Hi,

I recently noticed (though they are a couple of months old, so maybe this has already been added to w3af?) these vulnerabilities, which are potentially quite common on PHP: http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html

Basically, PHP which relies on a filter (such as addslashes, htmlentities, escapeshellarg, etc.) will NOT be able to detect & escape byte sequences in their non-shortest form, and so an application that relies on them for security checks won't be protected at all. Therefore, XSS can be achieved in a number of extra ways, for example by

< = %3c = %c0%bc = %e0%80%bc = %f0%80%80%bc

It would be easy for w3af to detect this. Perhaps not directly in the xss-module, but in an injection-module which tries combinations and characters that can be output on the page and runs before the xss-module. Such a module could also check if a character is double-decoded onto the page and basically produce a map of wanted output -> input, so that M("<") = "%f0%80%80%bc" or M("<") = "%253C". Having this in a separate module, or at least separate in the knowledge base, could be good, since it is often possible to perform XSS even if the xss-module does not find any fitting vector (in my experience, manual fixing is often needed).

Apologies if this is already implemented; it has been a few months since I checked the source code.

Regards,
Martin Holst Swende

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
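The probing module sketched in the message above, as an added example that is not part of the original post and not w3af's own code. It generates the shortest and every non-shortest (overlong) UTF-8 form of a wanted character, plus a double-percent-encoded form, and feeds each through a hypothetical output pipeline to build the wanted-output -> input map M. Everything about the target is an assumption: `naive_escape` stands in for a byte-oriented filter that only rewrites literal ASCII metacharacters, `lenient_utf8_decode` simulates a consumer that accepts overlong sequences, and `make_sink` models a single server-side URL decode followed by the filter, an optional second decode, and rendering.

```python
import urllib.parse


def overlong_utf8(cp):
    """Return the UTF-8 encodings of code point cp: the shortest form first,
    then every overlong (non-shortest) form a lenient decoder maps back to cp.
    Only the first entry is valid UTF-8; the rest are the bypass candidates."""
    forms = []
    if cp < 0x80:
        forms.append(bytes([cp]))
    if cp < 0x800:
        forms.append(bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)]))
    if cp < 0x10000:
        forms.append(bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F),
                            0x80 | (cp & 0x3F)]))
    if cp < 0x200000:
        forms.append(bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                            0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)]))
    return forms


def percent(data):
    """Percent-encode every byte, lowercase hex, e.g. b'\\xc0\\xbc' -> '%c0%bc'."""
    return ''.join('%%%02x' % b for b in data)


def naive_escape(data):
    """Assumed stand-in for a byte-oriented HTML filter: it only recognises the
    literal one-byte metacharacters, so an overlong '<' passes untouched."""
    return (data.replace(b'&', b'&amp;').replace(b'<', b'&lt;')
                .replace(b'>', b'&gt;').replace(b'"', b'&quot;'))


def lenient_utf8_decode(data):
    """Decode UTF-8 WITHOUT rejecting overlong sequences (the behaviour that
    turns %c0%bc back into '<'). Structurally broken input becomes U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 0, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 3, b & 0x07
        else:
            out.append('\ufffd'); i += 1; continue
        tail = data[i + 1:i + 1 + n]
        if len(tail) != n or any(not 0x80 <= c < 0xC0 for c in tail):
            out.append('\ufffd'); i += 1; continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += 1 + n
    return ''.join(out)


def make_sink(strict, double_decode):
    """Hypothetical target pipeline: URL-decode once (web server), run the
    filter, optionally URL-decode again (the double-decoding bug), then render
    either with a strict UTF-8 decoder or with the lenient one."""
    def sink(url_param):
        raw = urllib.parse.unquote_to_bytes(url_param)
        raw = naive_escape(raw)
        if double_decode:
            raw = urllib.parse.unquote_to_bytes(raw)
        if strict:
            return raw.decode('utf-8', errors='replace')
        return lenient_utf8_decode(raw)
    return sink


def candidate_inputs(ch):
    """Inputs to try for one wanted character: each UTF-8 form percent-encoded,
    plus the double-percent-encoded shortest form (e.g. %253c)."""
    forms = [percent(f) for f in overlong_utf8(ord(ch))]
    forms.append(percent(ch.encode('utf-8')).replace('%', '%25'))
    return forms


def output_map(ch, sink):
    """M(ch): every candidate input that makes a literal ch reach the output."""
    return [c for c in candidate_inputs(ch) if ch in sink(c)]


if __name__ == '__main__':
    for strict in (False, True):
        for double in (False, True):
            print('strict=%s double_decode=%s M("<") = %s'
                  % (strict, double, output_map('<', make_sink(strict, double))))
```

Against the lenient sink the map is exactly the three overlong forms from the message; turning on double decoding adds `%253c`; against a strict decoder only the double-decoded form survives, because a conforming UTF-8 decoder (Python's, and current browsers) rejects overlong sequences, so the overlong trick only helps when something between the filter and the page is lenient.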