Achim,

On Wed, Nov 11, 2009 at 2:14 PM, Achim Hoffmann <a...@securenet.de> wrote:
> Taras wrote on 11.11.2009 13:06:
>
>> Example with maxlength is not good.
>> Such validation usually is made in JavaScript.
>> What should we do in such a situation?
>> My point of view is we do not need to pay so much attention to client-side
>> *security* validation because it is not so trivial but at the same time is not
>> the main factor in the validation schema.
>
> Look at it the other way around:
> if w3af gives hints about *expected* values for a parameter, you (or even
> w3af) can easily find the unexpected ones.
> This has nothing to do with client-side security. We all know that each check
> on the client side must be done on the server side also.
>
> So, identifying length limits, hidden values and constants (i.e. select
> options) is a good idea and can be fed to a fuzzer plugin to make more
> sophisticated tests.
> A good example of how to present such results is the ntoinsight crawler.

On one side... I totally agree with Taras, that maxlength is mostly useless
for finding vulnerabilities. The framework will send the payloads and check
the response, no matter if the maxlength is 1 or 1000.

Now... after reading Achim's response I have a good example of WHY we need to
respect the maxlength in some situations. Let's imagine this form:

    <form action=handle_form.py>
    <input type='text' name='id' maxlength='3'>
    <input type='text' name='name'>
    </form>

And this pseudocode in handle_form.py:

    """
    if len(str(id)) != 3:
        return 'Invalid ID!'
    else:
        return 'Welcome ' + name
    """

Right now, w3af's fuzzer will fail to find that XSS vulnerability. Why?
Because we don't parse the maxlength parameter of the input tag. At this
moment, w3af will fill the parameter with name "id" with a random number of
(if I remember well) 5 characters, which would be incorrect. The requests
that would be sent in this case to the remote web application would look
like this:

- handle_form.py?id=<script>alert(1)</script>&name=jubfLaSsLb
- handle_form.py?id=67408&name=<script>alert(1)</script>

Both of them would return "Invalid ID!". If we handle the maxlength
parameter, we should end up with something like this:

- handle_form.py?id=<script>alert(1)</script>&name=jubfLaSsLb
- handle_form.py?id=648&name=<script>alert(1)</script>

And a nice XSS vulnerability being identified in the second request :)

> Does this make sense?

Yes, a lot of sense to me in the case of the fuzzing, but not that much sense
on the side of "finding a vulnerability" by trying to send a request with
maxlength-1, maxlength, maxlength+1. Why not send maxlength+whatever directly
and see what happens?

Cheers,

> Achim
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
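The scenario Andrés describes above, worked through as an added example (this is not w3af's code and not from the thread): a small form parser that records each input's maxlength, a request generator that fills the non-target parameters with values that respect that limit, and a constructed stand-in for handle_form.py that rejects any id whose length is not 3 and reflects name unescaped. Instead of a script payload, the probe is a benign marker string, which is enough to show why the reflection is only detectable when the filler for id has the right length. The form markup, the handler and the marker are all constructed for this example.

```python
from html.parser import HTMLParser
import random
import string

# Constructed sample form, mirroring the one in the mail above.
SAMPLE_FORM = """
<form action="handle_form.py">
<input type='text' name='id' maxlength='3'>
<input type='text' name='name'>
</form>
"""


class FormInputParser(HTMLParser):
    """Collect the form action and each <input>'s (name, maxlength) pair."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.inputs = []  # list of (name, maxlength-or-None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            raw = a.get("maxlength")
            try:
                maxlength = int(raw) if raw is not None else None
            except ValueError:
                maxlength = None  # non-numeric maxlength: treat as absent
            if maxlength is not None and maxlength < 1:
                maxlength = None  # browsers ignore non-positive limits
            self.inputs.append((a["name"], maxlength))


def parse_form(html):
    parser = FormInputParser()
    parser.feed(html)
    return parser.action, parser.inputs


def filler_value(maxlength, rng):
    """Length-aware filler: exactly maxlength digits when a limit is known,
    otherwise a 5-character token (the default size recalled in the mail)."""
    if maxlength is None:
        return "".join(rng.choices(string.ascii_letters, k=5))
    return "".join(rng.choices(string.digits, k=maxlength))


def build_fuzz_requests(html, payload, respect_maxlength=True, seed=0):
    """One request per input: that input carries the payload, every other
    input gets a filler sized by its maxlength (or ignoring it)."""
    rng = random.Random(seed)
    action, inputs = parse_form(html)
    requests = []
    for target, _ in inputs:
        params = {}
        for name, maxlength in inputs:
            if name == target:
                params[name] = payload
            else:
                limit = maxlength if respect_maxlength else None
                params[name] = filler_value(limit, rng)
        requests.append((action, params))
    return requests


def handle_form(params):
    """Constructed stand-in for the mail's handle_form.py: strict length check
    on id, then unescaped reflection of name (the defect a scanner should find)."""
    if len(str(params.get("id", ""))) != 3:
        return "Invalid ID!"
    return "Welcome " + params.get("name", "")


def find_reflections(html, payload, respect_maxlength):
    """Names of parameters whose payload came back verbatim in the response."""
    found = []
    for _action, params in build_fuzz_requests(html, payload, respect_maxlength):
        body = handle_form(params)
        for name, value in params.items():
            if value == payload and payload in body:
                found.append(name)
    return found


if __name__ == "__main__":
    marker = "reflected-marker-7f3a"  # benign reflection probe, constructed
    print("ignoring maxlength:  ", find_reflections(SAMPLE_FORM, marker, False))
    print("respecting maxlength:", find_reflections(SAMPLE_FORM, marker, True))
```

With respect_maxlength=False every request fails the id length check and nothing is reported; with it set to True the request that carries the marker in name gets a 3-digit id, passes the check, and the unescaped reflection of name is detected. The same length-aware filler is what lets a scanner reach code behind any server-side check that mirrors a client-side maxlength.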