Dear Andres,
> - I would rename the file to "session_fixation.py"
> - The file header says "xss.py" and it should say "session_fixation.py"
> - Debugging comments like "print "KAKAKAKAKAK"" should be removed :)
> - getLongDesc returns all the information about XSS

Sorry, I forgot to fix these things.. :(

> - I'm not sure why you do this:
>
>     res2string=str(response.getHeaders()) ## convert to String
>     if 'Set-Cookie' in res2string: ## There is Cookie param
>
> instead of doing this:
>
>     if 'Set-Cookie' in response.getHeaders():
>         response.getHeaders()['Set-Cookie']

I fixed it

> - I don't understand the objective of "getJSESSION".

The purpose of this function is: attach the attacker's SESSION ID along with a valid username and password when the victim logs in. I have to append the attacker's SSID with Cookie .. ("Cookie: "+self._SSIDparam+"="+self._SSID) .. Then make a Mutant with this string !!! Please give me a better suggestion. Thank you.. :(

> To sum up, I think that you have good intentions, but need to
> review the main technique used to detect session fixation before
> starting to code the plugin.

Of course, I've read a lot, and I reviewed the testing instructions of OWASP: http://www.owasp.org/index.php/Testing_for_Session_Fixation_(OWASP-SM-003)
I'm finding the technique you say .. ^_^

--
Best Regards,
Summer Nguyen
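As an added example (not code from the w3af patch or from Andres's review), here is the core of the OWASP session fixation test the message links to, in plain Python: look up Set-Cookie by key as suggested in the review, record the session id issued before authentication, and flag the application when the login response keeps that id or fails to renew it. The cookie names, the header layout (a dict whose Set-Cookie entry is a list, one item per header) and the sample responses are constructed assumptions, not w3af's own API.

```python
# Session fixation check (added example, not w3af code).
# Assumption: the scanner fetched a page unauthenticated, then sent the
# login request while presenting the cookies that first response set.

SESSION_NAMES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "session")


def session_cookies(headers):
    """Return {name: value} for session-looking cookies set by a response.

    headers["Set-Cookie"] is a list, one entry per Set-Cookie header (HTTP
    may send several). The header is looked up by key, as the review
    suggests, rather than substring-searched in str(headers). Only the
    leading name=value pair matters here; attributes are ignored.
    """
    found = {}
    for raw in headers.get("Set-Cookie", []):
        pair = raw.split(";", 1)[0]
        if "=" not in pair:
            continue
        name, value = (p.strip() for p in pair.split("=", 1))
        if name in SESSION_NAMES:
            found[name] = value
    return found


def check_session_fixation(pre_auth_headers, post_auth_headers):
    """Return the names of session cookies whose pre-authentication value
    survives login. A value survives if the login response re-issues the
    same id, or issues no new id at all (the old one simply stays valid).
    Either way the id chosen before authentication is still the session."""
    before = session_cookies(pre_auth_headers)
    after = session_cookies(post_auth_headers)
    return sorted(n for n, v in before.items() if after.get(n) in (None, v))


# Constructed exchanges: the unauthenticated response, then the login
# response from a vulnerable server (id not renewed) and from a fixed one.
PRE_AUTH = {"Content-Type": "text/html",
            "Set-Cookie": ["JSESSIONID=A1B2C3; Path=/; HttpOnly"]}
VULNERABLE_LOGIN = {"Location": "/home",
                    "Set-Cookie": ["remember=1; Path=/"]}
FIXED_LOGIN = {"Location": "/home",
               "Set-Cookie": ["JSESSIONID=Z9Y8X7; Path=/; HttpOnly"]}

if __name__ == "__main__":
    print("vulnerable:", check_session_fixation(PRE_AUTH, VULNERABLE_LOGIN))
    print("fixed:", check_session_fixation(PRE_AUTH, FIXED_LOGIN))
```

A black-box scanner should confirm a hit by replaying an authenticated request with the old id, since a server may have invalidated it server-side without sending a new cookie.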
------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop