Viktor,
On Tue, Dec 23, 2008 at 3:00 PM, Viktor Gazdag <woodsp...@gmail.com> wrote:
> 2008/12/23 Andres Riancho <andres.rian...@gmail.com>
>>
>> Viktor,
>>
>> On Mon, Dec 22, 2008 at 6:29 PM, Viktor Gazdag <woodsp...@gmail.com>
>> wrote:
>> > Hello Andres!
>> >
>> >
>> > I hope this will be the latest version of the frontpage_version plugin.
>> > :)
>> > Check it when you have time and tell me if something is missing.
>> >
>>
>> You are getting better, and your code looks nice in every new
>> contribution you make, but... the plugin is still a little messy in
>> some places, some examples:
>>
>> - You define "_exec_one_time" inside "__init__" and you read it's
>> value inside "discover", but you never change the value, so... why is
>> it there? I think that "self._exec_one_time" should be removed, and
>> "self._exec" should be set to False only after finding "_vti_inf.html"
>> inside any of the directories that are passed as a parameter.
>>
>> - If I run pylint against your code, it shields hundreds of warnings
>> about bad indentation! The command I'm running is:
>> d...@brick:~/w3af/w3af/trunk$ pylint --rcfile=../extras/misc/pylint.rc
>> plugins/discovery/frontpage_version.py
>>
>> - In the cases in which the "_vti_inf.html" page exists, I think that
>> we should have some code that looks something like this:
>>
>> for match in [frontpage_version, frontpage_admin, frontpage_author]:
>> if not match:
>> # This is wierd... we found a _vti_inf file, but there is no
>> frontpage
>> # information in it... IPS? WAF? honeypot?
>> i = info.info()
>> i.setId( response.id )
>> i.setName( 'Fake FrontPage Configuration Information' )
>> i.setURL( response.getURL() )
>> desc = 'A fake FrontPage Configuration Information file was found
>> at: "'
>> desc += i.getURL()
>> desc += '". This may be an indication of a honeypot, a WAF or an
>> IPS.'
>> i.setDesc( desc )
>> kb.kb.append( self, 'fake_frontpage', i )
>> om.out.information( i.getDesc() )
>>
>> I think that w3af should also warn about anomalies, and this would be
>> one of those =) What do you think?
>
> I hate that indentation thing! :) I fixed the warnings and the self._exec,
> but maybe not the right place. I wrote the three if in one, but that match
> thing won't work.
Have you really tested this plugin? I run pylint against your plugin
and this is what I get:
d...@brick:~/w3af/w3af/trunk$ pylint --rcfile=../extras/misc/pylint.rc
plugins/discovery/frontpage_version.py -e
E: 58:frontpage_version.discover: Undefined variable 'w3afRunOnce'
Also, there is an error here:
#Get the FPAdminScript url
frontpage_admin = re.findall(regex_admin,
response.getBody(), re.IGNORECASE)[0][:-9]
#Get the FPAuthorScript url
frontpage_author = re.findall(regex_author,
response.getBody(), re.IGNORECASE)[0][:-10]
What if there is no match? The [0] would fail and the plugin would crash.
I don't mean to be rude but... you have to test your plugins much
more. With cases where it is supposed to find stuff, and with cases in
which nothing is found. In other words, you have to perform tests with
a WIDE code coverage.
I modified the plugin and commited it to the SVN. Please, PLEASE read
the modifications and understand what you did wrong.
Cheers,
>>
>> Cheers,
>> --
>> Andres Riancho
>> http://w3af.sourceforge.net/
>> Web Application Attack and Audit Framework
>
>
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
