Dimitri,

On Tue, May 19, 2009 at 1:50 PM, Dimitri Paranoid <dimi...@googlemail.com> wrote:
> Hi guys,
> I played with w3af for the first time today. I'm specifically
> interested in the XSS scanning (crawling + fuzzing).
> It seems w3af does not catch the case when the site echoes the
> double-encoded JavaScript.
> I added the following tests in xss.py, function _get_xss_tests:
>
> # D.S - url escaped injection string
> xss_tests.append(('%3CSCrIPT%3Ealert%28%22RANDOMIZE%22%29%3C/SCrIPT%3E', [browsers.ALL, ]))
>
> # D.S - double quoted injection string
> xss_tests.append(('%2522%253E%253Cscript%253Ealert%2528/RANDOMIZE/%2529%253C/script%253E', [browsers.ALL, ]))
>
> then it does pick it up.
> Here's the PHP file that I used to test it:
>
> <?php
> // Test page: deliberately echoes the parameter unescaped, both as
> // received (already decoded once by PHP) and after a second urldecode().
> $param = isset($_GET['param']) ? $_GET['param'] : '';
> echo "Initial param: $param<BR>\n";
> $param_esc = urldecode($param);
> echo "Param decoded: $param_esc <BR>\n";
> // compose the URL to the current page
> $url = !empty($_SERVER['HTTPS']) ? 'https://' : 'http://';
> $url .= $_SERVER['SERVER_NAME'];
> if (!empty($_SERVER['SERVER_PORT'])) {
>     $url .= ":" . $_SERVER['SERVER_PORT'];
> }
> $url .= $_SERVER['PHP_SELF'];
> if (!empty($_SERVER['QUERY_STRING'])) {
>     $url .= '?' . $_SERVER['QUERY_STRING'];
> } else {
>     $url .= '?' . 'param=a';
> }
> echo '<A href="' . $url . "\">$url</A>";
> ?>
>
> and here's the related w3af output with the added tests:
>
> Starting xss plugin execution.
> Cross Site Scripting was found at: "[URL]", using HTTP method GET. The sent data was:
> "param=%252522%25253E%25253Cscript%25253Ealert%252528/9v5SFsQ4yG8Wd/%252529%25253C/script%25253E".
> This vulnerability affects ALL browsers. This vulnerability was found in the request with id 45.
This issue is much easier to solve than you think, and it's a more general issue in w3af. The w3af framework uses the payloads that are embedded in the plugin to find vulnerabilities. The plugins generate something called mutants based on those payloads; mutants are requests that in a particular parameter have a payload. The mutants are created using a function called "createMutants". The way to solve this issue, and issues with double encoding and other things like that, is to modify the "createMutants" function to create more mutants.

Example of how this works now:
- Input:
  - payload: <>
  - HTTP request with query string: id=1
- Output:
  - Mutant request with query string: id=%3C%3E

And this is how this should work in the future:
- Input:
  - payload: <>
  - HTTP request with query string: id=1
- Output:
  - Mutant request with query string: id=<> (no encoding)
  - Mutant request with query string: id=%3C%3E (simple encoding)
  - Mutant request with query string: id=%253C%253E (double encoding)
  - and maybe other mutants with different types of encoding for the information being sent.

This should be easy to implement, and I've been thinking about doing it for some time; the only problem is that I never find the time to do it.

The good thing with this is that in the plugins you only have the REAL version of the payload, without any encodings applied, and you won't need to add one extra line to the payload database as you did. The bad thing is that before we were sending 1 request, and now we are sending 3 (no encoding, simple enc, double enc). This WILL slow down the scanning progress a lot (3 times) and will bother a lot of users. I think that the default config for doing this should be something like "no enc and simple enc", and plugins should be able to override this if they want, by passing some specific parameter to "createMutants".

What do you guys think? Would this work?
> One request - would it be possible to add an option in the audit config xss:
> set numberOfChecks all
> so that when you are modifying the source you would not have to worry about
> the number of tests you run.

Ahh, this is the perfect task for a new contributor, and you seem to be the newest guy around the w3af-develop mailing list... so.... ;)

> It would be also interesting to give each test
> a short but descriptive name (like "double.enc") and allow the user to
> specify exactly which tests they want to run.

This one is a little harder, but I think it's possible to do it with some code modifications. I'll add this as a feature request, and then we'll find someone to do it.

> Cheers, may the brute force be with you! :)

=)

> Dimitri
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
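The "createMutants" change discussed in the thread, as an added example that is not w3af's own code: a minimal mutant generator that emits one request per parameter per encoding layer (none, simple, double), run against two constructed stand-ins for Dimitri's PHP test page, one that decodes the query string once (what PHP's $_GET does) and one that urldecode()s the value a second time. The payload, the encoding names, the stand-in pages and the query string are illustrative assumptions; the point is that the double-encoded mutant is only reflected by the page that decodes twice, which is exactly the case the "no enc and simple enc" default would miss.

```python
from urllib.parse import parse_qsl, quote, unquote

# Payload from the thread, stored un-encoded; RANDOMIZE stands in for w3af's random token.
PAYLOAD = '<SCrIPT>alert("RANDOMIZE")</SCrIPT>'

# Encoding layers a createMutants-style function could apply to the raw payload (assumed names).
ENCODERS = {
    "none": lambda s: s,
    "simple": lambda s: quote(s, safe=""),
    "double": lambda s: quote(quote(s, safe=""), safe=""),
}


def create_mutants(query_string, payload, encodings=("none", "simple")):
    """Return one (parameter, encoding, mutant query string) per parameter per encoding.
    Other parameters keep their original value; the default mirrors the proposed
    'no enc and simple enc' setting, and plugins would pass a wider tuple to override it."""
    params = parse_qsl(query_string, keep_blank_values=True)
    mutants = []
    for i, (name, _) in enumerate(params):
        for enc in encodings:
            pairs = [f"{n}={v}" for n, v in params]
            pairs[i] = f"{name}={ENCODERS[enc](payload)}"
            mutants.append((name, enc, "&".join(pairs)))
    return mutants


def echo_once(query_string):
    """Constructed stand-in for an ordinary PHP page: $_GET decodes once, value echoed as-is."""
    param = dict(parse_qsl(query_string, keep_blank_values=True)).get("param", "")
    return f"Initial param: {param}<BR>\n"


def echo_twice(query_string):
    """Constructed stand-in for Dimitri's test page: echoes the $_GET value and urldecode() of it."""
    param = dict(parse_qsl(query_string, keep_blank_values=True)).get("param", "")
    return f"Initial param: {param}<BR>\nParam decoded: {unquote(param)} <BR>\n"


def find_reflections(page, query_string, payload, encodings):
    """Send every mutant to `page` and report which (parameter, encoding) reflects the raw payload."""
    return [(name, enc)
            for name, enc, mutant in create_mutants(query_string, payload, encodings)
            if payload in page(mutant)]


if __name__ == "__main__":
    for page in (echo_once, echo_twice):
        print(page.__name__, find_reflections(page, "id=1&param=a", PAYLOAD, tuple(ENCODERS)))
```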