
> recommend you explain what you want to achieve (in an email to this
> mailing list) before starting to code. That way we might avoid rework
> from your/my side.
>
> > Thank you very much for sharing your experience with me, I'm new in the
> > security area and it's very helpful for me to receive comments and advice
> > from experienced people :o)
>
> No prob!
>
> So, about the other plugin, should I migrate it to the threading2
> format or will you try to do that?
>
> >
> > Cordialement, Best regards,
> > Dominique Righetto
> > dominique.righe...@gmail.com
> > dominique.righe...@owasp.org
> > Twitter: @righettod
> > Google Code Repository
> > GitHub Repository
> > "No trees were killed to send this message, but a large number of electrons
> > were terribly inconvenienced."
> >
> >
> >
> > On Mon, Oct 15, 2012 at 2:57 PM, Andres Riancho <andres.rian...@gmail.com>
> > wrote:
> >>
> >> Dom,
> >>
> >> On Sun, Oct 14, 2012 at 2:10 PM, Dominique Righetto
> >> <dominique.righe...@gmail.com> wrote:
> >> > Andres,
> >> >
> >> > To not block the release process, we can go further and not include the
> >> > preflight plugin...
> >>
> >> Ok,
> >>
> >> > I have updated the "origin" (not yet pushed into the git repo because I have
> >> > an issue installing the python 2.7 w3af dependencies on my Windows dev station
> >> > to test my update on the threading2 branch) to include cors utils and base audit
> >> > plugin refactoring, and as this plugin seems to be accepted you can perhaps
> >> > include it in the next release; I will be proud to have a piece of code being
> >> > part of the next w3af release :)
> >>
> >> I think that that inspectOriginHeaderScrutiny.py should make it into
> >> threading2, yes. I would have to write some unittests first, but it
> >> will make it.
> >>
> >> > About "preflight", in fact (after some thinking) it is not really a
> >> > vulnerability but a kind of "risk", because the preflight process ensures that
> >> > an action on a target web resource by a client request has been previously
> >> > checked using the preflight request process. If a web resource is exposed
> >> > using CORS with support for modification actions and the preflight process is
> >> > not checked on the server side, then unsafe resource modification becomes
> >> > possible.
> >> > Perhaps we can move this plugin from the Audit type to another like Discovery
> >> > or Grep...
> >>
> >> Still don't buy it, I don't even think it is a risk. If you add this
> >> "vulnerability/risk" protection to your site it is like adding a "CORS
> >> browser implementation verifier" into your web application. It is only
> >> needed if you're paranoid enough to believe that the same origin
> >> policy or the preflight/CORS algorithm in browsers is broken; and even
> >> then it can be bypassed by a script that sends an arbitrary OPTIONS
> >> and an arbitrary POST (that doesn't respect the headers returned in
> >> OPTIONS). Sorry but I won't add this plugin.
> >>
> >> > Cordialement, Best regards,
> >> > Dominique Righetto
> >> >
> >> >
> >> > dominique.righe...@gmail.com
> >> > dominique.righe...@owasp.org
> >> > Twitter: @righettod
> >> > Google Code Repository
> >> > GitHub Repository
> >> > "No trees were killed to send this message, but a large number of electrons
> >> > were terribly inconvenienced."
> >> >
> >> >
> >> >
> >> > On Sun, Oct 14, 2012 at 4:56 PM, Andres Riancho <andres.rian...@gmail.com>
> >> > wrote:
> >> >>
> >> >> Dom,
> >> >>
> >> >> On Sun, Oct 14, 2012 at 6:28 AM, Dominique Righetto
> >> >> <dominique.righe...@gmail.com> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I understand, it's now my turn to find facts and a real case to convince
> >> >> > you that this plugin has its place in W3AF...It's the game and it's a
> >> >> > very interesting part ;o))))
> >> >>
> >> >> I'm all in for learning why this is a vulnerability (if it is the case :)
> >> >>
> >> >> Regards,
> >> >>
> >> >> > Thanks for review.
> >> >> >
> >> >> > Cordialement, Best regards,
> >> >> > Dominique Righetto
> >> >> > dominique.righe...@gmail.com
> >> >> > dominique.righe...@owasp.org
> >> >> > Twitter: @righettod
> >> >> > Google Code Repository
> >> >> > GitHub Repository
> >> >> >
> >> >> > "No trees were killed to send this message, but a large number of electrons
> >> >> > were terribly inconvenienced."
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Sun, Oct 14, 2012 at 3:11 AM, Andres Riancho <andres.rian...@gmail.com>
> >> >> > wrote:
> >> >> >>
> >> >> >> Dom,
> >> >> >>
> >> >> >> After spending a considerable time with inspectRequestPreflight.py
> >> >> >> [0] and the w3c document on CORS [1], I think that the vulnerability
> >> >> >> being detected by the plugin:
> >> >> >>
> >> >> >> ...
> >> >> >> msg = 'Application seems to accept the ' + self.test_http_method + '
> >> >> >> request type even if an OPTIONS request type has not be previously
> >> >> >> sent to preflight the current request.'
> >> >> >> ...
> >> >> >>
> >> >> >> Is NOT really a vulnerability and that detection is too relaxed,
> >> >> >> which will generate a ton of false positives.
> >> >> >>
> >> >> >> There is no indication in the w3c document (that I was able to
> >> >> >> find, please point me to it if it exists) that the web application
> >> >> >> needs to track/verify that for each "POST" that arrives with an Origin
> >> >> >> header (or any other specific thing in the request) there was a
> >> >> >> previous *associated* preflight OPTIONS.
> >> >> >>
> >> >> >> The w3c documentation actually states that the OPTIONS needs to be
> >> >> >> performed without cookies (see: Exclude user credentials.) which would
> >> >> >> make the task even harder on the application developer, as we all know
> >> >> >> that tracking things like this by IP doesn't work (eg. proxy).
> >> >> >>
> >> >> >> Unless you provide more information about any security
> >> >> >> implications this situation (Application seems to accept the POST
> >> >> >> request type even if an OPTIONS request type has not be previously
> >> >> >> sent to preflight the current request.) has, and strong references
> >> >> >> recommending to implement an OPTIONS tracking system, this plugin
> >> >> >> won't be able to make it into w3af :(
> >> >> >>
> >> >> >> PS: In the review/test process, I integrated the plugin into the
> >> >> >> threading2 branch. If you want to see it it is attached.
> >> >> >>
> >> >> >> [0] https://raw.github.com/righettod/w3af-plugins/master/plugins/audit/inspectRequestPreflight.py
> >> >> >> [1] http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
> >> >> >>
> >> >> >> On Sat, Oct 13, 2012 at 8:57 PM, Andres Riancho
> >> >> >> <andres.rian...@gmail.com> wrote:
> >> >> >> > First commit [0], the corsUtils.py is now in the threading2 branch
> >> >> >> > :)
> >> >> >> > Comments:
> >> >> >> >
> >> >> >> > * Renamed file and location where it ended in the project
> >> >> >> > * Refactoring: there was no need for a class. Now we have functions
> >> >> >> > * Refactoring: creating the HTTP request by concatenating strings is
> >> >> >> > not as nice as creating objects. The objects I created are simple to
> >> >> >> > understand and will achieve the same objective. Please make sure that
> >> >> >> > there is nothing essential to CORS missing from the strings, because
> >> >> >> > some headers were removed.
> >> >> >> > * Unittested code: added unittests for all functions
> >> >> >> >
> >> >> >> > [0] https://sourceforge.net/apps/trac/w3af/changeset/5890
> >> >> >> >
> >> >> >> > On Sat, Oct 13, 2012 at 8:08 PM, Andres Riancho
> >> >> >> > <andres.rian...@gmail.com> wrote:
> >> >> >> >> Dom,
> >> >> >> >>
> >> >> >> >> Before the end of the day I'll try to write the unittests and
> >> >> >> >> integrate everything with the threading2 branch; that will go out
> >> >> >> >> shortly. Closing all the open reviews from the community is my top
> >> >> >> >> priority of the week :)
> >> >> >> >>
> >> >> >> >> Regards,
> >> >> >> >>
> >> >> >> >> On Sat, Oct 13, 2012 at 10:37 AM, Dominique RIGHETTO
> >> >> >> >> <dominique.righe...@gmail.com> wrote:
> >> >> >> >>> Hello,
> >> >> >> >>>
> >> >> >> >>> Does anyone know if CORS plugins [0][1] have been validated by the W3AF
> >> >> >> >>> project team in order to be added into the project SVN repository?
> >> >> >> >>>
> >> >> >> >>> [0] : https://code.google.com/p/righettod/source/browse/PYTHON/W3AF-Plugins/plugins/audit/inspectOriginHeaderScrutiny.py
> >> >> >> >>> [1] : https://code.google.com/p/righettod/source/browse/PYTHON/W3AF-Plugins/plugins/audit/inspectRequestPreflight.py
> >> >> >> >>>
> >> >> >> >>> Yesterday I moved the sources to a dedicated GitHub repository in order
> >> >> >> >>> to facilitate contribution follow-up:
> >> >> >> >>> https://github.com/righettod/w3af-plugins
> >> >> >> >>>
> >> >> >> >>> Thanks in advance
> >> >> >> >>>
> >> >> >> >>> --
> >> >> >> >>> Cordialement, Best regards,
> >> >> >> >>> Dominique Righetto
> >> >> >> >>> dominique.righe...@gmail.com
> >> >> >> >>> dominique.righe...@owasp.org
> >> >> >> >>> Twitter: @righettod
> >> >> >> >>> http://righettod.github.com
> >> >> >> >>> "No trees were killed to send this message, but a large number of
> >> >> >> >>> electrons were terribly inconvenienced."
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>>
> ------------------------------------------------------------------------------
> >> >> >> >>> Don't let slow site performance ruin your business. Deploy New
> >> >> >> >>> Relic
> >> >> >> >>> APM
> >> >> >> >>> Deploy New Relic app performance management and know exactly
> >> >> >> >>> what is happening inside your Ruby, Python, PHP, Java, and
> .NET
> >> >> >> >>> app
> >> >> >> >>> Try New Relic at no cost today and get our sweet Data Nerd
> shirt
> >> >> >> >>> too!
> >> >> >> >>> http://p.sf.net/sfu/newrelic-dev2dev
> >> >> >> >>> _______________________________________________
> >> >> >> >>> W3af-develop mailing list
> >> >> >> >>> W3af-develop@lists.sourceforge.net
> >> >> >> >>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >> Andrés Riancho
> >> >> >> >> Project Leader at w3af - http://w3af.org/
> >> >> >> >> Web Application Attack and Audit Framework
> >> >> >> >> Twitter: @w3af
> >> >> >> >> GPG: 0x93C344F3
> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> > --
> >> >> >> > Andrés Riancho
> >> >> >> > Project Leader at w3af - http://w3af.org/
> >> >> >> > Web Application Attack and Audit Framework
> >> >> >> > Twitter: @w3af
> >> >> >> > GPG: 0x93C344F3
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Andrés Riancho
> >> >> >> Project Leader at w3af - http://w3af.org/
> >> >> >> Web Application Attack and Audit Framework
> >> >> >> Twitter: @w3af
> >> >> >> GPG: 0x93C344F3
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> ------------------------------------------------------------------------------
> >> >> > Don't let slow site performance ruin your business. Deploy New
> Relic
> >> >> > APM
> >> >> > Deploy New Relic app performance management and know exactly
> >> >> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> >> >> > Try New Relic at no cost today and get our sweet Data Nerd shirt
> too!
> >> >> > http://p.sf.net/sfu/newrelic-dev2dev
> >> >> > _______________________________________________
> >> >> > W3af-develop mailing list
> >> >> > W3af-develop@lists.sourceforge.net
> >> >> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Andrés Riancho
> >> >> Project Leader at w3af - http://w3af.org/
> >> >> Web Application Attack and Audit Framework
> >> >> Twitter: @w3af
> >> >> GPG: 0x93C344F3
> >> >
> >> >
> >> >
> >> >
> >> >
> ------------------------------------------------------------------------------
> >> > Don't let slow site performance ruin your business. Deploy New Relic
> APM
> >> > Deploy New Relic app performance management and know exactly
> >> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> >> > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> >> > http://p.sf.net/sfu/newrelic-dev2dev
> >> > _______________________________________________
> >> > W3af-develop mailing list
> >> > W3af-develop@lists.sourceforge.net
> >> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >> >
> >>
> >>
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Don't let slow site performance ruin your business. Deploy New Relic APM
> > Deploy New Relic app performance management and know exactly
> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> > http://p.sf.net/sfu/newrelic-dev2dev
> > _______________________________________________
> > W3af-develop mailing list
> > W3af-develop@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
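To make the argument in the thread concrete, here is an added example (not w3af's code nor the plugin author's; the origin allowlist, header sets and sample requests are constructed) of stateless CORS decision logic: every OPTIONS or actual request is judged on its own Origin, method and headers, so the server never needs to remember whether a preflight came first. It also shows the exact-match Origin check that an Origin-scrutiny plugin looks for, and the Access-Control-Max-Age value that controls how long a browser may reuse a preflight result.

```python
# Stateless CORS decision logic (added example; constructed allowlist and requests).
ALLOWED_ORIGINS = {"https://app.example.com"}          # constructed allowlist
ALLOWED_METHODS = {"GET", "POST", "PUT"}
ALLOWED_HEADERS = {"content-type", "x-requested-with"}
PREFLIGHT_CACHE_SECONDS = 600   # Access-Control-Max-Age: browser may reuse the preflight this long


def origin_allowed(origin):
    """Exact match only. A prefix/substring test would also accept an origin
    such as https://app.example.com.evil.test, which is precisely the lax
    Origin scrutiny a scanner should report."""
    return origin in ALLOWED_ORIGINS


def cors_response(method, headers):
    """Decide the CORS headers for one request.

    Returns a dict of headers to add, {} when CORS is not involved (no Origin
    header), or None when no CORS headers may be sent, in which case the
    browser fails the preflight or blocks the cross-origin read. No state is
    kept between calls: whether an OPTIONS preceded a POST is never consulted,
    since the server cannot know it (preflights carry no cookies)."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return {}
    if not origin_allowed(origin):
        return None
    if method.upper() == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: answer only about what the browser asked for.
        want_method = h["access-control-request-method"].upper()
        raw = h.get("access-control-request-headers", "")
        want_headers = {x.strip().lower() for x in raw.split(",") if x.strip()}
        if want_method not in ALLOWED_METHODS or not want_headers <= ALLOWED_HEADERS:
            return None
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
            "Access-Control-Max-Age": str(PREFLIGHT_CACHE_SECONDS),
            "Vary": "Origin",   # responses differ per Origin; keep caches honest
        }
    # Actual request: judged on Origin and method alone. Authentication and
    # CSRF defences for the action itself are separate controls, not CORS.
    if method.upper() not in ALLOWED_METHODS:
        return None
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```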