Kevin,

On Wed, Dec 10, 2008 at 7:26 AM, Muffys Wump <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
>> Date: Tue, 9 Dec 2008 23:08:21 -0200
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: Re: Exporting Fuzzable Requests
>>
>> Muffys,
>>
>> On Tue, Dec 9, 2008 at 2:04 PM, Muffys Wump  wrote:
>>>
>>> Hi Andres,
>>>
>>> I've built an export functionality for fuzzable requests.
>>>
>>> I know there is a importResult plugin but I couldn't find the export.
>>> This patch allows you to specify a filename in the miscSettings in which all the
>>> requests (found by the discovery plugins) get exported (CSV). You can
>>> import them later using the importResult plugin if you like.
>>>
>>> This is useful if you only want to spider a site once, but scan it
>>> frequently. Or if you want to use the requests in other tools like sqlmap.
>>> I needed this for a current project I'm working on.
>>>
>>> I hope it's useful for someone.
>>
>> EXCELLENT work dude!
>> I have one good thing and one bad thing to say:
>>
>> 1) The bad one: Why are you doing this?
>>
>> +          for i in self._dc:
>> +            strRes += i + '&'                     !!!!!!!!!
>> +          strRes = strRes[: -1]
>> +        strRes += ','
>> +      else:
>> +        strRes += self._url + ','
>> +        if self._dc:
>> +          for i in self._dc:
>> +            strRes += i + '=1&'                !!!!!!!!!!!
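Review bot: both flagged lines discard the parameter's current value: the first loop writes only the name, the second hard-codes `=1`, so the exported CSV cannot reproduce the request the discovery plugins actually saw, and a later import loses the information the fuzzers use to pick their payload. Write `i + '=' + str(self._dc[i]) + '&'` in both branches. The visible lines also show that the first branch strips the trailing `&` with `strRes = strRes[: -1]` while the else branch does not; make both branches build the field the same way (for example join the `name=value` pairs with `'&'.join(...)`) so no dangling separator ends up in the CSV.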
>>
>> It would make much more sense to me (and I'll tell you later why) to do
>> something like this:
>>
>> +          for i in self._dc:
>> +            strRes += i + '=' + str(self_dc[i]) + '&'
>> +          strRes = strRes[: -1]
>> +        strRes += ','
>> +      else:
>> +        strRes += self._url + ','
>> +        if self._dc:
>> +          for i in self._dc:
>> +            strRes += i + '=' + str(self_dc[i]) + '&'
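Review bot: `self_dc[i]` in both suggested lines is a typo for `self._dc[i]` (the loop iterates `self._dc`), so the snippet as shown raises NameError. Separately, the value is concatenated raw: a value containing `&`, `=` or `,` would corrupt the query string and, because `,` is also the column separator being appended here, the CSV row itself; percent-encoding the pairs (e.g. `urllib.urlencode(self._dc)` in the Python 2 of the day) keeps the export parseable by importResult.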
>>
>> In some cases, the fuzzer uses the current value of the parameter to
>> fuzz it in a different way. For example, if the current value is
>> something like: 1, then the blind sql injection detection will try the
>> unquoted injection first. If you don't save the value of the fuzzable
>> request, then the data is lost and w3af will have to make some more
>> requests to achieve the same results.
>
> Ahh. I was wondering where the values are ;) Thanks for the hint. I'll change
> that immediately.

=)

>>
>> 2) The good one: Do you want SVN access? Please tell me your
>> sourceforge username, and I'll add you to the committers list =)
>>
>
> I made an account this morning. My username is: kdenver

Done! Now you have commit access to the SVN.

Please, use this privilege with care, a lot of people use the SVN
version at work. If you are going to perform a big change, you should
create a branch and work there. Only commit things that you are 100%
sure that work, and if you aren't sure, send an email to the develop
mailing list.

I advise you to subscribe to the svn-notify mailing list of the w3af
project, where you are going to see all the commits that other
contributors made every day. This mailing list is the way I audit the
changes you are going to perform. Every time you commit something,
I'll read the changes and send you my feedback, which hopefully will
be always good words to keep the team motivated =)

If you ever make a mistake, I won't fix it for you, by fixing your
mistakes you'll learn much more.

Please be extra careful when you modify something in the w3afCore,
because that could break a lot of things. As I said before, only
commit things that you are 100% sure that work in ALL cases.

With all that said... WELCOME TO THE W3AF TEAM! =)

Cheers,

PS: If you want your real name to be added to the contributors file of
the project, please send it to me!

>> After you are added to the list, and you fix the 1) problem, please
>> commit your patch!
>>
>> Once again, thanks for your contributions, they are very valuable and
>> are going to help the project a lot!
>>
>> Cheers,
>>
>>> Cheers,
>>> Kevin
>>>
>
> Thank you very much!
>
> Cheers,
> Kevin
>
>>
>>
>>
>> --
>> Andres Riancho
>> http://w3af.sourceforge.net/
>> Web Application Attack and Audit Framework



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
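To make the point of the review above concrete, here is a small added example of the two export strategies side by side. It is illustration code written for this page, not w3af's own code and not Kevin's patch: the function names, the (method, url, params) model of a fuzzable request and the sample URLs and parameters are all constructed for the example. `lossy_row` mirrors the first version of the patch (names kept, values replaced by a constant); `faithful_row` keeps the observed value and percent-encodes it so that separators inside a value cannot corrupt the query string or the CSV column, and `import_requests` shows that only the faithful form survives a round trip.

```python
import csv
import io
from urllib.parse import urlencode, parse_qsl

# Added illustration, not code from w3af or from the patch under discussion.
# A "fuzzable request" is modelled here as (method, url, params) where params
# maps parameter name -> current value as observed by the discovery phase.


def lossy_row(method, url, params):
    """Mirror of the patch's first version: parameter names survive, the
    values are replaced by a constant, so the export cannot reproduce the
    request that was actually observed."""
    return [method, url, "&".join(f"{name}=1" for name in params)]


def faithful_row(method, url, params):
    """Keep name AND value. urlencode percent-encodes '&', '=' and ',' inside
    values, so neither the query string nor the CSV cell gets corrupted."""
    return [method, url, urlencode(params)]


def export_requests(requests, row_fn=faithful_row):
    """Serialise a list of (method, url, params) tuples to CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for method, url, params in requests:
        writer.writerow(row_fn(method, url, params))
    return buf.getvalue()


def import_requests(text):
    """Inverse of export_requests: parse CSV text back to (method, url, params)."""
    result = []
    for method, url, query in csv.reader(io.StringIO(text)):
        # keep_blank_values so an empty parameter ("lang=") is not dropped
        params = dict(parse_qsl(query, keep_blank_values=True))
        result.append((method, url, params))
    return result


# Constructed sample input (hostnames and parameters invented for the example).
# The first request has a numeric id, the kind of value a fuzzer would use to
# try an unquoted payload first; the second has a value containing separators.
SAMPLE_REQUESTS = [
    ("GET", "http://example.test/item.php", {"id": "1", "page": "2"}),
    ("POST", "http://example.test/search.php", {"q": "a&b=c,d", "lang": ""}),
]

if __name__ == "__main__":
    print("faithful export:\n" + export_requests(SAMPLE_REQUESTS))
    print("lossy export:\n" + export_requests(SAMPLE_REQUESTS, row_fn=lossy_row))
```

Running the module prints both CSV variants; the faithful one reads back to exactly `SAMPLE_REQUESTS`, while the lossy one reads back with every value replaced by `1`, which is the information loss the review describes.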

_______________________________________________
W3af-develop mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-develop