Fabrizio,

On Tue, Apr 28, 2009 at 1:44 PM, Fabrizio Francione
<lordfa...@hotmail.it> wrote:
>
> So..
>
> 1) In most cases (just to put an example, line 76 of dav.py) you are
>> using tabs to indent your code. PEP-8 (which we try to follow) says
>> that python code should be indented using 4 spaces. You need to
>> configure your text editor, or IDE in order to do that.
>
> I was using gedit on Linux and now I'll use Emacs, but... sorry, but I
> don't understand the meaning.
>
>
> 2)- For example, in the "def _SEARCH( self, domain_path ):" method, I
>> would have tried to do the following:
>> * Create a regular expression to replace "content_matches",
>> which would look something like:
>> re.compile('(<a:response>)|(<a:status>)|(xmlns:a="DAV:")')
>> * Then you would match that to the string
>> * And finally, if there is a match, you would highlight the
>> matching string, which you would get with something like
>> match.groups(0)
>
> Why recompile content_matches? I thought it was OK, but... OK, I can change
> the name and match another name to the other string, but what's the
> effective change?

Please re-read my last email, take it easy, read PEP-8 if you need to.

Also, please re-read the part about the regular expressions. Take it
easy, nobody is rushing you to send me the patched plugins =)

> thanks,
>
>
>
> Francione Fabrizio
>
>
>
>
>> Date: Tue, 28 Apr 2009 13:10:21 -0300
>> Subject: Re: [W3af-develop] dav.py bufferOverflow.py
>> From: andres.rian...@gmail.com
>> To: lordfa...@hotmail.it
>> CC: w3af-develop@lists.sourceforge.net
>>
>> Fabrizio,
>>
>> On Tue, Apr 28, 2009 at 12:48 PM, Fabrizio Francione
>> <lordfa...@hotmail.it> wrote:
>> >
>> >
>> > Date: Tue, 28 Apr 2009 17:38:32 +0200
>> > I was joking. I wish they are ok.
>> >
>>
>> I just read the code, here are my comments:
>>
>> - You shouldn't change the name of the files, you changed
>> buffOverflow.py to bufferOverflow.py
>> - In most cases (just to put an example, line 76 of dav.py) you are
>> using tabs to indent your code. PEP-8 (which we try to follow) says
>> that python code should be indented using 4 spaces. You need to
>> configure your text editor, or IDE in order to do that.
>> - The main idea of the highlighting is to highlight the part of the
>> response that was marked as "insecure". So, highlighting things in the
>> request, like:
>> * v.addToHighlight( freq.getURL() )
>> * v.addToHighlight( domain_path )
>> makes no sense.
>>
>> - For example, in the "def _SEARCH( self, domain_path ):" method, I
>> would have tried to do the following:
>> * Create a regular expression to replace "content_matches",
>> which would look something like:
>> re.compile('(<a:response>)|(<a:status>)|(xmlns:a="DAV:")')
>> * Then you would match that to the string
>> * And finally, if there is a match, you would highlight the
>> matching string, which you would get with something like
>> match.groups(0)
>>
>> You are on the right path, please try to follow these simple items,
>> and re-send the plugins. Please re-send in this same thread.
>>
>> PS: Please use inline method to answer emails,
>>
>> >
>> > Francione Fabrizio
>> >
>> >
>> >
>> >
>> >> Date: Tue, 28 Apr 2009 12:26:57 -0300
>> >> Subject: Re: [W3af-develop] contribution
>> >> From: andres.rian...@gmail.com
>> >> To: lordfa...@hotmail.it
>> >>
>> >> Fabrizio,
>> >>
>> >> On Tue, Apr 28, 2009 at 12:12 PM, Fabrizio Francione
>> >> <lordfa...@hotmail.it> wrote:
>> >> > OK, I'm working on audit.bufferOverflow.py and audit.dav.py. As soon
>> >> > as I've finished, I'll post you the two files compiled.
>> >>
>> >> No need to compile anything, it's Python =)
>> >> Just send me the bufferOverflow.py and dav.py files.
>> >>
>> >> > Francione Fabrizio
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >> Date: Tue, 28 Apr 2009 11:45:28 -0300
>> >> >> Subject: Re: [W3af-develop] contribution
>> >> >> From: andres.rian...@gmail.com
>> >> >> To: lordfa...@hotmail.it
>> >> >> CC: w3af-develop@lists.sourceforge.net
>> >> >>
>> >> >> Fabrizio,
>> >> >>
>> >> >> On Tue, Apr 28, 2009 at 11:41 AM, Fabrizio Francione
>> >> >> <lordfa...@hotmail.it> wrote:
>> >> >> > Yes, I can try. Audit core is in w3af/plugins/audit, right?
>> >> >>
>> >> >> Yes, the audit plugins are in w3af/plugins/audit. Please work with
>> >> >> the latest version from the SVN, which is available for download by
>> >> >> issuing the command:
>> >> >>
>> >> >> svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af
>> >> >>
>> >> >> For starters, please modify two plugins (you choose which) and send
>> >> >> them to me for review, I'll commit your changes to the SVN. After
>> >> >> that, we'll keep on working that way until you manage to add that
>> >> >> feature to all audit plugins.
>> >> >>
>> >> >> Thanks!
>> >> >>
>> >> >> PS: Please answer the emails inline.
>> >> >>
>> >> >> > Francione Fabrizio
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >> Date: Tue, 28 Apr 2009 10:39:13 -0300
>> >> >> >> Subject: Re: [W3af-develop] contribution
>> >> >> >> From: andres.rian...@gmail.com
>> >> >> >> To: lordfa...@hotmail.it
>> >> >> >> CC: w3af-develop@lists.sourceforge.net
>> >> >> >>
>> >> >> >> Fabrizio,
>> >> >> >>
>> >> >> >> On Tue, Apr 28, 2009 at 10:21 AM, Fabrizio Francione
>> >> >> >> <lordfa...@hotmail.it> wrote:
>> >> >> >> >
>> >> >> >> > Hello everybody!
>> >> >> >> >
>> >> >> >> > How can I help you in this cool project, w3af?
>> >> >> >>
>> >> >> >> Thanks for considering contributing to the w3af project. We are
>> >> >> >> always looking for new people to help us improve w3af and achieve
>> >> >> >> the highest levels of quality.
>> >> >> >>
>> >> >> >> One of the latest features that were added to w3af was the
>> >> >> >> highlighting of the text from which the vulnerability was
>> >> >> >> identified. You should have noted this in the results tab of the
>> >> >> >> GUI; in the response of each of the grep plugins you'll see how the
>> >> >> >> "vulnerable string" was highlighted.
>> >> >> >>
>> >> >> >> For example, if a request is made to the server, and the
>> >> >> >> grep.privateIP finds a private IP address, you'll be able to see
>> >> >> >> that IP address highlighted in the response part of the results tab.
>> >> >> >>
>> >> >> >> To highlight text in the GUI, you need to set the following on the
>> >> >> >> info or vuln object: "v.addToHighlight( match )". Here is a small
>> >> >> >> copy+paste from the grep.privateIP plugin:
>> >> >> >>
>> >> >> >> """
>> >> >> >> v = vuln.vuln()
>> >> >> >> v.setURL( response.getURL() )
>> >> >> >> v.setId( response.id )
>> >> >> >> v.setSeverity(severity.LOW)
>> >> >> >> v.setName( 'Private IP disclosure vulnerability' )
>> >> >> >>
>> >> >> >> msg = 'The URL: "' + v.getURL() + '" returned an HTTP header '
>> >> >> >> msg += 'with an IP address: "' + match + '".'
>> >> >> >> v.setDesc( msg )
>> >> >> >> v['IP'] = match
>> >> >> >> v.addToHighlight( match )
>> >> >> >> """
>> >> >> >>
>> >> >> >> Your task, if you want to accept it, is really simple: add the
>> >> >> >> "addToHighlight" method, with the corresponding parameter, to all
>> >> >> >> audit plugins. For example, in the audit.sqli plugin, after line
>> >> >> >> #84, you would need to add something like
>> >> >> >> "v.addToHighlight( sql_error )".
>> >> >> >>
>> >> >> >> What do you think about the task? Will you be able to perform it?
>> >> >> >>
>> >> >> >> > I know some C, HTML and Java.
>> >> >> >>
>> >> >> >> Cool, this will help,
>> >> >> >>
>> >> >> >> > thanks!
>> >> >> >>
>> >> >> >> Thank you!
>> >> >> >>
>> >> >> >> > bye!
>> >> >> >> > Francione Fabrizio
>> >> >> >> >
>> >> >> >>
>> >> >> >> --
>> >> >> >> Andrés Riancho
>> >> >> >> http://www.bonsai-sec.com/
>> >> >> >> http://w3af.sourceforge.net/
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Andrés Riancho
>> >> >> http://www.bonsai-sec.com/
>> >> >> http://w3af.sourceforge.net/
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> http://www.bonsai-sec.com/
>> >> http://w3af.sourceforge.net/
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> http://www.bonsai-sec.com/
>> http://w3af.sourceforge.net/
>



-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/

------------------------------------------------------------------------------
Register Now & Save for Velocity, the Web Performance & Operations 
Conference from O'Reilly Media. Velocity features a full day of 
expert-led, hands-on workshops and two days of sessions from industry 
leaders in dedicated Performance & Operations tracks. Use code vel09scf 
and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
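
The review points in this thread (match the response against one compiled regular expression, then highlight only the text that matched in the response, not the URL or path from the request) can be sketched as follows. This is an added example, not code from w3af or from either poster: `Finding`, `add_to_highlight`, `check_search_response`, `highlight_spans` and the sample bodies are hypothetical stand-ins, and it reads the matched text with `match.group(0)`.

```python
import re

# Markers taken from the regular expression suggested in the thread.
DAV_MARKERS = re.compile(r'(<a:response>)|(<a:status>)|(xmlns:a="DAV:")')


class Finding:
    """Hypothetical stand-in for a w3af vuln/info object (not w3af code)."""

    def __init__(self, url):
        self.url = url
        self.highlight = []

    def add_to_highlight(self, text):
        # Keep each distinct string once, in first-seen order.
        if text and text not in self.highlight:
            self.highlight.append(text)


def check_search_response(url, body):
    """Return a Finding when the body looks like a WebDAV SEARCH reply,
    highlighting only strings that actually occur in the response."""
    finding = None
    for match in DAV_MARKERS.finditer(body):
        if finding is None:
            finding = Finding(url)
        # group(0) is the exact text that matched; groups() would return
        # one slot per alternative, most of them None.
        finding.add_to_highlight(match.group(0))
    return finding


def highlight_spans(body, finding):
    """(start, end) offsets a results view could mark in the response."""
    spans = []
    for text in finding.highlight:
        pattern = re.escape(text)
        spans.extend((m.start(), m.end()) for m in re.finditer(pattern, body))
    return sorted(spans)


# Constructed sample bodies (not captured from a real server).
DAV_BODY = ('<?xml version="1.0"?><a:multistatus xmlns:a="DAV:">'
            '<a:response><a:status>HTTP/1.1 200 OK</a:status></a:response>'
            '</a:multistatus>')
PLAIN_BODY = '<html><body>405 Method Not Allowed</body></html>'
```

Because every highlighted string comes from a match against the body, each one is guaranteed to be present in the response, which is what the results view needs in order to mark it.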
