For some strange reason, I kept this email in my inbox for a long
time, unread but without actually doing anything. Created a github
issue so I can remove this from my Inbox and it's also there for every
other potential contributor to see.
https://github.com/andresriancho/w3af/issues/167
On Mon,
Stephen,
I've implemented a couple of test scripts for HTTP Parameter
Pollution that you can see here:
http://sourceforge.net/apps/trac/w3af/browser/extras/testEnv/webroot/w3af/audit/hpp
You might find them useful for testing your stuff,
Regards,
On Tue, May 15, 2012 at 7:27 PM,
That's great! Thanks. I was meaning to do this soon and just hadn't gotten
around to it. I'll definitely try these out soon.
As of right now the plugin is pretty simple. All it does is inject into
each parameter in the request (one at a time) and then check the links in
the response to see if the
Stephen,
On Sat, May 12, 2012 at 3:31 PM, Stephen Breen breen.mach...@gmail.com wrote:
After comparing the browser and w3af requests/responses in wireshark I was
able to figure it out. When I send the request:
http://www.example.com/?x=abc%26ZJkL%3DNrZp
In w3af it is being converted to:
I did, the most efficient way I could think to do it required the following
changes to dataContainer.py and queryString.py. Basically all I did was add
a _safeEncodeChars field to the dataContainer and make sure it was used
when doing URL encoding:
Index: core/data/dc/dataContainer.py
Stephen,
On Wed, May 2, 2012 at 4:10 PM, Stephen Breen breen.mach...@gmail.com wrote:
In case anyone else is interested in this, someone else has already created
a system to scan and detect HTTP parameter pollution vulnerabilities. They
don't provide the source for their tool but it can be