List,

    I just added a new feature for the framework, support for
"repeated parameter names". I was analyzing a website and I realized
that it was using something *really* weird:

    http://host.tld/index.do?sp=1&sp=spam&sp=eggs

    And for example, I was able to manually find an XSS in the second
"sp" parameter. w3af wasn't able to analyze the website, because it
didn't support repeated parameter names, and parsed links like the one
above as:

    http://host.tld/index.do?sp=eggs

    Which triggered a bug in the web application, because it was
trying to access "$sp[1]" and "$sp[2]" and they were not there. The
bug that I triggered was nice... but I wanted to be able to find the
XSS. After some small searching, I realized the repeated parameter
names are actually a valid thing in the RFC, and are supported by
browsers, etc.

    I just committed the change to the trunk, a lot of files were
modified, this means that a lot of bugs may have been added... so...
be patient, and report them. If you want a stable version, use the one
in the "branches/1.0" SVN directory.

Cheers,
-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
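
The parsing difference described in the message above, as an added example that is not part of the original mail and is not w3af's own code. The function names and the `CANARY` marker value are hypothetical; the sketch shows how a dict-based parse collapses the URL to `sp=eggs`, and how an ordered parse lets a scanner test each occurrence separately while the other values stay in place.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MARKER = "CANARY"  # constructed, harmless marker value (assumption)


def collapsed_params(url):
    """Dict-based parse: a repeated name keeps only its last value."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def ordered_params(url):
    """Order-preserving parse: every (name, value) occurrence is kept."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def rebuild(url, params):
    """Re-serialise a list of (name, value) pairs into the URL's query."""
    return urlunsplit(urlsplit(url)._replace(query=urlencode(params)))


def per_occurrence_variants(url, marker=MARKER):
    """Return (name, occurrence, url) with one occurrence replaced at a time.

    The untouched occurrences keep their original values, so an application
    that reads $sp[1] and $sp[2] still receives all of its parameters.
    """
    params = ordered_params(url)
    seen = Counter()
    variants = []
    for position, (name, _value) in enumerate(params):
        changed = list(params)
        changed[position] = (name, marker)
        variants.append((name, seen[name], rebuild(url, changed)))
        seen[name] += 1
    return variants


if __name__ == "__main__":
    sample = "http://host.tld/index.do?sp=1&sp=spam&sp=eggs"  # URL from the mail
    print("collapsed:", rebuild(sample, list(collapsed_params(sample).items())))
    for name, occurrence, variant in per_occurrence_variants(sample):
        print(f"{name}[{occurrence}] -> {variant}")
```
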