Taras,

On Sat, Jan 31, 2009 at 7:47 PM, Taras P. Ivashchenko <naplan...@gmail.com> wrote:
> Hello, list!
>
> Today I researched the "HTML Combo boxes - Parsing & Fuzzing" Feature
> Request[0].
> While parsing and generating fuzzable requests we remember the last value of
> the select combo box in the fuzzable request.
> Example 1:
> we have a form like:
>
> - TEXT - someText
> - SEX -
>     - male
>     - female
>
> we will have such mutants:
>
> - mutant 1: SEX=<script>alert(1)</script>&TEXT=someText
> - mutant 2: SEX=female&TEXT=<script>alert(1)</script>

Yes, I did it this way, and I know it's bad... but... I had to start with
something. If I did everything perfect from the beginning, I would never have
had any progress.

> The idea of the Feature Request is to remember all combo values and create
> such mutants:
>
> - mutant 1: SEX=<script>alert(1)</script>&TEXT=someText
> - mutant 2: SEX=male&TEXT=<script>alert(1)</script>
> - mutant 3: SEX=female&TEXT=<script>alert(1)</script>

Exactly!

> But! What will we have if there are 2 combo boxes in the HTML page?
>
> Example 2:
> - TEXT - someText
> - SEX -
>     - male
>     - female
> - HACKER -
>     - yes
>     - no
>
> We need to cover all variants:
> - mutant 1: SEX=<script>alert(1)</script>&TEXT=someText&HACKER=yes
> - mutant 2: SEX=<script>alert(1)</script>&TEXT=someText&HACKER=no
> - mutant 3: SEX=male&TEXT=<script>alert(1)</script>&HACKER=yes
> - mutant 4: SEX=female&TEXT=<script>alert(1)</script>&HACKER=yes
> - mutant 5: SEX=male&TEXT=<script>alert(1)</script>&HACKER=no
> - mutant 6: SEX=female&TEXT=<script>alert(1)</script>&HACKER=no
> - mutant 7: SEX=female&TEXT=someText&HACKER=<script>alert(1)</script>
> - mutant 8: SEX=male&TEXT=someText&HACKER=<script>alert(1)</script>
> ...
> What about 3 combos with 3 values and so on? What do you think about it?

You should add a miscSetting that handles this; with some default like 10, or
20 combinations per form.

> While reviewing code today I also found that we do not process the "checked"
> and "selected" attributes of the option tag and radio|check boxes.
> Maybe it would be better to take these attributes into account instead of
> generating a lot of variants of fuzzable requests, even with some limit
> value for combo boxes?

What if the HTML form doesn't even have something selected/checked? I think
that the best way is to set a "nice and comfortable default" which users may
change if they want to get a "100%" code coverage.

@Taras: What do you think?
@Everyone: Any ideas on how to handle these cases? Any ideas on how commercial
tools handle this?

Cheers,

> [0]https://sourceforge.net/tracker2/?func=detail&aid=2248574&group_id=170274&atid=853655
>
> --
> Тарас Иващенко (Taras Ivashchenko), OSCP
> www.securityaudit.ru
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
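
Added example, not part of the original message and not w3af code: a sketch of the capped combination generator discussed in the thread, run on the form from Example 2. The names generate_mutants, count_uncapped and max_combinations are hypothetical, applying the cap per fuzzed parameter is an assumption, and FUZZ stands in for the scanner's test string.

```python
from itertools import islice, product
from math import prod

PAYLOAD = "FUZZ"  # constructed placeholder for the scanner's test string

# Constructed from "Example 2" in the thread: a str is a free-text default,
# a list holds the option values of a combo box.
EXAMPLE_2 = {"SEX": ["male", "female"], "TEXT": "someText", "HACKER": ["yes", "no"]}


def _choices(form, skip):
    """Value lists for every field except the one being fuzzed."""
    return {name: (value if isinstance(value, list) else [value])
            for name, value in form.items() if name != skip}


def generate_mutants(form, payload=PAYLOAD, max_combinations=10):
    """Yield one dict per mutant: one field carries the payload, the others
    take each combination of their values, capped per fuzzed field."""
    for fuzzed in form:
        others = _choices(form, fuzzed)
        # islice stops the Cartesian product once the cap is reached.
        for combo in islice(product(*others.values()), max_combinations):
            mutant = dict(zip(others, combo))
            mutant[fuzzed] = payload
            yield mutant


def count_uncapped(form):
    """Mutants with no cap: for each fuzzed field, the product of the
    other fields' option counts, summed over all fields."""
    return sum(prod(len(v) for v in _choices(form, fuzzed).values())
               for fuzzed in form)


if __name__ == "__main__":
    print("Example 2, uncapped:", count_uncapped(EXAMPLE_2))
    # Constructed form for the "3 combos with 3 values" question.
    three = {"TEXT": "someText", "A": list("123"), "B": list("123"), "C": list("123")}
    print("3 combos x 3 values, uncapped:", count_uncapped(three))
    print("same form, cap of 10:", len(list(generate_mutants(three))))
```

With the cap set to 2, SEX=female never appears while TEXT is the fuzzed field, because a truncated product() cycles the last field's values first; a low cap therefore skews coverage toward the first options of the earlier fields.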