Achim,

On Mon, Nov 16, 2009 at 12:37 PM, Achim Hoffmann <a...@securenet.de> wrote:
>
> Best regards
> Achim
>
> On Sun, 15 Nov 2009, Andres Riancho wrote:
>
> !! > So, identifying length limits, hidden values and constants (i.e. select options)
> !! > is a good idea and can be fed to a fuzzer plugin to make more sophisticated
> !! > tests.
> ...
> !! > Does this make sense?
> !!
> !! Yes, a lot of sense to me in the case of the fuzzing, but not that
> !! much sense on the side of "finding a vulnerability" trying to send a
> !! request with maxlength-1, maxlength, maxlength+1. Why not send
> !! maxlength+whatever directly and see what happens?
>
> Following assumption:
> If the application sets a maxlength in the form, it could be assumed
> that it does some (input) data validation according to this length also.
>
> If we fuzz with values - let's say +-5 or +-10 - around the maxlength value,
> the chance is much greater to find an off-by-one weakness, a buffer overflow
> or a format string weakness rather than bothering the application with huge
> payloads.
> Also keep in mind that a huge payload may be filtered off before being passed
> to the final application.
>
> I believe that testing/fuzzing with some kind of intelligence should
> generate better results.
Yes, I agree with you on the off-by-one, buffer overflow and format string vulnerabilities. On the other side, I don't think that because of a "maxlength=5" I would restrict the framework from sending something like "<script>alert(1)</script>" to that parameter.

To sum up:

- I'll add a maxlength param to forms
- I'll use it in the format string and buffer overflow plugins

Thank you so much for your comments. I learn something in every thread you talk =)

Cheers,

> Achim
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
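The thread above sketches two pieces: pulling `maxlength`, hidden values and `select` options out of a form, and generating test lengths in a window around the limit so that server-side validation can be checked at its boundary instead of with oversized payloads. The following is an added illustration of that idea, written for this page; it is not w3af code, and the form markup, the `window` default of 5 and the `fill` character are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample form for the example; not taken from any real application.
SAMPLE_FORM = """
<form action="/login" method="post">
  <input type="text" name="user" maxlength="8">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="comment">
  <select name="role"><option value="guest">Guest</option><option value="admin">Admin</option></select>
</form>
"""


class FormLimits(HTMLParser):
    """Collect per-field maxlength values, hidden constants and select options."""

    def __init__(self):
        super().__init__()
        self.maxlengths = {}  # field name -> int
        self.hidden = {}      # field name -> fixed value
        self.options = {}     # select name -> list of option values
        self._select = None   # name of the <select> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)       # attribute values may be None when given bare
        if tag == "input" and a.get("name"):
            if a.get("type") == "hidden":
                self.hidden[a["name"]] = a.get("value") or ""
            ml = a.get("maxlength")
            if ml and ml.isdigit():
                self.maxlengths[a["name"]] = int(ml)
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.options[self._select] = []
        elif tag == "option" and self._select:
            self.options[self._select].append(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def parse_form(html):
    p = FormLimits()
    p.feed(html)
    return p


def boundary_lengths(maxlength, window=5):
    """Lengths in [maxlength-window, maxlength+window] (never below 0), plus the 0 and 1 edge cases."""
    around = range(max(0, maxlength - window), maxlength + window + 1)
    return sorted(set(around) | {0, 1})


def length_test_cases(html, window=5, fill="A"):
    """Map each field that declares a maxlength to its boundary-length test strings."""
    limits = parse_form(html).maxlengths
    return {name: [fill * n for n in boundary_lengths(ml, window)] for name, ml in limits.items()}
```

Fields without a `maxlength` (like `comment` above) get no length cases, which matches the reply: the limit narrows the length checks, it does not stop other payloads from being sent to the parameter.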