Achim,

On Mon, Dec 21, 2009 at 9:20 AM, Achim Hoffmann <a...@securenet.de> wrote:
> Floyd, Andres,
>
> can someone please enlighten me on the purpose of the FormFiller,
> before I start posting unqualified comments.
> Is it just fill forms with some kind of useful values so that
> w3af gets the next step in the application?
> Or is it some kind of fuzzing the form?

During the fuzzing process, when w3af sees a form like this one:

    - name
    - address
    - email
    - id

It will send the payloads in each parameter, one at a time. The thing
here is that the rest of the parameters need to be filled with
something meaningful. Without form filler, the requests would look
like these:

    name=payload&address=&email=&id=
    name=&address=payload&email=&id=
    name=&address=&email=payload&id=
    name=&address=&email=&id=payload

Which in most cases will be rejected by the application. With form
filler, it looks like this:

    name=payload&address=nugalon&email=w...@email.com&id=3
    name=urgmoqc&address=payload&email=w...@email.com&id=8
    name=fknauqo&address=dncgzoj&email=payload&id=9
    name=fknauqo&address=dncgzoj&email=w...@email.com&id=payload

> For the first (some useful values), I agree with both arguments
> of you. And I can add a lot of more "semantics" about parameter
> names and how their values might be checked by the application. That
> will not be a simple task for w3af to fill such forms automatically.
> I'd also argue, that not the language processed by the application
> is important, but also the primary language the application was
> intended for (examples therefore are parameter names like: adres,
> address, adresse, street, ...).

I got lost in this explanation :(

> Achim
>
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
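
The request generation described in this message, as an added sketch that is not w3af's own code and not part of the original e-mail: one request per field carries the payload, and the remaining fields are either left empty or filled. The names `smart_fill` and `fuzz_requests`, the name-matching rules and the filler values are assumptions made for illustration.

```python
import random
import string
from urllib.parse import urlencode


def smart_fill(name, rnd):
    """Pick a plausible value for a field from its name (hypothetical rules)."""
    lowered = name.lower()
    if "mail" in lowered:
        return "user@example.com"          # constructed sample address
    if lowered == "id" or lowered.endswith("_id"):
        return str(rnd.randint(1, 9))      # small numeric identifier
    # Unknown field: seven random lowercase letters, like the values in the mail.
    return "".join(rnd.choice(string.ascii_lowercase) for _ in range(7))


def fuzz_requests(fields, payload, fill=True, seed=0):
    """Build one urlencoded body per field.

    In each body exactly one field holds the payload; the others are
    filled by smart_fill (fill=True) or left empty (fill=False).
    """
    rnd = random.Random(seed)              # seeded so runs are repeatable
    bodies = []
    for target in fields:
        params = []
        for name in fields:
            if name == target:
                value = payload
            elif fill:
                value = smart_fill(name, rnd)
            else:
                value = ""
            params.append((name, value))
        bodies.append(urlencode(params))
    return bodies


if __name__ == "__main__":
    form = ["name", "address", "email", "id"]   # the form from the message
    print("Without form filler:")
    for body in fuzz_requests(form, "payload", fill=False):
        print("  " + body)
    print("With form filler:")
    for body in fuzz_requests(form, "payload"):
        print("  " + body)
```

The empty-field variant is the one a server-side "required field" check rejects before the parameter under test is ever processed, which is why the filled variant reaches more of the application.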