Achim,
On Wed, May 15, 2013 at 9:53 AM, Achim Hoffmann <[email protected]> wrote:
> Hi all,
>
> I'm searching for a plugin which can multiple encode a payload.
> Does such a thing exist in w3af?
No, it doesn't. w3af doesn't play with encoding as much as it should.
As a side note, I think I wouldn't implement this as a plugin; I would
add it in the create_mutants function [0]. This function takes
fuzzable requests as input and outputs modified requests. Example:
Input:
- http://host.tld/foo?id=1
- [payload1, payload2]
Output:
- http://host.tld/foo?id=payload1
- http://host.tld/foo?id=payload2
If you read [0] you'll notice that it would be a good idea to add a
fuzzer_config (see: _get_fuzzer_config) where the user can configure
at a framework wide level the "encoding depth". By default I would set
it to zero: only use the regular RFC required encoding.
If create_mutants is modified, it would be possible to have it output
something like:
- http://host.tld/foo?id=payload1
- http://host.tld/foo?id=payload2
- http://host.tld/foo?id=encodeEntity(payload1)
- http://host.tld/foo?id=encodeEntity(payload2)
....
- http://host.tld/foo?id=encodeEntity(encodeURL(encodeURL(payload1)))
- http://host.tld/foo?id=encodeEntity(encodeURL(encodeURL(payload2)))
This would be a good thing to have, and the implementation at this
level will affect all plugins which use the create_mutants function
(all which send payloads, if I'm not mistaken). create_mutants also
mutates the path (as in your /path/foo<u>xss/other example),
post-data, etc.
[0] https://github.com/andresriancho/w3af/blob/master/core/data/fuzzer/fuzzer.py
> The idea is as follows:
> given the url like
>
> /path/foo<u>xss/other
>
> I want to test these variants:
>
> /path/foo<u>xss/other
> /path/foo%3Cu%3Exss/other
> /path/foo%253cu%253exss/other
> /path/foo%25253cu%25253exss/other
> /path/foo%26%6C%74%3Bu%26%67%74%3Bxss/other
> /path/foo%26%6C%74%3B%75%26%67%74%3Bxss/other
> /path/foo%2526%256C%2574%253Bu%2526%2567%2574%253Bxss/other
> /path/foo%3Cu%3Exss/other
> /path/foo%253Cu%253Exss/other
>
> The idea (abstract) is like:
>
> encodeEntity(payload)
> encodeURL(payload)
> encodeURL(encodeURL(payload))
> encodeURL(encodeURL(encodeURL(payload)))
> encodeURL(encodeEntity(payload))
> encodeEntity(encodeURL(payload))
> encodeEntity(encodeURL(encodeURL(payload)))
>
> The payload can be anywhere in the URL, header or body.
> Testing in the URL at first glance will be great.
>
> Is there such a plugin, or one which can simply be extended?
>
> Any help appreciated
> Achim
>
>
> BTW, I already have a tool to generate such payloads in the browser
> https://www.owasp.org/index.php/Category:OWASP_EnDe
> you can nest the encoding functions however you like (see [Functions]
> button)
>
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
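To make the create_mutants idea from this thread concrete, here is an added example (not w3af's code, and not from either poster) that layers the abstract encodeEntity/encodeURL chains Achim lists onto a payload and drops each distinct variant into a request template. The encoder implementations, the PAYLOAD placeholder, the encoding_depth semantics and the sample URLs are assumptions made for the illustration; w3af's transport-level RFC encoding of the final request is outside this function.

```python
"""Constructed example: multiply-encoded payload variants for a fuzzer.

Not w3af code. Encoder names follow the thread (encodeURL, encodeEntity);
their implementations and the PAYLOAD placeholder are assumptions.
"""
from html import escape
from itertools import product
from urllib.parse import quote


def encode_url(s: str) -> str:
    # Percent-encode everything except RFC 3986 unreserved characters.
    # '%' itself becomes '%25', which is what makes nested encodings stack
    # (%3C -> %253C -> %25253C).
    return quote(s, safe="")


def encode_entity(s: str) -> str:
    # Named HTML entities for & < > " ' (assumed definition of encodeEntity).
    return escape(s, quote=True)


# Registry of elementary encoders, keyed by the names used in the thread.
ENCODERS = {"encodeURL": encode_url, "encodeEntity": encode_entity}


def apply_chain(payload: str, chain: tuple) -> str:
    """Apply encoder names innermost-first: ("encodeEntity", "encodeURL")
    means encodeURL(encodeEntity(payload))."""
    out = payload
    for name in chain:
        out = ENCODERS[name](out)
    return out


def encoding_chains(depth: int):
    """Yield every encoder chain of length 0..depth.

    depth=0 yields only the empty chain (raw payload), matching the
    'encoding depth zero by default' setting proposed in the thread."""
    for n in range(depth + 1):
        yield from product(ENCODERS, repeat=n)


def create_mutants(template: str, payloads: list, encoding_depth: int = 0) -> list:
    """Return the distinct requests obtained by replacing the PAYLOAD marker in
    template with every encoded variant of every payload.

    Duplicates arise naturally (e.g. entity-encoding an already URL-encoded
    string changes nothing), so results are de-duplicated in order."""
    seen = []
    for payload in payloads:
        for chain in encoding_chains(encoding_depth):
            candidate = template.replace("PAYLOAD", apply_chain(payload, chain))
            if candidate not in seen:
                seen.append(candidate)
    return seen


if __name__ == "__main__":
    # Constructed sample inputs: a query parameter and the path form from the thread.
    for url in create_mutants("http://host.tld/foo?id=PAYLOAD", ["<u>xss"], 2):
        print(url)
    for url in create_mutants("/path/fooPAYLOADxss/other", ["<u>"], 3):
        print(url)
```

Depth counts the number of extra encoding layers stacked on top of the raw payload, so depth 2 covers the single and double URL-encoded forms plus the entity-then-URL form from Achim's list, while depth 3 reaches the triple URL-encoded variant. Because the output is de-duplicated, a benign payload such as `1` produces a single request whatever the depth, which keeps the request count bounded for parameters that no encoder changes.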
_______________________________________________
W3af-develop mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-develop