Glad to hear that, pootzko.

1. First learn the existing modules and how they are written.
2. Tweak them to your wish, play with them so that you can better understand
   how they work.
3. After getting familiar with them, create a very simple module, test it,
   play with it.

OK, for a quick assignment, I'd like you to write a simple module that does
HTTP Parameter Pollution (it seems that it was not written/committed to SVN
before - check this:
http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00911.html,
Andres Riancho thought it is not usable for most cases). Whether it's worth it
or not, try it.

The pseudocode is as follows:

Take a URL with parameters (e.g. http://site.com/test.php?a=1&b=2&c=3)

For each parameter

    1. Take note of the original request's response
       (http://site.com/test.php?a=1&b=2&c=3)

    2. Take note of the responses for these HPP URLs:
       http://site.com/test.php?a=1&b=2&a=yyyy&c=3
       http://site.com/test.php?a=1&b=2&c=3&a=zzz

    3. Detect using the following criteria:

       a) Compare the lengths of these responses.
          Differences in length may indicate an HPP vulnerability.

       b) Are these polluted parameters concatenated together in the
          response body?
          [ Risk: possible bypass of web application firewalls ]
          [ like: a=id+UNION+SELECT&b=2&a=%201,2,3,@@version--&c=3 ]

End For
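
The detection steps above, as an added example that is not w3af's own code: a small Python 3 module that builds the two polluted URLs for one parameter and applies criteria (a) and (b). The `fetch` callable and the `fake_server` stand-in are assumptions so it runs offline; a real plugin would fetch through the scanner's HTTP client.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Added example, not w3af code. `fetch` is an assumed callable that takes a
# URL and returns the response body as a string (see fake_server below).


def hpp_urls(url, param, values=("yyyy", "zzz")):
    """Build the two polluted URLs from the pseudocode for one parameter:
    a duplicate inserted before the last query pair, and one appended."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    variants = [pairs[:-1] + [(param, values[0])] + pairs[-1:],  # ...&a=yyyy&c=3
                pairs + [(param, values[1])]]                     # ...&c=3&a=zzz
    return [(urlunsplit(parts._replace(query=urlencode(q))), v)
            for q, v in zip(variants, values)]


def concatenated(body, first, second):
    """Criterion (b): both values appear joined, with at most one separator."""
    return re.search(re.escape(first) + r"[,; ]?" + re.escape(second),
                     body) is not None


def detect_hpp(fetch, url, param):
    """Apply criteria (a) and (b) for `param`; return (finding, url) pairs."""
    original = dict(parse_qsl(urlsplit(url).query))[param]
    base_len = len(fetch(url))
    findings = []
    for polluted, dup in hpp_urls(url, param):
        body = fetch(polluted)
        if len(body) != base_len:                        # criterion (a)
            findings.append(("length-differs", polluted))
        if concatenated(body, original, dup) or concatenated(body, dup, original):
            findings.append(("concatenated", polluted))  # criterion (b)
    return findings


def fake_server(policy):
    """Constructed stand-in for a web server that echoes parameter `a`;
    `policy` mimics how platforms resolve duplicates: first, last, concat."""
    def fetch(url):
        vals = [v for k, v in parse_qsl(urlsplit(url).query) if k == "a"]
        pick = {"first": vals[0], "last": vals[-1], "concat": ",".join(vals)}
        return "<p>a=%s</p>" % pick[policy]
    return fetch


if __name__ == "__main__":
    url = "http://site.com/test.php?a=1&b=2&c=3"
    for policy in ("first", "last", "concat"):
        print(policy, detect_hpp(fake_server(policy), url, "a"))
```

A server that keeps only the first value yields no findings, a last-wins server trips criterion (a) only, and a server that joins duplicates trips both criteria.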

On Fri, Sep 3, 2010 at 4:48 AM, Taras <ox...@oxdef.info> wrote:

> -------- Forwarded Message --------
> From: pootzko <poot...@gmail.com>
> Reply-to: poot...@gmail.com
> To: Taras <ox...@oxdef.info>
> Subject: Re: [W3af-develop] Searching for new contributors?
> Date: Sun, 25 Jul 2010 14:37:50 +0200
>
> Hi everyone!
>
> I just wanted to write an email here on the list about wanting to
> contribute to w3af =)
> Started playing with it 2 weeks ago, and also started learning python
> not so long ago so I was thinking to ask you guys to give me some simple
> task for start (saw your "Why are you doing this: "I want to learn
> Python"" in w3af FAQ hehe). Later I could move on to some more complex
> stuff as I find my way around python and w3af more.
>
> Currently I'm a computer science student (from this autumn I'll be at my
> fifth, final year) and I come mostly from c/c++ and php background. I've
> of course used some other languages during my studies and playing around
> but not so extensively. I'm just saying this to say that I don't
> consider myself some kind of a developer (yet) but I'm eager to learn.
> One other reason I decided to ask to contribute to this project is
> because I would like to profile myself in computer security... So I
> consider this a good starting point. =)
>
> What do you propose?
>
> thanks =)
>
> On Sat, Jul 24, 2010 at 4:43 PM, Taras <ox...@oxdef.info> wrote:
>        Hi, all!
>
>
>        What do you think about searching for new contributors for w3af?
>        It looks like we need more people :)
>
>        What I suggest:
>         - write letters to popular mail lists
>         - write messages to popular forums and boards
>
>
>        --
>        Taras
>        http://oxdef.info
>        ----
>        "Software is like sex: it's better when it's free." - Linus
>        Torvalds
>
> ------------------------------------------------------------------------------
>        This SF.net email is sponsored by Sprint
>        What will you do first with EVO, the first 4G phone?
>        Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
>        _______________________________________________
>        W3af-develop mailing list
>        W3af-develop@lists.sourceforge.net
>        https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
>
> --
> Kit Tihomir
> http://www.cmikavac.net/
>
> --
> Taras
> http://oxdef.info
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds