Tobias,
On Thu, Jan 3, 2013 at 7:31 AM, <[email protected]> wrote:
> Hello dear developers,
>
> first of all I would like to thank all of you for the great work you
> are doing on w3af.
Thanks!
> I started using it some time ago and have come across the following
> issue:
>
> Scanning a customer's website, I found an XSS vulnerability using
> Acunetix. This is the first line of the HTTP request sent by Acunetix:
>
> GET /html/contact.php/%22onmouseover%3d'prompt(975175)'bad%3d%22%3e HTTP/1.1
>
> The vulnerability is caused by the use of $_SERVER['PHP_SELF'] in the
> action attribute of a form tag.
>
> I was not able to find this vulnerability using w3af though.
>
> Is it possible to extend the xss plugin to also test for this kind of
> attack? It would be great!
I think w3af is able to find these types of vulnerabilities. If you've
got some minutes to spend on this, please follow these steps:
* Get the latest version of w3af from the threading2 branch
(you've volunteered to be one of the beta-testers;)
    svn co https://w3af.svn.sourceforge.net/svnroot/w3af/branches/threading2 w3af-threading2
* Start w3af from the w3af-threading2 directory
* In the misc-settings configuration set fuzz_url_filenames and
fuzz_url_parts to True
* Enable the audit.xss plugin
* Set the target to the URL you want to scan
* Start the scan
Let us know how this went, thanks!
Regards,
> Best regards
>
> Tobias Assmann
> _______________________________________________________
>
> SkyGate internetworking GmbH
> Pfuelstrasse 5, Aufgang VI
> D - 10997 Berlin
> Handelsreg. Berlin Charlottenburg, HRB 87258
> Geschaeftsfuehrer: Stephan Jensen
>
> T: +49- (0)30 - 611038-0
> F: +49- (0)30 - 61280465
> W: http://www.skygate.de
> _______________________________________________________
> _______________________________________________
> W3af-develop mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
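As an added example, not code from this thread or from w3af itself, here is a small Python model of two things discussed above: why $_SERVER['PHP_SELF'] in a form's action attribute is reflected from the URL path, and what the path-based probing that fuzz_url_parts turns on actually checks for. It assumes the script path /html/contact.php from the request line Tobias quoted; the function names and the `"w3afmark=` probe marker are made up for the example, and the vulnerable rendering is the PHP pattern he describes, modelled in Python.

```python
import html
from urllib.parse import quote, unquote

SCRIPT_NAME = "/html/contact.php"  # assumed script path, taken from the thread's request line

# Constructed sample: the request path quoted in the thread. Everything after
# the script name is PATH_INFO, which PHP appends to $_SERVER['PHP_SELF'].
SAMPLE_PATH = "/html/contact.php/%22onmouseover%3d'prompt(975175)'bad%3d%22%3e"


def php_self(request_path: str, script_name: str = SCRIPT_NAME) -> str:
    """Model of $_SERVER['PHP_SELF']: the script name plus the URL-decoded
    PATH_INFO suffix. The suffix comes straight from the request, so the
    value is attacker-influenced even though it looks like a server path."""
    decoded = unquote(request_path)
    if not decoded.startswith(script_name):
        raise ValueError("request does not map to %s" % script_name)
    return decoded


def vulnerable_form(request_path: str) -> str:
    """The pattern from the report: PHP_SELF written raw into the action
    attribute, i.e. <form action="<?php echo $_SERVER['PHP_SELF']; ?>">."""
    return '<form action="%s" method="post">' % php_self(request_path)


def hardened_form_escaped(request_path: str) -> str:
    """Fix 1: HTML-escape the value for the attribute context, the same as
    htmlspecialchars($_SERVER['PHP_SELF']) in PHP. A quote in PATH_INFO
    becomes &quot; and can no longer close the attribute."""
    return '<form action="%s" method="post">' % html.escape(
        php_self(request_path), quote=True)


def hardened_form_script_name(request_path: str) -> str:
    """Fix 2: do not echo PHP_SELF at all. SCRIPT_NAME carries no PATH_INFO,
    so the request path never reaches the HTML (an empty action also works)."""
    php_self(request_path)  # still check that the request maps to this script
    return '<form action="%s" method="post">' % SCRIPT_NAME


def reflects_unescaped(render, script_name: str = SCRIPT_NAME,
                       marker: str = '"w3afmark=') -> bool:
    """Rough model of the probe that fuzz_url_parts enables: put a marker in
    the URL *path* rather than in a query parameter, render the page, and see
    whether the marker comes back byte-for-byte. A verbatim echo of the quote
    character is what makes attribute injection possible; an escaped echo
    is not."""
    probe = script_name + "/" + quote(marker, safe="")
    return marker in render(probe)


if __name__ == "__main__":
    print(vulnerable_form(SAMPLE_PATH))
    for name, render in [("vulnerable", vulnerable_form),
                         ("escaped", hardened_form_escaped),
                         ("script_name", hardened_form_script_name)]:
        print("%-12s reflects unescaped path: %s" % (name, reflects_unescaped(render)))
```

The point of the marker going into the path is that a query-parameter-only scan never exercises PATH_INFO, so a page that only reflects PHP_SELF looks clean; that is what the misc-settings toggles in the reply change.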