Andres,
your suggestion with mutants sounds better than mine with a table of
payloads.
The only thing to be defined is the number and type of mutants being
generated; that must be configurable somehow.
Achim
Dimitri,
On Tue, May 19, 2009 at 1:50 PM, Dimitri Paranoid
wrote:
> Hi guys,
> I played with w3af for the first time today. I'm specifically
> interested in the XSS scanning (crawling + fuzzing).
> It seems w3af does not catch the case when the site echoes the
> double-encoded JavaScript.
>
Taras,
On Tue, May 19, 2009 at 6:59 PM, Taras P. Ivashchenko
wrote:
>
> Hi, Dimitri!
>
> Thanks for your interest in W3AF!
> How often in reality is there such a situation (when some input param is echoed
> back to the browser after URL decoding)?
I also think that it's a little bit strange to find, b
Hi Taras,
On Tue, May 19, 2009 at 11:59 PM, Taras P. Ivashchenko
wrote:
>
> How often in reality is there such a situation (when some input param is echoed
> back to the browser after URL decoding)?
>
> I think it's a real risk and we should at least allow for a possibility to
test for it. I've seen
Hi, Dimitri!
Thanks for your interest in W3AF!
How often in reality is there such a situation (when some input param is echoed back
to the browser after URL decoding)?
> Hi guys,
> I played with w3af for the first time today. I'm specifically
> interested in the XSS scanning (crawling + fuzzing)
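
The case discussed in this thread, as an added example that is not part of any message above and is not w3af code: a reflection check that sends an inert marker at a configurable number of URL-encoding depths (the "mutants") and reports which depths come back unescaped. All names, the marker and the two stand-in applications are constructed for illustration.

```python
import html
from urllib.parse import quote, unquote

# Constructed, inert marker: HTML metacharacters only, no script content.
PROBE = "<zq7\"'>"

def encode_n(value, depth):
    """Percent-encode value `depth` times (depth 0 leaves it raw)."""
    for _ in range(depth):
        value = quote(value, safe="")
    return value

def make_mutants(probe=PROBE, max_depth=2):
    """Map encoding depth -> mutant; max_depth is the configurable knob."""
    return {depth: encode_n(probe, depth) for depth in range(max_depth + 1)}

def reflected_unescaped(body, probe=PROBE):
    """True when the raw marker appears in the body without HTML escaping."""
    return probe in body

# Constructed stand-ins for a target. Each receives the parameter after the
# single URL decode that the web server performs on the query string.
def app_decode_after_escape(param):
    # Flawed order: escape first, then URL-decode the escaped value again.
    return "<p>Results for: %s</p>" % unquote(html.escape(param))

def app_escape_last(param):
    # Correct order: finish all decoding, then escape for the HTML context.
    return "<p>Results for: %s</p>" % html.escape(unquote(param))

def scan(app, max_depth=2):
    """Return the encoding depths whose mutant is echoed back unescaped."""
    findings = []
    for depth, mutant in make_mutants(max_depth=max_depth).items():
        received = unquote(mutant)  # the server-side decode of the query string
        if reflected_unescaped(app(received)):
            findings.append(depth)
    return findings

if __name__ == "__main__":
    print("max_depth=1:", scan(app_decode_after_escape, max_depth=1))
    print("max_depth=2:", scan(app_decode_after_escape, max_depth=2))
    print("escape last:", scan(app_escape_last, max_depth=2))
```

With `max_depth=1` the flawed handler produces no finding; only the double-encoded mutant exposes it, and the handler that escapes after its last decode stays clean at every depth.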