Taras,

On Sun, Mar 1, 2009 at 7:30 PM, Taras P. Ivashchenko <naplan...@gmail.com> wrote:
> Andres, hello!
>
> It looks like the combos processing task is complete.

Excellent!

> Changed files:
>
> core/controllers/miscSettings.py
> core/data/dc/form.py
> core/data/parsers/htmlParser.py
> core/data/request/frFactory.py
>
> Now we can choose what values of selects and radio buttons will be
> processed:
> - only top (t)
> - only bottom (b)
> - top and bottom (tb)
> - top, middle and bottom (tmb) - the default
> - all values (all)

Could you please provide us with a set of HTML, PHP and w3af script files to test the new features? I would like to add the scripts to the "scripts" directory in w3af, and the HTML and PHP files inside the "extras/testEnv/webroot/" directory somewhere. After you provide us with that, I'll test the new feature and give you my feedback.

Thanks for your contribution!!

Cheers,

> On Thu, 2009-02-05 at 11:22 -0200, Andres Riancho wrote:
>> Taras,
>>
>> On Wed, Feb 4, 2009 at 7:56 PM, Taras P. Ivashchenko
>> <naplan...@gmail.com> wrote:
>> > Andres,
>> >
>> >> I've been thinking about the different ways to handle "long forms":
>> >>
>> >> - Random values: If we have a form with a lot of
>> >> combo/radio/select and the permutations of all of them exceed the
>> >> number of max permutations, one of the options would be to perform a
>> >> random choice of the combo box values and fuzz the other parameter.
>> >> The problem with that is that if the user scans the site again, after
>> >> finding something in a first scan, the probabilities say that he may
>> >> not find the vulnerability again! Example:
>> > ...
>> >> - Top and bottom values: If we have a form with a lot of
>> >> combo/radio/select and the permutations of all of them exceed the
>> >> number of max permutations, one of the options would be to select the
>> >> top and bottom values of the combo box and fuzz the other parameter. I
>> >> think that this is the best option and gives the highest code coverage
>> >> with the fewest requests. Example:
>> > ...
>> >> What do you think about the top/bottom idea?
>> > I like it! So it would be great if we have 3 options for
>> > parsing/generating mutants:
>> > - all variants of form element values
>> > - random values
>> > - top/bottom values
>>
>> I would remove the random values, because they'll be confusing for
>> people when they re-run a scan. I would leave:
>>
>> - all variants of form element values
>> - top/bottom values
>> - top/middle/bottom values (maybe this could be the default?)
>>
>> > As I think, after I finish developing the first option, the other two will
>> > be trivial.
>>
>> Yes, once you have one working... it's 10 more minutes of work+testing
>> to make the other one work.
>
> --
> Тарас Иващенко (Taras Ivashchenko), OSCP
> www.securityaudit.ru
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
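The value-selection modes (t, b, tb, tmb, all) and the "fall back when the permutations exceed the maximum" reasoning from this thread, as an added example that is not w3af's own code: `select_values`, `form_variants`, `pick_mode`, the middle-entry rule and the sample form are all assumptions made here for illustration.

```python
# Added example, not w3af's own code: pick which <select>/radio values to fuzz
# per the thread's modes, falling back to a sparser mode over a permutation budget.
from itertools import product

# Mode -> option indexes to keep. None stands for the middle entry; picking
# the middle as len(options) // 2 is an assumption, the thread does not say.
_MODE_INDEXES = {"t": (0,), "b": (-1,), "tb": (0, -1), "tmb": (0, None, -1)}


def select_values(options, mode="tmb"):
    """Values of one select/radio control kept under `mode`, in page order.

    Duplicates are dropped, so a one- or two-entry control never repeats.
    """
    options = list(options)
    if mode == "all" or not options:
        return options
    if mode not in _MODE_INDEXES:
        raise ValueError("unknown mode: %r" % (mode,))
    picked = []
    for idx in _MODE_INDEXES[mode]:
        value = options[len(options) // 2 if idx is None else idx]
        if value not in picked:
            picked.append(value)
    return picked


def form_variants(form, mode="tmb"):
    """One dict per combination of kept values; `form` maps control name
    to its option values. The text inputs being fuzzed are not part of it."""
    names = list(form)
    kept = [select_values(form[name], mode) for name in names]
    return [dict(zip(names, combo)) for combo in product(*kept)]


def pick_mode(form, max_permutations):
    """Densest mode whose variant count fits the budget. Deterministic, so
    a re-scan sends the same requests (why the thread drops random choice)."""
    for mode in ("all", "tmb", "tb", "t"):
        if len(form_variants(form, mode)) <= max_permutations:
            return mode
    return "t"  # a single variant is always sent


# Constructed sample form: three selects with five options each (125 combos).
SAMPLE_FORM = {
    "country": ["ar", "br", "cl", "ru", "ua"],
    "currency": ["ARS", "BRL", "CLP", "RUB", "UAH"],
    "lang": ["es", "pt", "es-CL", "ru", "uk"],
}
```

With the sample form, "all" yields 125 variants, "tmb" 27, "tb" 8 and "t" 1, so a budget of 30 permutations lands on "tmb".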