Andres,

> You should add a miscSetting that handles this; with some default like
> 10, or 20 combinations per form.

Yes, but it will be a strange parameter :) I will try to develop this
algorithm. I think it will be similar to password generation for some
password length and a custom alphabet.

> 
> > While reviewing code today I also found that we do not process the "checked"
> > and "selected" attributes of the option tag and radio|check boxes.
> > Maybe it will be better to take these attributes into account instead of
> > generating a lot of variants of fuzzable requests, even with some limit
> > value for combo boxes?
> 
> What if the HTML form doesn't even have something selected/checked? I
> think that the best way is to set a "nice and comfortable default"
> which users may change if they want to get a "100%" code coverage.

But it will be good to take the existence of this information into account
in some circumstances, won't it? It can be the default values of form params.

-- 
Тарас Иващенко (Taras Ivashchenko), OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
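
Added example (not code from w3af or from this thread): one way to combine the two ideas discussed above, starting from the values the form marks as selected/checked and then enumerating further combinations up to a per-form cap. The names `FormChoices`, `form_variants`, `limit` and the sample form are hypothetical, and only select and radio fields with explicit value attributes are handled.

```python
import itertools
from html.parser import HTMLParser

# Constructed sample form (not from w3af or the thread).
SAMPLE = """<form action="/search">
<select name="lang"><option value="en">en</option>
<option value="ru" selected>ru</option><option value="es">es</option></select>
<input type="radio" name="sort" value="date">
<input type="radio" name="sort" value="rank" checked>
<select name="size"><option value="10">10</option><option value="50">50</option></select>
</form>"""

class FormChoices(HTMLParser):
    """Collect the values and marked defaults of <select> and radio fields."""
    def __init__(self):
        super().__init__()
        self.choices, self.defaults, self._select = {}, {}, None
    def _add(self, name, value, is_default):
        self.choices.setdefault(name, []).append(value)
        if is_default:
            self.defaults.setdefault(name, value)  # first marked value wins
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "select":
            self._select = a.get("name")
        elif tag == "option" and self._select:
            self._add(self._select, a.get("value", ""), "selected" in a)
        elif tag == "input" and a.get("type") == "radio" and a.get("name"):
            self._add(a["name"], a.get("value", "on"), "checked" in a)

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None

def form_variants(html, limit=10):
    """Return up to `limit` (at least one) field->value dicts, defaults first."""
    p = FormChoices()
    p.feed(html)
    names = list(p.choices)
    # Nothing selected/checked: fall back to the field's first value.
    base = {n: p.defaults.get(n, p.choices[n][0]) for n in names}
    variants = [base]
    # Lazy cartesian product: same shape as enumerating passwords over an alphabet.
    for combo in itertools.product(*(p.choices[n] for n in names)):
        if len(variants) >= limit:
            break
        if dict(zip(names, combo)) != base:
            variants.append(dict(zip(names, combo)))
    return variants
```

With the sample form there are 12 possible combinations; the default cap of 10 returns the form's own defaults plus the first nine others.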
