Hello:

On Thu, Apr 16, 2009 at 08:34:24PM -0300, Andres Riancho wrote:
> On Thu, Apr 16, 2009 at 8:10 PM, Aaron Peterson
> <aa...@midnightresearch.com> wrote:
> > Hi Andres:
> >
> > We talked on IRC a couple weeks ago about how I might be able to help out
> > w3af, and you gave me an easy bug that didn't require much knowledge of
> > the internals to fix.
> >
> > http://sourceforge.net/tracker/?func=detail&aid=2675986&group_id=170274&atid=853652

[...]

> <dz0> I think that we could do a nicer match
> <dz0> and don't ignore all htmls that have the X-Forwarded-For string
> <dz0> we should follow this logic:
> <dz0>     - find all private ip addresses
> <dz0>     - for each private ip, check if in the same line, there is an X-Forwarded-For:
> <dz0>     - if no X-Forwarded-For: in the same line (before the IP), then we found something
> <dz0>     - if the ip address is preceded by "X-Forwarded-For:", then ignore it

Here's another small patch that should address this a little better than the
previous one.  It's actually pretty similar to the old one; it just moves the
check for the proxy headers down to only match against the line that contains
the prospective private IP, to eliminate the false negatives you mentioned.

Let me know if you have any comments,


Aaron
--- privateIP.py.orig	2009-04-29 17:53:48.000000000 -0400
+++ privateIP.py	2009-04-30 12:24:48.000000000 -0400
@@ -96,6 +96,12 @@
             for regex in self._regex_list:
                 for match in regex.findall(response.getBody()):
                     match = match.strip()
+
+                    # Some proxy servers will return errors that include headers in the body
+                    # along with the client IP which we want to ignore
+                    if re.search("^.*X-Forwarded-For: .*%s" % match, response.getBody(), re.M):
+                        continue
+
                     # If i'm requesting 192.168.2.111 then I don't want to be alerted about it
                     if match != urlParser.getDomain(response.getURL()) and \
                     not self._wasSent( request, match ):
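Review bot: the suppression at `if re.search("^.*X-Forwarded-For: .*%s" % match, response.getBody(), re.M):` is body-wide rather than per occurrence, so an IP that a proxy echoes in an X-Forwarded-For: line and that also appears elsewhere in the body (in an HTML comment, say) is dropped entirely, which is not the per-line logic agreed on in the IRC log. Iterating with `regex.finditer(response.getBody())` and testing only the text between the start of that match's line and `m.start()` for the header would suppress just that occurrence. Also, `match` goes into the pattern unescaped and with no trailing boundary, so each `.` matches any character and an X-Forwarded-For: line carrying `10.0.0.100` also suppresses a separate `10.0.0.1` finding; use `re.escape(match)` and end the pattern with `\b`. Finally, the hunk relies on `re` being imported in privateIP.py, which the context lines do not show; worth confirming.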
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
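The line-aware version of the check sketched in the IRC log above, as an added example that is not w3af's own code: it suppresses a private IP only when an X-Forwarded-For: header precedes it on the same line, so the same address appearing elsewhere in the body is still reported. The private-range regex and the sample response body are constructed for the example.

```python
import re

# RFC 1918 private IPv4 ranges (constructed here; w3af keeps its own _regex_list).
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
PROXY_HEADER = "X-Forwarded-For:"


def find_leaked_private_ips(body, requested_host=None):
    """Return the private IPs disclosed in body, in first-seen order.

    An occurrence is ignored only if the X-Forwarded-For: header appears
    earlier on the *same line* (a proxy echoing the client address), and the
    host we requested ourselves is never reported.
    """
    found = []
    for m in PRIVATE_IP_RE.finditer(body):
        ip = m.group(0)
        if ip == requested_host:
            continue
        # Look only at the text from the start of this match's line up to the IP.
        line_start = body.rfind("\n", 0, m.start()) + 1
        if PROXY_HEADER in body[line_start:m.start()]:
            continue  # proxy header precedes the IP on this line: not a leak
        if ip not in found:
            found.append(ip)
    return found


# Constructed proxy error page: 10.0.0.5 is echoed in a header line (ignored)
# and also leaks in a comment (reported); 192.168.2.111 leaks in a comment.
SAMPLE_BODY = (
    "<html><body><h1>502 Bad Gateway</h1>\n"
    "<pre>X-Forwarded-For: 10.0.0.5\n"
    "Host: www.example.org</pre>\n"
    "<!-- backend: 10.0.0.5 -->\n"
    "<!-- db: 192.168.2.111 -->\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(find_leaked_private_ips(SAMPLE_BODY))
```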
