Fabrizio,
On Tue, Apr 28, 2009 at 12:48 PM, Fabrizio Francione
<lordfa...@hotmail.it> wrote:
>
>
> Date: Tue, 28 Apr 2009 17:38:32 +0200
> I was joking . I wish they are ok.
>
I just read the code, here are my comments:
- You shouldn't change the name of the files, you changed
buffOverflow.py to bufferOverflow.py
- In most cases (just to put an example, line 76 of dav.py) you are
using tabs to indent your code. PEP-8 (which we try to follow) says
that python code should be indented using 4 spaces. You need to
configure your text editor, or IDE in order to do that.
- The main idea of the highlighting is to highlight the part of the
response that was marked as "insecure". So, highlighting things in the
request, like:
* v.addToHighlight( freq.getURL() )
* v.addToHighlight( domain_path )
Make no sense.
- For example, in the "def _SEARCH( self, domain_path ):" method, I
would have tried to do the following:
* Create a regular expression to replace "content_matches",
which would look something like:
re.compile('(<a:response>)|(<a:status>)|(xmlns:a="DAV:")')
* Then you would match that to the string
* And finally, if there is a match, you would highlight the
matching string, which you would get with something like
match.groups(0)
You are on the right path, please try to follow these simple items,
and re-send the plugins. Please re-send in this same thread.
PS: Please use inline method to answer emails,
>
> Francione Fabrizio
>
>
>
>
>> Date: Tue, 28 Apr 2009 12:26:57 -0300
>> Subject: Re: [W3af-develop] contribution
>> From: andres.rian...@gmail.com
>> To: lordfa...@hotmail.it
>>
>> Fabrizio,
>>
>> On Tue, Apr 28, 2009 at 12:12 PM, Fabrizio Francione
>> <lordfa...@hotmail.it> wrote:
>> > ok i'm working on audit.bufferOverflow.py and audit.dav.py. As soon i've
>> > finished i'll post you the two files compiled.
>>
>> No need to compile anything it's python =)
>> Just send me the bufferOverflow.py and dav.py files.
>>
>> > Francione Fabrizio
>> >
>> >
>> >
>> >
>> >> Date: Tue, 28 Apr 2009 11:45:28 -0300
>> >> Subject: Re: [W3af-develop] contribution
>> >> From: andres.rian...@gmail.com
>> >> To: lordfa...@hotmail.it
>> >> CC: w3af-develop@lists.sourceforge.net
>> >>
>> >> Fabrizio,
>> >>
>> >> On Tue, Apr 28, 2009 at 11:41 AM, Fabrizio Francione
>> >> <lordfa...@hotmail.it> wrote:
>> >> > yes, i can try.audit core is in w3af/plugins/audit right?
>> >>
>> >> Yes, the audit plugins are in w3af/plugins/audit. Please work with the
>> >> latest version from the SVN, which is available for download issuing
>> >> the command:
>> >>
>> >> svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af
>> >>
>> >> For starters, please modify two plugins (you choose which) and send
>> >> them to me for review, I'll commit your changes to the SVN. After
>> >> that, we'll keep on working that way until you manage to add that
>> >> feature to all audit plugins.
>> >>
>> >> Thanks!
>> >>
>> >> PS: Please answer the emails inline.
>> >>
>> >> > Francione Fabrizio
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >> Date: Tue, 28 Apr 2009 10:39:13 -0300
>> >> >> Subject: Re: [W3af-develop] contribution
>> >> >> From: andres.rian...@gmail.com
>> >> >> To: lordfa...@hotmail.it
>> >> >> CC: w3af-develop@lists.sourceforge.net
>> >> >>
>> >> >> Fabrizio,
>> >> >>
>> >> >> On Tue, Apr 28, 2009 at 10:21 AM, Fabrizio Francione
>> >> >> <lordfa...@hotmail.it> wrote:
>> >> >> >
>> >> >> > Hello everybody!
>> >> >> >
>> >> >> > How can i help you in this cool project ,w3af?
>> >> >>
>> >> >> Thanks for considering contributing with the w3af project. We are
>> >> >> always looking for new people to help us improve w3af and achieve to
>> >> >> the highest levels of quality.
>> >> >>
>> >> >> One of the latest features that were added to w3af, was the
>> >> >> highlighting of the text from which the vulnerability was
>> >> >> identified.
>> >> >> You should have noted this in the results tab of the GUI, in the
>> >> >> response of each of the grep plugins you'll see how the "vulnerable
>> >> >> string" was highlighted.
>> >> >>
>> >> >> For example, if a request is made to the server, and the
>> >> >> grep.privateIP finds a private IP address, you'll be able to see
>> >> >> that
>> >> >> IP address highlighted in the response part of the results tab.
>> >> >>
>> >> >> To highlight a text in the GUI, you need to set the following to the
>> >> >> info or vuln object: "v.addToHighlight( match )". Here is a small
>> >> >> copy+paste from the grep.privateIP plugin:
>> >> >>
>> >> >> """
>> >> >> v = vuln.vuln()
>> >> >> v.setURL( response.getURL() )
>> >> >> v.setId( response.id )
>> >> >> v.setSeverity(severity.LOW)
>> >> >> v.setName( 'Private IP disclosure vulnerability' )
>> >> >>
>> >> >> msg = 'The URL: "' + v.getURL() + '" returned an
>> >> >> HTTP header '
>> >> >> msg += 'with an IP address: "' + match + '".'
>> >> >> v.setDesc( msg )
>> >> >> v['IP'] = match
>> >> >> v.addToHighlight( match )
>> >> >> """
>> >> >>
>> >> >> Your task, if you want to accept it, is really simple: add the
>> >> >> "addToHighlight" method, with the corresponding parameter, to all
>> >> >> audit plugins. For example, in the audit.sqli plugin, after line
>> >> >> #84,
>> >> >> you would need to add something like "v.addToHighlight( sql_error
>> >> >> )".
>> >> >>
>> >> >> What do you think about the task? Will you be able to perform it?
>> >> >>
>> >> >> > I know some c,html and java.
>> >> >>
>> >> >> Cool, this will help,
>> >> >>
>> >> >> > thanks!
>> >> >>
>> >> >> Thank you!
>> >> >>
>> >> >> > bye!
>> >> >> > Francione Fabrizio
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > ________________________________
>> >> >> > È arrivato il nuovo Messenger! Provalo subito
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > ------------------------------------------------------------------------------
>> >> >> > Register Now & Save for Velocity, the Web Performance & Operations
>> >> >> > Conference from O'Reilly Media. Velocity features a full day of
>> >> >> > expert-led, hands-on workshops and two days of sessions from
>> >> >> > industry
>> >> >> > leaders in dedicated Performance & Operations tracks. Use code
>> >> >> > vel09scf
>> >> >> > and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>> >> >> > _______________________________________________
>> >> >> > W3af-develop mailing list
>> >> >> > W3af-develop@lists.sourceforge.net
>> >> >> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Andrés Riancho
>> >> >> http://www.bonsai-sec.com/
>> >> >> http://w3af.sourceforge.net/
>> >> >
>> >> > ________________________________
>> >> > Il remix esclusivo di Messenger. Scaricalo gratis!
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------------
>> >> > Register Now & Save for Velocity, the Web Performance & Operations
>> >> > Conference from O'Reilly Media. Velocity features a full day of
>> >> > expert-led, hands-on workshops and two days of sessions from industry
>> >> > leaders in dedicated Performance & Operations tracks. Use code
>> >> > vel09scf
>> >> > and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>> >> > _______________________________________________
>> >> > W3af-develop mailing list
>> >> > W3af-develop@lists.sourceforge.net
>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> http://www.bonsai-sec.com/
>> >> http://w3af.sourceforge.net/
>> >
>> > ________________________________
>> > 25 GB di spazio gratuito su Internet! Prova SkyDrive
>> >
>> > ------------------------------------------------------------------------------
>> > Register Now & Save for Velocity, the Web Performance & Operations
>> > Conference from O'Reilly Media. Velocity features a full day of
>> > expert-led, hands-on workshops and two days of sessions from industry
>> > leaders in dedicated Performance & Operations tracks. Use code vel09scf
>> > and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>> > _______________________________________________
>> > W3af-develop mailing list
>> > W3af-develop@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> http://www.bonsai-sec.com/
>> http://w3af.sourceforge.net/
>
> ________________________________
> Dillo con le Emoticon! Scarica il nuovo Messenger 2009
> ________________________________
> 25 GB di spazio gratuito su Internet! Prova SkyDrive
> ------------------------------------------------------------------------------
> Register Now & Save for Velocity, the Web Performance & Operations
> Conference from O'Reilly Media. Velocity features a full day of
> expert-led, hands-on workshops and two days of sessions from industry
> leaders in dedicated Performance & Operations tracks. Use code vel09scf
> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
------------------------------------------------------------------------------
Register Now & Save for Velocity, the Web Performance & Operations
Conference from O'Reilly Media. Velocity features a full day of
expert-led, hands-on workshops and two days of sessions from industry
leaders in dedicated Performance & Operations tracks. Use code vel09scf
and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
