Martin,

On Mon, Nov 23, 2009 at 6:39 PM, Martin Tartarelli <martin.tartare...@gmail.com> wrote:
> Andres,
>
> 2009/11/23 Andres Riancho <andres.rian...@gmail.com>:
>> Guys,
>>
>> Does anybody have time to code a new audit plugin that will find
>> session fixation vulnerabilities?
>
> I have 2 Saturdays....will this be enough? =)

I think so,

>>
>> Basically the plugin needs to:
>>
>> - Read if there are current cookie parameter names (PHPSESSID=... ;
>> FOOBAR=...)
>>
>> - Append the cookie parameter to the URL:
>>     * /the/url/?id=1&PHPSESSID=w3af-session-fixation
>>     * /the/url/?id=1&FOOBAR=w3af-session-fixation
>>
>> - Analyze the response of each request, and see if there is a
>> set-cookie header in the response with the w3af-session-fixation
>> string.
>>
>> I could do it, but I would rather delegate this task, as it is
>> simple, and someone that is starting to develop in w3af can learn a
>> lot by giving it a try.
>>
>
> If possible... I will try to develop this plugin

Sure! Start whenever you want, and let me know if you need help.

Cheers,

>> Thanks!
>>
>> Cheers,
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>
> --
> Martin Tartarelli
> Linux User #476492
> http://owasp.org/index.php/Argentina
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
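The three-step check sketched in the quoted message, written out as an added, self-contained example. This is not w3af's plugin code and nothing from the thread; it is a hypothetical re-implementation in which the HTTP request is replaced by a caller-supplied `send` function, so the same logic can be run offline against two constructed stand-in applications: one that adopts a session id handed to it in the query string (the session fixation condition) and one that always issues its own id. The URL, cookie names and stub responses are constructed sample values.

```python
"""Session-fixation probe, modelled on the three steps described in the thread.

Added, self-contained illustration; not w3af's own plugin code. A real plugin
would issue HTTP requests; here `send` is a caller-supplied function so the
example runs offline against two constructed stand-in apps.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Marker value from the thread; a hit means the app adopted a session id
# that the client chose, which is exactly the session fixation condition.
MARKER = "w3af-session-fixation"


def cookie_names(cookie_header):
    """Step 1: list the cookie parameter names in a Cookie: header value."""
    names = []
    for part in cookie_header.split(";"):
        name, sep, _value = part.strip().partition("=")
        if sep and name:
            names.append(name)
    return names


def build_probe_url(url, cookie_name):
    """Step 2: append <cookie_name>=MARKER to the query, keeping existing params."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((cookie_name, MARKER))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def set_cookie_echoes_marker(set_cookie_headers, cookie_name):
    """Step 3: True if a Set-Cookie header sets cookie_name to the marker value."""
    for header in set_cookie_headers:
        name, sep, rest = header.partition("=")
        value = rest.split(";", 1)[0].strip()
        if sep and name.strip().lower() == cookie_name.lower() and value == MARKER:
            return True
    return False


def check_session_fixation(url, cookie_header, send):
    """Run the probe once per cookie name and return the names the app accepted
    from the URL. `send(probe_url)` returns the response's Set-Cookie values."""
    findings = []
    for name in cookie_names(cookie_header):
        if set_cookie_echoes_marker(send(build_probe_url(url, name)), name):
            findings.append(name)
    return findings


# Constructed stand-ins for the two server behaviours the check distinguishes.
def vulnerable_app_stub(probe_url):
    """Adopts whatever PHPSESSID arrives in the query string (fixation-prone)."""
    params = dict(parse_qsl(urlsplit(probe_url).query))
    if "PHPSESSID" in params:
        return ["PHPSESSID=%s; path=/" % params["PHPSESSID"]]
    return []


def hardened_app_stub(probe_url):
    """Ignores client-supplied ids and always issues its own session cookie."""
    return ["PHPSESSID=server-generated-id; path=/; HttpOnly"]


if __name__ == "__main__":
    url = "http://example.test/the/url/?id=1"       # constructed sample
    cookies = "PHPSESSID=abc123; FOOBAR=xyz"        # constructed sample
    print("vulnerable:", check_session_fixation(url, cookies, vulnerable_app_stub))
    print("hardened:  ", check_session_fixation(url, cookies, hardened_app_stub))
```

The finding is only raised when the marker comes back in a Set-Cookie for the same cookie name, so an application that rotates to a server-generated id on every response (the usual mitigation: regenerate the session id at login and never accept one from the URL) produces no hit, while the FOOBAR probe against the first stub shows that a non-session cookie that is merely echoed elsewhere is not reported either.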