Hi Andres & List,

I've been trying to use w3af together with a web application using the Apache
wicket framework (see [1]). I've stumbled across two issues while scanning and
fuzzing the application. First some examples...

A simple form written with the wicket framework looks like this:

GET http://localhost:8080/wicket-examples/echo/
...
<form id="id1" method="post" 
action=";jsessionid=3FBF43507EFC333BB9476C1ACF786A89?wicket:interface=:0:form::IFormSubmitListener::">
<div style="display:none"><input type="hidden" name="id1_hf_0" id="id1_hf_0" 
/></div>
<input type="text" value="[type your message to the world here]" size="50" 
name="msgInput"/>
<input type="submit" value="set message" />
</form>
...

The correct joined POST action URL would look like the following:
"/wicket-examples/echo/?wicket:interface=:0:form::IFormSubmitListener::"
Unfortunately w3af does not join the domain and the relative part correctly.
w3af omits the last '/' before the question mark. I think I've managed to fix
this issue with the following piece of code. I can commit this code to the svn
if you agree.

Index: urlParser.py
===================================================================
--- urlParser.py    (revision 3176)
+++ urlParser.py    (working copy)
@@ -233,6 +233,10 @@
         scheme, domain, path, params, qs, fragment = _uparse.urlparse( baseurl 
)
         # TODO add params?!
         response =  scheme + '://' + domain + path + relative
+    elif relative.find('wicket:')> 0:
+        # Special case for the Apache Wicket framework
+        scheme, domain, path, params, qs, fragment = _uparse.urlparse( baseurl 
)
+        response = scheme + '://' + domain + path + relative
     else:
         response = _uparse.urljoin( baseurl, relative )
 
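Review bot: the new `elif` condition `relative.find('wicket:') > 0` is a substring test, so any relative link that merely contains `wicket:` somewhere in its path or query takes the concatenation branch, while a reference that begins with `wicket:` (index 0) or lacks it altogether (`find` returns -1) falls through to `urljoin`; `'wicket:' in relative` says what is meant, but the distinguishing feature of the form action shown above is that it starts with `;jsessionid=` (path parameters), so a condition such as `relative.startswith(';')` would cover the case without naming one framework. The three lines of the new branch duplicate the branch directly above it; fold the new test into that `if` with `or` instead of copying the body. Like that branch it also drops `params` from the base URL (the `# TODO add params?!`), which is harmless here only because `relative` carries its own `;jsessionid` segment.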
The other issue I've found is harder to fix. As you can see the form contains a
hidden field "id1_hf_0" which is empty. w3af tries to fuzz this parameter, which
is usually okay, but the wicket framework throws an internal server error if
this hidden field contains any kind of data. That means that no wicket form is
properly accepted by the server. My idea was to add an option to w3af which
allows a user to specify a list of parameters which will be ignored by the
plugins. Does this feature already exist? Or is someone else already
implementing this? If not I might find some time to implement this.

Cheers,
Kevin


[1] http://wicket.apache.org/
Index: urlParser.py
===================================================================
--- urlParser.py	(revision 3176)
+++ urlParser.py	(working copy)
@@ -233,6 +233,10 @@
         scheme, domain, path, params, qs, fragment = _uparse.urlparse( baseurl )
         # TODO add params?!
         response =  scheme + '://' + domain + path + relative
+    elif relative.find('wicket:') > 0:
+        # Special case for the Apache Wicket framework
+        scheme, domain, path, params, qs, fragment = _uparse.urlparse( baseurl )
+        response = scheme + '://' + domain + path + relative
     else:
         response = _uparse.urljoin( baseurl, relative )
 
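The two problems in the message, shown side by side in an added example that is neither w3af code nor part of Kevin's patch: the Wicket form quoted above is parsed with the standard library, its `;jsessionid=...?wicket:interface=...` action is resolved against the page URL with `urllib.parse.urljoin` (which keeps the trailing `/` of `/echo/` because a reference starting with `;` is a path-parameter reference), and the inputs are run through the proposed ignore list so the framework's hidden `id1_hf_0` field is never fuzzed. `naive_join` is a constructed reconstruction of the reported symptom (the last `/` disappearing), not w3af's actual code; the page URL is taken from the message, and the regex form of the ignore list is an assumption.

```python
"""Resolving an Apache Wicket form action and selecting fuzzable fields.

Added example, not w3af code: standard library only. The HTML is the echo form
quoted in the message; PAGE_URL is the GET shown there; the ignore-pattern
regexes are an assumption about how such an option could be expressed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urlunparse

# Constructed sample: the Wicket echo form from the message.
PAGE_URL = "http://localhost:8080/wicket-examples/echo/"
FORM_HTML = """
<form id="id1" method="post"
action=";jsessionid=3FBF43507EFC333BB9476C1ACF786A89?wicket:interface=:0:form::IFormSubmitListener::">
<div style="display:none"><input type="hidden" name="id1_hf_0" id="id1_hf_0"
/></div>
<input type="text" value="[type your message to the world here]" size="50"
name="msgInput"/>
<input type="submit" value="set message" />
</form>
"""


class FormParser(HTMLParser):
    """Collects the action and the named inputs of the first <form> seen."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.inputs = []  # (name, type, value) for every <input> with a name

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = attrs.get("action", "")
        elif tag == "input" and attrs.get("name"):
            self.inputs.append(
                (attrs["name"], attrs.get("type", "text"), attrs.get("value", ""))
            )


def parse_form(html):
    parser = FormParser()
    parser.feed(html)
    return parser.action, parser.inputs


def resolve_action(page_url, action):
    """RFC 3986 resolution via urljoin: a relative reference beginning with ';'
    is appended to the base path as path parameters, so '/echo/' keeps its
    trailing slash and the jsessionid segment survives."""
    return urljoin(page_url, action)


def naive_join(page_url, action):
    """Constructed illustration of the symptom reported on the list, not w3af's
    code: treating the reference as a replacement for the last path segment
    strips the base path's trailing '/'."""
    parts = urlparse(page_url)
    base_dir = parts.path.rstrip("/")
    rel_path, _, query = action.partition("?")
    return urlunparse(parts._replace(path=base_dir + rel_path, query=query))


def same_origin(page_url, target_url):
    """Defensive check before a scanner submits a resolved form: the action
    must stay on the page's scheme and host:port."""
    a, b = urlparse(page_url), urlparse(target_url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def fuzzable_fields(inputs, ignore_patterns=()):
    """Names a fuzzer may modify. Submit buttons are skipped, and any name
    matching an ignore pattern (the proposed per-scan ignore list, expressed
    here as regexes: an assumption) is left exactly as served, which is what
    Wicket's hidden id1_hf_0 field needs."""
    compiled = [re.compile(p) for p in ignore_patterns]
    selected = []
    for name, input_type, _value in inputs:
        if input_type == "submit":
            continue
        if any(c.search(name) for c in compiled):
            continue
        selected.append(name)
    return selected


if __name__ == "__main__":
    action, inputs = parse_form(FORM_HTML)
    resolved = resolve_action(PAGE_URL, action)
    print("resolved:", resolved)
    print("naive:   ", naive_join(PAGE_URL, action))
    print("same origin:", same_origin(PAGE_URL, resolved))
    print("fuzz:    ", fuzzable_fields(inputs, ignore_patterns=[r"_hf_\d+$"]))
```

Run as a script it prints the correctly resolved URL `http://localhost:8080/wicket-examples/echo/;jsessionid=...?wicket:interface=:0:form::IFormSubmitListener::`, the broken `.../echo;jsessionid=...` variant for contrast, and `['msgInput']` as the only field left to fuzz once `_hf_\d+$` is ignored.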
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop