Hi, Dimitri! Thanks for your interest in w3af! How often does such a situation (some input parameter being echoed back to the browser after URL decoding) actually occur in practice?

> Hi guys,
> I played with w3af for the first time today. I'm specifically
> interested in the XSS scanning (crawling + fuzzing).
>
> It seems w3af does not catch the case when the site echoes the
> double-encoded JavaScript.
> I added the following tests in xss.py, function _get_xss_tests:
>
> # D.S - url escaped injection string
> xss_tests.append(('%3CSCrIPT%3Ealert%28%22RANDOMIZE%22%29%3C/SCrIPT%3E',
>                   [browsers.ALL, ]))
>
> # D.S - double quoted injection string
> xss_tests.append(('%2522%253E%253Cscript%253Ealert%2528/RANDOMIZE/%2529%253C/script%253E',
>                   [browsers.ALL, ]))
>
> then it does pick it up.
>
> Here's the PHP file that I used to test it:
>
> <?php
> // Deliberately vulnerable test page: both echoes reflect the input unescaped.
> // $_GET is already URL-decoded once by PHP; urldecode() below decodes a second time.
> $param = isset($_GET['param']) ? $_GET['param'] : '';
> echo "Initial param: $param<BR>\n";
> $param_esc = urldecode($param);
> echo "Param decoded: $param_esc <BR>\n";
> // compose the URL to the current page
> // ($_SERVER{'...'} curly-brace array access is removed in PHP 8; use [] instead)
> $url = !empty($_SERVER['HTTPS']) ? 'https://' : 'http://';
> $url .= $_SERVER['SERVER_NAME'];
> if (!empty($_SERVER['SERVER_PORT'])) {
>     $url .= ":" . $_SERVER['SERVER_PORT'];
> }
> $url .= $_SERVER['PHP_SELF'];
> if (!empty($_SERVER['QUERY_STRING'])) {
>     $url .= '?' . $_SERVER['QUERY_STRING'];
> } else {
>     $url .= '?' . 'param=a';
> }
> echo '<A href="' . $url . "\">$url</A>";
> ?>
>
> and here's the related w3af output with the added tests:
>
> Starting xss plugin execution.
> Cross Site Scripting was found at: "[URL]", using HTTP method GET. The sent
> data was:
> "param=%252522%25253E%25253Cscript%25253Ealert%252528/9v5SFsQ4yG8Wd/%252529%25253C/script%25253E".
> This vulnerability affects ALL browsers. This vulnerability was found in the
> request with id 45.
>
> One request - would it be possible to add an option in the audit config xss:
> set numberOfChecks all
> so that when you are modifying the source you would not have to worry about
> the number of tests you run. It would also be interesting to give each test
> a short but descriptive name (like "double.enc") and allow the user to
> specify exactly which tests they want to run.
>
> Cheers, may the brute force be with you! :)
>
> Dimitri

--
Тарас Иващенко (Taras Ivashchenko), OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds
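The following is an added example, not code from the thread or from w3af: a Python model of the decode chain in Dimitri's PHP test page (PHP's one decode into $_GET, then the page's extra urldecode()), used to show which echo a payload with a given number of encoding layers reaches, why a scanner or filter that decodes only once misses the double-encoded case, and that escaping at the output sink closes both echoes. All names and the marker string are constructed for the example.

```python
from urllib.parse import quote, unquote
import html

# Constructed marker standing in for w3af's RANDOMIZE payload.
SCRIPT = '"><script>alert(1)</script>'


def url_encode(value: str, layers: int = 1) -> str:
    """Percent-encode every non-alphanumeric byte, `layers` times over."""
    for _ in range(layers):
        value = quote(value, safe='')
    return value


def php_page_render(wire_value: str, escape: bool = False) -> tuple:
    """Model (constructed) of the quoted PHP page. PHP decodes the query
    string once into $_GET; the page then calls urldecode() a second time.
    Returns (initial_echo, decoded_echo). With escape=True both echoes go
    through an htmlspecialchars()-style escape, which is the actual fix."""
    get_param = unquote(wire_value)   # what $_GET['param'] holds
    decoded = unquote(get_param)      # urldecode($param)
    if escape:
        get_param = html.escape(get_param, quote=True)
        decoded = html.escape(decoded, quote=True)
    return get_param, decoded


def reflected_sinks(wire_value: str, marker: str = SCRIPT) -> list:
    """Names of the echoes in which the marker lands as literal markup."""
    initial, decoded = php_page_render(wire_value)
    return [name for name, out in (('initial', initial), ('decoded', decoded))
            if marker in out]


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode until a fixed point: a defender-side check that only
    decodes once sees '%3Cscript%3E' and never matches the double-encoded
    payload, whereas repeated decoding reveals what the page will echo."""
    for _ in range(max_rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


if __name__ == '__main__':
    for layers in (1, 2, 3):
        print(layers, 'layer(s) ->', reflected_sinks(url_encode(SCRIPT, layers)))
```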
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop