Taras,

On Sun, Feb 1, 2009 at 4:24 PM, Taras P. Ivashchenko <naplan...@gmail.com> wrote:
> Andres,
>
>> You should add a miscSetting that handles this; with some default like
>> 10, or 20 combinations per form.
>
> Yes, but it will be a strange parameter :)

With the right explanation, any parameter can be understood by the users.

> I will try to develop this algorithm. As I think it will be similar to
> password generation for some password length and custom alphabet.

It shouldn't be a problem!

>> > While reviewing code today I also found that we do not process "checked"
>> > and "selected" attributes of option tags and radio|check boxes.
>> > Maybe it will be better to take into account these attributes instead of
>> > generating a lot of variants of fuzzable requests even with some limit
>> > value for combo boxes?
>>
>> What if the HTML form doesn't even have something selected/checked? I
>> think that the best way is to set a "nice and comfortable default"
>> which users may change if they want to get a "100%" code coverage.
>
> But it will be good to take into account, in some circumstances, the
> existence of this information, isn't it? It can be the default values of
> the form params.

Yes, you're right. I've been thinking about the different ways to handle "long forms":

- Random values: If we have a form with a lot of combo/radio/select and the
  permutations of all of them exceed the number of max permutations, one of the
  options would be to perform a random choice of the combo box values and fuzz
  the other parameter. The problem with that is that if the user scans the site
  again, after finding something in a first scan, the probabilities say that he
  may not find the vulnerability again!

  Example:

  Form:
  - Combo [Country] (Argentina,USA,Russia,Germany,Zimbawe)
  - Combo [Born] (1900,1901,...2009)
  - Text input [Name]

  Mutants generated randomly in scan #1; where max number of mutants is 3:
  - country=<script>alert(1)</script>&born=1982&name=
  - country=Argentina&born=<script>alert(1)</script>&name=
  - country=USA&born=2000&name=<script>alert(1)</script>

  Mutants generated randomly in scan #2; where max number of mutants is 3:
  - country=<script>alert(1)</script>&born=1903&name=
  - country=Russia&born=<script>alert(1)</script>&name=
  - country=Germany&born=1932&name=<script>alert(1)</script>

  The vulnerability may be triggered by
  "country=USA&born=2000&name=<script>alert(1)</script>" because underage kids
  don't get access; but that won't be triggered with
  "country=Germany&born=1932&name=<script>alert(1)</script>".

- Top and bottom values: If we have a form with a lot of combo/radio/select and
  the permutations of all of them exceed the number of max permutations, one of
  the options would be to select the top and bottom values of the combo box and
  fuzz the other parameter. I think that this is the best option and gives the
  highest code coverage with the fewest requests.

  Example:

  Form:
  - Combo [Country] (Argentina,USA,Russia,Germany,Zimbawe)
  - Combo [Born] (1900,1901,...2009)
  - Text input [Name]

  Mutants generated in scan #1 (the same ones will be generated in scan #2):
  - country=<script>alert(1)</script>&born=1900&name=
  - country=<script>alert(1)</script>&born=2009&name=
  - country=Argentina&born=<script>alert(1)</script>&name=
  - country=Zimbawe&born=<script>alert(1)</script>&name=
  - country=Argentina&born=1900&name=<script>alert(1)</script>
  - country=Argentina&born=2009&name=<script>alert(1)</script>
  - country=Zimbawe&born=1900&name=<script>alert(1)</script>
  - country=Zimbawe&born=2009&name=<script>alert(1)</script>

Also, if you feel like testing it, you could choose the top value (Argentina),
the middle value (Germany) and the bottom value (Zimbawe), and perform
combinations with the three of them.

What do you think about the top/bottom idea?

Cheers,
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
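The "top and bottom" strategy discussed in the thread, written out as an added Python example; this is not w3af code and makes no use of w3af's form classes. The form definition mirrors the one in the e-mail, the "FUZZ" marker is a constructed stand-in for a real payload, and the mode and function names (`top_bottom`, `top_middle_bottom`, `plan`, the `max_mutants` limit standing in for the proposed miscSetting) are assumptions. It goes slightly beyond the e-mail: it also counts how many requests full enumeration would cost, so a limit can decide between full and reduced enumeration, and it offers the top/middle/bottom variant (here "middle" is the option at index `len(options) // 2`, which is Russia for the country combo, not Germany as in the e-mail).

```python
"""Added example (not w3af code): deterministic mutant generation for long forms.

When one parameter is being fuzzed, every other choice parameter
(select/radio/checkbox) is fixed to its first and last option instead of all
options, so the request count stays small and every scan produces the same
mutants. Text inputs that are not being fuzzed are left empty, as in the thread.
"""
from itertools import product
from urllib.parse import urlencode

CHOICE_KINDS = ("select", "radio", "checkbox")

# Constructed form mirroring the one in the e-mail: (name, kind, options).
FORM = [
    ("country", "select", ["Argentina", "USA", "Russia", "Germany", "Zimbawe"]),
    ("born", "select", [str(year) for year in range(1900, 2010)]),
    ("name", "text", None),
]


def representative_values(options, mode):
    """Options kept for a choice parameter that is *not* the one being fuzzed."""
    if mode == "full":
        return list(options)
    if mode == "top_bottom":
        picks = [options[0], options[-1]]
    elif mode == "top_middle_bottom":
        picks = [options[0], options[len(options) // 2], options[-1]]
    else:
        raise ValueError("unknown mode: %s" % mode)
    # A combo with only one or two options must not yield duplicate mutants.
    unique = []
    for value in picks:
        if value not in unique:
            unique.append(value)
    return unique


def generate_mutants(form, payload, mode="top_bottom"):
    """Inject `payload` into one parameter at a time; return a list of dicts.

    Parameters are visited in form order and options in their declared order,
    so the output is fully deterministic across scans.
    """
    mutants = []
    for target, _, _ in form:
        value_lists = []
        for name, kind, options in form:
            if name == target:
                value_lists.append([(name, payload)])
            elif kind in CHOICE_KINDS:
                value_lists.append([(name, v) for v in representative_values(options, mode)])
            else:
                value_lists.append([(name, "")])
        for combination in product(*value_lists):
            mutants.append(dict(combination))
    return mutants


def full_permutation_count(form):
    """Requests that full enumeration would send, computed without generating them."""
    total = 0
    for target, _, _ in form:
        combos = 1
        for name, kind, options in form:
            if name != target and kind in CHOICE_KINDS:
                combos *= len(options)
        total += combos
    return total


def plan(form, payload, max_mutants):
    """Enumerate fully when it fits under `max_mutants` (the proposed setting),
    otherwise fall back to top/bottom. Returns (mode, mutants)."""
    mode = "full" if full_permutation_count(form) <= max_mutants else "top_bottom"
    return mode, generate_mutants(form, payload, mode)


def to_query(form, mutant):
    """Serialise a mutant as a query string in form order."""
    return urlencode([(name, mutant[name]) for name, _, _ in form])


if __name__ == "__main__":
    # "FUZZ" is a constructed marker standing in for a real payload.
    mode, mutants = plan(FORM, "FUZZ", max_mutants=20)
    print("full enumeration would need", full_permutation_count(FORM), "requests")
    print("mode:", mode, "->", len(mutants), "requests")
    for m in mutants:
        print(to_query(FORM, m))
```

For the form in the thread, `plan(FORM, "FUZZ", 20)` chooses `top_bottom` and yields exactly the eight mutants listed in the e-mail, in the same order, while full enumeration would need 665 requests; raising the limit above that switches the plan to full coverage.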