Andres, hello! It looks that Combos processing task is complete.
Changed files: core/controllers/miscSettings.py core/data/dc/form.py core/data/parsers/htmlParser.py core/data/request/frFactory.py Now we can choose what values of selects and radio buttons will be processed: - only top (t) - only bottom (b) - top and bottom (tb) - top, middle and bottom (tmb) - is default - all values (all) On Thu, 2009-02-05 at 11:22 -0200, Andres Riancho wrote: > Taras, > > On Wed, Feb 4, 2009 at 7:56 PM, Taras P. Ivashchenko > <naplan...@gmail.com> wrote: > > Andres, > > > >> I've been thinking about the different ways to handle "long forms": > >> > >> - Random values: If we have a form with a lot of > >> combo/radio/select and the permutations of all of them exceed the > >> number of max permutations, one of the options would be to perform a > >> random choice of the combo box values and fuzz the other parameter. > >> The problem with that is that if the user scans the site again, after > >> finding something in a first scan, the probabilities say that he may > >> not find the vulnerability again! Example: > > ... > >> - Top and bottom values: If we have a form with a lot of > >> combo/radio/select and the permutations of all of them exceed the > >> number of max permutations, one of the options would be to select the > >> top and bottom values of the combo box and fuzz the other parameter. I > >> think that this is the best option and gives the highest code coverage > >> with the less requests. Example: > > ... > >> What do you think about the top/bottom idea? > > I like it! So it will be great if we will have 3 options for > > parsing/generating mutants: > > - all variants of form elements values > > - random values > > - top/bottom values > > I would remove the random values, because they'll be confusing for > people when they re-run a scan. I would leave: > > - all variants of form element values > - top/bottom values > - top/middle/bottom values (maybe this could be the default?) > > > As I think after I will finish develop the first option other two will > > be trivial. > > Yes, once you have one working... it's 10 more minutes of work+testing > to make the other one work. -- Тарас Иващенко (Taras Ivashchenko), OSCP www.securityaudit.ru ---- "Software is like sex: it's better when it's free." - Linus Torvalds
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------------ Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H
_______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
