Taras,

The idea is to focus your tests on the information gathered through the client-side material. For example, if you obtain an input field, without any other information, you can try multiple input lengths on it (the number of tries is arbitrary and could be endless). However, if you collect client information about its size, you can focus on the limits around that constraint, plus a few big ones (e.g. 512, 1024, etc).
I agree with you that there are two places where the info is located: the form elements, and JavaScript. The end goal should be to gather both and design the tests based on that info. Up to now we can only start with the forms, till Andres finds time to provide the JavaScript parser he mentioned a couple of mails ago ;) ;) ;)

Seriously, I see a benefit of gathering client-side info to drive some of the server side tests. It is just an improvement to focus the server side tests, especially when you want to limit the time the test will require and want to reduce the number of combinations for input fields. Of course, another issue is to evaluate the benefit versus the effort required to implement it.

Cheers,
--
Raul Siles
www.raulsiles.com

On Wed, Nov 11, 2009 at 1:06 PM, Taras <ta...@securityaudit.ru> wrote:
> Raul,
>
>> Hi Taras,
>> I'm not sure if Floyd's purpose was this, but it is useful to play
>> around the client side constraints, as they can provide a very good
>> insight of what the developers implemented on the server side too.
>
> Could you please describe it more because "to play around the client side
> constraints"
> is very general?
>
>> Both constraints, client and server, should be the same, but sometimes
>> they are out of sync and entry points (vulnerabilities) can be easily
>> identified playing around those limits (e.g. 29,30,31 for a maxlength
>> of 30).
>
> Example with maxlength is not good.
> Such validation usually is made on JavaScript.
> What should we do in such a situation?
> My point of view is we do not need to pay so much attention to client side
> *security* validation because it is not so trivial but at same time is not
> main factor in validation schema.
>
> --
> Taras
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
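The form-driven approach discussed in this thread, as an added example that is not part of the original messages and is not w3af code: it reads `maxlength` from form fields and plans the lengths to send around that limit (29, 30, 31 for a limit of 30) plus the big ones Raul mentions. All function and class names, the sample form, and the fallback lengths for fields with no client-side hint are assumptions made for illustration.

```python
from html.parser import HTMLParser

BIG_LENGTHS = (512, 1024)            # the "few big ones" from the message
SKIP_TYPES = {"submit", "button", "reset", "image"}

class FormLimits(HTMLParser):
    """Collect {field name: maxlength or None} from input/textarea tags."""

    def __init__(self):
        super().__init__()
        self.limits = {}

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = dict(attrs)
        name = a.get("name")
        if not name or (a.get("type") or "text").lower() in SKIP_TYPES:
            return
        raw = (a.get("maxlength") or "").strip()
        # A non-numeric maxlength gives no usable hint, so record None.
        self.limits[name] = int(raw) if raw.isdecimal() else None

def candidate_lengths(maxlength, fallback=(1, 64, 256)):
    """Lengths to test: limit-1, limit, limit+1, plus the big ones."""
    if maxlength is None:
        base = fallback              # assumed spread when no hint exists
    else:
        base = (maxlength - 1, maxlength, maxlength + 1)
    return sorted({n for n in (*base, *BIG_LENGTHS) if n >= 0})

def plan(html):
    """Map each form field to the input lengths worth sending to the server."""
    parser = FormLimits()
    parser.feed(html)
    return {name: candidate_lengths(limit)
            for name, limit in parser.limits.items()}

# Constructed sample form, not taken from any real application.
SAMPLE_FORM = """
<form action="/login" method="post">
  <input type="text" name="username" maxlength="30">
  <input type="password" name="password">
  <textarea name="comment" maxlength="abc"></textarea>
  <input type="submit" name="go" value="Login">
</form>
"""

if __name__ == "__main__":
    for field, lengths in plan(SAMPLE_FORM).items():
        print(field, lengths)
```

Limits enforced only in JavaScript, the case Taras raises, are not visible to this parser; such fields fall back to the generic spread.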