Aaron,

On Thu, Apr 16, 2009 at 8:10 PM, Aaron Peterson
<aa...@midnightresearch.com> wrote:
> Hi Andres:
>
> We talked on IRC a couple weeks ago about how I might be able to help out w3af,
> and you gave me an easy bug that didn't require much knowledge of the internals
> to fix.
>
> http://sourceforge.net/tracker/?func=detail&aid=2675986&group_id=170274&atid=853652
>
> I'm attaching a small patch that should fix it.  There was a statement
> validating some of the page content a couple lines up from this one, but since
> it was a logically different check I just added a new statement.

Thank you very much for the contribution, your patch is extremely
simple, I was thinking about doing it in a MUCH more complicated and
stupid way.

Here is a transcription of what we talked about on IRC:

<dz0> what happens if there is an IP address
<dz0> a private ip address
<dz0> that's not the IP address of the local system that's running w3af
<dz0> and there is a X-Forwarded-For printed for some reason
<dz0> the html would look like:
<dz0> """
<dz0> X-Forwarded-For: 192.168.1.1
<dz0> f00
<dz0> b4r
<dz0> 10.0.0.1
<dz0> """
<dz0> where 10.0.0.1 is the private IP address of the web server
<dz0> and 192.168.1.1 is the private ip address of the w3af host
<dz0> I think that we could do a nicer match
<dz0> and don't ignore all htmls that have the X-Forwarded-For string
<dz0> we should follow this logic:
<dz0>     - find all private ip addresses
<dz0>     - for each private ip, check if in the same line, there is an X-Forwarded-For:
<dz0>     - if no X-Forwarded-For: in the same line (before the IP), then we found something
<dz0>     - if the ip address is preceded by "X-Forwarded-For:", then ignore it
<aaronp__> yeah, that makes sense
<dz0> that would be a little better, and there is no performance hit
<aaronp__> I'll check into doing that method instead
<aaronp__> true
<aaronp__> and no false-negatives as a result
<dz0> because we only check for the "X-Forwarded-For:" before xyz, WHEN we find an ip address
<dz0> yes, and no false negatives (or... not as many as with the other solution)

> Anyway, sorry it took so long to get it to you, things were more busy than I
> expected.  I'd like to do some more things to help out if possible.  Let me
> know if there are any other relatively contained bugs I can help with until I
> get a better feel for the framework.

No problem, this is open source and contributing is what counts, not
when you do it. After we discuss the idea I proposed before, or you
code it, I'll give you one more small bug to fix =)

Once again, thank you for contributing,

>
> Thanks,
>
> Aaron
>
> ps.  Also, let me know if you'd prefer .diff's in a different format in the
> future

No, diffs are ok like this,

> ------------------------------------------------------------------------------
> Stay on top of everything new and different, both inside and
> around Java (TM) technology - register by April 22, and save
> $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> 300 plus technical and hands-on sessions. Register today.
> Use priority code J9JMT32. http://p.sf.net/sfu/p
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
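
The per-line matching logic proposed in the IRC transcript above, as an added sketch that is not part of the original thread and not w3af's own code. The function names, the RFC 1918 definition of "private", and the case-insensitive header match are assumptions made for this example.

```python
import ipaddress
import re

# Assumption: "private IP address" means the three RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Candidate dotted quads that are not part of a longer dotted number.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

# Assumption: compare case-insensitively, since header names are.
XFF = "x-forwarded-for:"

# The response body from the transcript (reproduced as sample input).
SAMPLE = "X-Forwarded-For: 192.168.1.1\nf00\nb4r\n10.0.0.1\n"


def is_rfc1918(text):
    """True if text parses as an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # out-of-range octets such as 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)


def find_private_ips(body):
    """Return (line_number, ip) for each private IP that is not preceded
    by "X-Forwarded-For:" on the same line."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), 1):
        for match in IPV4_RE.finditer(line):
            ip = match.group()
            if not is_rfc1918(ip):
                continue
            # The header check runs only after an IP was found, and only
            # against the text that comes before that IP on the line.
            if XFF in line[:match.start()].lower():
                continue
            findings.append((lineno, ip))
    return findings


if __name__ == "__main__":
    for lineno, ip in find_private_ips(SAMPLE):
        print("line %d: private IP disclosed: %s" % (lineno, ip))
```

On the transcript's sample body this reports only 10.0.0.1, while a page-wide "skip if X-Forwarded-For appears anywhere" check would have missed it.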
