> Yes, agreed, but we can't add all of those payloads. That's why we
> have the ones that add delays, which should work "in all frameworks".
> What do you think about that?
I like the 2-way detection that is integrated in *nearly* every plugin:
- Time/Delay based
- Output based
The multithreading
Daniel,
On Sat, Mar 31, 2012 at 6:05 PM, Daniel Zulla wrote:
> Hi,
> I'll provide well-formatted patches in the future, thanks for the fix.
> Yes. That works with Python and Perl. Verified it with a small HTML::Template
> and Pyramid Lab.
Great, thanks for the good news.
> But in the real worl
Hi,
I'll provide well-formatted patches in the future, thanks for the fix.
Yes. That works with Python and Perl. Verified it with a small HTML::Template
and Pyramid Lab.
But in the real world, we won't win with echo/print. Maybe we should replace
"print "/"echo " by %s and provide several option
Daniel,
On Tue, Mar 27, 2012 at 11:26 PM, Daniel Zulla wrote:
> This patch *may* work. Untested.
Applied the patch to the latest eval.py in our SVN, and tested using:
* sudo python w3af_console -s scripts/script-eval.w3af
This triggered various errors in the line where this was performed:
One more thing: We could exploit the languages' different fingerprints to
determine the programming language very specifically.
PHP:
%sphpinfo()%s (Match on "Zend_" and/or the same strings as
discovery/phpinfo.php matches on)
Python:
%s__name__%s (Match on "__main__")
Perl:
%s$^X%s (Match on "p
This patch *may* work. Untested.
eval.py.patch
Description: Binary data
> Dan,
>
> On Tue, Mar 27, 2012 at 10:36 PM, Daniel Zulla wrote:
>> Hi there,
>> The "string1"."string2" --> .match("string1string2") strategy of eval.py
>> turned out to produce false-positives when the webapp strip
Dan,
On Tue, Mar 27, 2012 at 10:36 PM, Daniel Zulla wrote:
> Hi there,
> The "string1"."string2" --> .match("string1string2") strategy of eval.py
> turned out to produce false-positives when the webapp strips out
> everything but [a-zA-Z0-9_-].
>
> Instead of "Error 404 "string1"."string2", stri