Olle, Achim,

On Fri, Mar 13, 2009 at 8:38 AM, Achim Hoffmann <a...@securenet.de> wrote:
> !!
> When a server redirects requests with a 302, vhost discovery gets
> confused.
> !!
> !! So the bug is basically that w3af follows 302 redirects off-site.
> !! This could potentially be problematic in other cases as well.
> !!
> !! This bug also means that you get false positives for vhost discovery when
> !! the tested vhost exists and the target host redirects requests for "/".
>
> there should be a list of valid destinations to follow, as well as a redirect
> limit (default 5 or so).
hmmm, I'm thinking about adding these new features to the redirection
handler (logHandler.py):

- Follow/No-Follow redirects: at this point, w3af ALWAYS follows redirects.
- List of target domains that are allowed to be followed: I'm thinking
  about... *.target.tld

With the second feature, when requesting:

    GET https://target/ HTTP/1.1
    Host: iDoNotExistPleaseGoAwayNowOrDieRhYC

The findvhost plugin gets back this from the xUrllib library:

    HTTP/1.1 302 Moved Temporarily
    content-length: 0
    expires: Thu, 01 Jan 1970 01:00:00 CET
    server: Apache-Coyote/1.1
    location: https://iDoNotExistPleaseGoAwayNowOrDieRhYC/secure/login.jsp
    pragma: No-cache
    cache-control: no-cache
    date: Fri, 13 Mar 2009 08:54:33 GMT
    content-type: text/html;charset=UTF-8

Which seems to have an empty body, and that empty body will be tagged as
"the response the webserver gives me when I access an invalid Host".

After that, the plugin will send something like:

    GET https://target/ HTTP/1.1
    Host: intranet

And the server would answer with something like:

    302...
    location: https://intranet/secure/login.jsp

Which will also have an empty body, and will match the previous
"iDoNotExistPleaseGoAwayNowOrDieRhYC" request, and will also be tagged as
non-existent.

Now... what if "extranet" actually exists on the server, and we are also
redirected to the extranet login page?

    GET https://target/ HTTP/1.1
    Host: extranet

    302...
    location: https://extranet/extranet-login.jsp

The xUrllib wouldn't follow this link, a blank body would match the
"iDoNotExistPleaseGoAwayNowOrDieRhYC" one, and we get ourselves a nice
false negative.

So, the logic in the findvhost plugin has to change, and analyze 302
responses in depth, and maybe even perform a second request like this one:

    GET https://target/extranet-login.jsp HTTP/1.1
    Host: extranet

    200...
    <html>....</html>

Then, we would get something completely different from the empty body
returned by "iDoNotExistPleaseGoAwayNowOrDieRhYC", and we would tag
"extranet" as a valid vhost.
What do you guys think? Would this work? Is my logic ok? Please help!

Cheers,

> Achim
>
>
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
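An added illustration of the two mechanisms discussed in the message above: a redirect policy with a follow/no-follow switch, an allowed-destination list and a hop limit, and a findvhost comparison that looks inside 302 responses and makes the second request. This is example code written for this page, not w3af's own logHandler.py or findvhost code. The in-memory fake_server standing in for the target, the *.target.tld hostnames, the "portal" and "loop" vhosts and every function name are assumptions made for the example.

```python
"""Added example, not w3af code: redirect policy + 302-aware vhost discovery.

Assumptions: fake_server is a constructed stand-in for the target, the
*.target.tld names are invented, and the helper names are not w3af's.
"""
import fnmatch
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# The probe Host from the thread: a name that cannot be a real vhost.
RANDOM_HOST = "idonotexistpleasegoawaynowordierhyc"
CANDIDATES = ["www.target.tld", "intranet.target.tld",
              "extranet.target.tld", "portal.target.tld"]

# Constructed stand-in for the target: (Host, path) -> (status, headers, body).
KNOWN_VHOSTS = {
    "www.target.tld": {"/": (200, {}, "<html>Welcome to www</html>")},
    # Redirects to its own login page, like "extranet" in the thread.
    "extranet.target.tld": {
        "/": (302, {"location": "https://extranet.target.tld/extranet-login.jsp"}, ""),
        "/extranet-login.jsp": (200, {}, "<html>Extranet login</html>"),
    },
    # Redirects to the same path as the default vhost but serves a different page there.
    "portal.target.tld": {
        "/": (302, {"location": "https://portal.target.tld/secure/login.jsp"}, ""),
        "/secure/login.jsp": (200, {}, "<html>Portal SSO login</html>"),
    },
    # Redirects to itself forever, to exercise the hop limit.
    "loop.target.tld": {"/": (302, {"location": "https://loop.target.tld/"}, "")},
}


def fake_server(host, path):
    """Default-vhost behaviour from the thread: an unknown Host gets an empty-bodied
    302 to /secure/login.jsp on whatever hostname was sent and a generic login page
    there; anything else is a 404."""
    if path in KNOWN_VHOSTS.get(host, {}):
        return KNOWN_VHOSTS[host][path]
    if path == "/":
        return 302, {"location": "https://%s/secure/login.jsp" % host}, ""
    if path == "/secure/login.jsp":
        return 200, {}, "<html>Generic login</html>"
    return 404, {}, "Not Found"


class RedirectPolicy:
    """Follow/no-follow switch, allowed-destination patterns, and a hop limit."""

    def __init__(self, follow=True, allowed=("target.tld", "*.target.tld"), max_redirects=5):
        self.follow = follow
        self.allowed = allowed
        self.max_redirects = max_redirects

    def allows(self, location):
        host = urlsplit(location).hostname or ""
        return self.follow and any(fnmatch.fnmatchcase(host, pat) for pat in self.allowed)


def fetch(server, host, path, policy):
    """GET path with the given Host header. A redirect is followed only while its
    Location host matches the policy and the hop budget lasts; otherwise the
    redirect response itself is handed back. Returns (status, headers, body, hops)."""
    hops = 0
    while True:
        status, headers, body = server(host, path)
        location = headers.get("location")
        if status not in REDIRECT_CODES or not location:
            return status, headers, body, hops
        if not policy.allows(location) or hops >= policy.max_redirects:
            return status, headers, body, hops  # off-site, or budget spent
        hops += 1
        parts = urlsplit(location)
        host, path = parts.hostname, parts.path or "/"


NO_FOLLOW = RedirectPolicy(follow=False)  # vhost discovery wants the raw "/" answer


def fingerprint(status, headers, body):
    """What gets compared. The body-only check misses empty 302s; this keeps the
    status and the Location *path* (hostname dropped, since the server echoes the
    Host header into it), so two empty 302s to different paths no longer match."""
    location = headers.get("location")
    return status, (urlsplit(location).path if location else None), body


def find_vhosts(server, candidates, naive=False):
    """Return {candidate: exists}. naive=True reproduces the body-only comparison."""
    base_status, base_headers, base_body, _ = fetch(server, RANDOM_HOST, "/", NO_FOLLOW)
    base_fp = fingerprint(base_status, base_headers, base_body)
    found = {}
    for cand in candidates:
        status, headers, body, _ = fetch(server, cand, "/", NO_FOLLOW)
        if naive:
            found[cand] = body != base_body
            continue
        if fingerprint(status, headers, body) != base_fp:
            found[cand] = True
            continue
        # Same fingerprint as the bogus host. If it is a 302 staying on the candidate,
        # do the second request from the thread: fetch the Location path with the
        # candidate Host and with the bogus Host, and compare those two pages.
        location = headers.get("location")
        if status == 302 and location and urlsplit(location).hostname == cand:
            path = urlsplit(location).path or "/"
            cand_page = fetch(server, cand, path, NO_FOLLOW)[2]
            base_page = fetch(server, RANDOM_HOST, path, NO_FOLLOW)[2]
            found[cand] = cand_page != base_page
        else:
            found[cand] = False
    return found


if __name__ == "__main__":
    print("body-only compare:", find_vhosts(fake_server, CANDIDATES, naive=True))
    print("302-aware compare:", find_vhosts(fake_server, CANDIDATES))
    status, _, _, hops = fetch(fake_server, RANDOM_HOST, "/", RedirectPolicy())
    print("off-site 302 handed back unfollowed:", status, "hops:", hops)
```

With the body-only comparison, extranet and portal come back as non-existent (the false negative described above); with the fingerprint plus the second request, both are found while intranet is still correctly rejected. The policy also stops the off-site redirect for the bogus Host dead at zero hops, and the self-redirecting loop vhost is abandoned after five hops instead of being chased forever.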