Floyd,

>>>First of all I think that I don't really understand what more complex
>>>HTML analysis we need in W3AF and needing to pay attention to such
>>>things (which are controlled on client side) like HTML tag attribute
>>>maxlength. Floyd, could you please describe it a bit more?
>
> I think it is important that a web application framework extracts as much
> information from the webpage under test
> as possible. If we know things such as maxlength (and there are many more
> interesting "tags"), we know
> better what the programmer was thinking when she wrote the HTML code.
>
> For example when a field has length 12 I would try to inject strings with
> length 12, 13 and e.g. 15 and compare the responses.

But we already don't pay attention to this attribute :) The purpose of client-side data validation is only more convenient use of the app (e.g. AJAX data validation without reloading the page). But if we talk about security validation, such HTML attributes as maxlength are useless. So the response of the webapp (server side) should not depend on an HTML tag attribute.

> Sorry I haven't read enough core code to answer that.

Oops, sorry :) I forgot to address these questions to Andres.

--
Taras

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
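
The point debated in this thread, as an added example that is not part of the original message or of w3af's code: it reads the `maxlength` hints out of a form and then checks, on the server side, whether a submitted request respected them. The sample form, the field names and the helpers `extract_limits` and `over_limit_fields` are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample form, not taken from any real application.
SAMPLE_FORM = """
<form action="/register" method="post">
  <input type="text" name="username" maxlength="12">
  <input type="password" name="password">
  <input type="text" name="zip" maxlength="5">
  <textarea name="bio" maxlength="200"></textarea>
</form>
"""


class MaxLengthCollector(HTMLParser):
    """Collect {field name: maxlength} for input and textarea elements."""

    def __init__(self):
        super().__init__()
        self.limits = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        attr = dict(attrs)
        name, raw = attr.get("name"), attr.get("maxlength")
        # Ignore fields without a name or with a non-numeric maxlength.
        if name and raw and raw.strip().isdecimal():
            self.limits[name] = int(raw)


def extract_limits(html):
    """Hypothetical helper: parse a page and return its maxlength hints."""
    collector = MaxLengthCollector()
    collector.feed(html)
    return collector.limits


def over_limit_fields(limits, submitted):
    """Return fields whose submitted value is longer than the HTML maxlength.

    A browser honouring the form would not send these, so a hit means the
    request bypassed the form and only server-side validation applies.
    """
    return sorted(
        name for name, value in submitted.items()
        if name in limits and len(value) > limits[name]
    )
```

Fields without a `maxlength`, such as `password` here, are never reported, so the server still needs its own limit for them.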