Hi Andres and Co,

Been playing with w3af today and had the following error during the
xss audit plugin:

----------------------
Traceback (most recent call last):
  File "/home/christian/w3af/w3af/core/ui/gtkUi/main.py", line 588, in startScanWrap
    self.w3af.start()
  File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line 411, in start
    self._realStart()
  File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line 520, in _realStart
    self._audit()
  File "/home/christian/w3af/w3af/core/controllers/w3afCore.py", line 854, in _audit
    plugin.end()
  File "/home/christian/w3af/w3af/plugins/audit/xss.py", line 413, in end
    msg += ' URL: ' + mutant.getURL()+ '. ' + mutant.printModValue()
  File "/home/christian/w3af/w3af/core/data/fuzzer/mutant.py", line 85, in printModValue
    return 'The sent '+ self.getMutantType() +' is: "' + self.getData() + '" .'
TypeError: cannot concatenate 'str' and 'form' objects
-----------------------------

The version details of w3af I'm using are:

-----------------------------
Starting w3af, running on:
  Python version:
    2.5.2 (r252:60911, Oct  5 2008, 19:24:49)
    [GCC 4.3.2]
  GTK version: 2.14.4
  PyGTK version: 2.13.0

w3af - Web Application Attack and Audit Framework
  Version: 1.1 (from SVN server)
  Revision: 3021
  Author: Andres Riancho and the w3af team.
------------------------------

I made a slight change in the w3af/plugins/audit/xss.py as commented
below (from line 411):

------------------------------
msg = 'Permanent Cross Site Scripting was found at: ' + response.getURL()
msg += ' . Using method: ' + v.getMethod() + '. The XSS was sent to the'
#CF 28/08/09 - original line below - new line below that
#msg += ' URL: ' + mutant.getURL()+ '. ' + mutant.printModValue()
msg += ' URL: ' + mutant.getURL()
------------------------------

This seemed to resolve the problem but I don't think the above is
anything more than a bad hack.

Unsure if the actual fault lay within the w3af/core/data/fuzzer/mutant.py
getData() function.

Awesome work Andres!

Regards,

Christian

-- 
Christian Frichot
e: xnt...@gmail.com
w: http://un-excogitate.org
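An added illustration of the failure above (not w3af's own code): the original concatenation in printModValue() only works when getData() returns a string, so a form-based mutant, whose data is a dict-like form object, raises TypeError; the defensive version below coerces the data to a string first. The Form, Mutant and print_mod_value_* names are stand-ins assumed for the example, written for Python 3 rather than the Python 2.5 on the page.

```python
# Constructed stand-ins for w3af's mutant/form objects; not the real API.


class Form(dict):
    """Stand-in for w3af's form container: field name -> list of values."""

    def __str__(self):
        # Render as a query-string-like summary so it can be logged safely.
        return "&".join(f"{k}={v}" for k, vs in sorted(self.items()) for v in vs)


class Mutant:
    """Minimal mutant: a type label plus the data that was sent."""

    def __init__(self, mutant_type, data):
        self._type = mutant_type
        self._data = data

    def getMutantType(self):
        return self._type

    def getData(self):
        # For query-string mutants this is a str; for form mutants a Form.
        return self._data


def print_mod_value_original(mutant):
    # Mirrors the concatenation in the traceback: fails with TypeError
    # whenever getData() is not already a str.
    return 'The sent ' + mutant.getMutantType() + ' is: "' + mutant.getData() + '" .'


def print_mod_value_fixed(mutant):
    # Coerce any data type through str() before building the message;
    # Form supplies __str__, plain strings pass through unchanged.
    data = mutant.getData()
    if not isinstance(data, str):
        data = str(data)
    return 'The sent %s is: "%s" .' % (mutant.getMutantType(), data)


if __name__ == "__main__":
    qs = Mutant("query string parameter", "q=abc")
    form = Mutant("form", Form({"user": ["alice"], "comment": ["hello"]}))
    print(print_mod_value_original(qs))      # works: data is a str
    try:
        print_mod_value_original(form)       # raises TypeError, as in the report
    except TypeError as exc:
        print("original failed:", exc)
    print(print_mod_value_fixed(form))       # works for both data types
```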

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop