hey guys,
sorry for not replying sooner, gmail put this into spam... and I check it
every 1-2 weeks to make sure nothing important went into spam. I would be
happy to try and make this module, but right now I'm in the middle of
college exams so until I finish them off I don't want to even start doing
anything because it will become so interesting to do that I'll eventually
stop studying for exams :D
so if nobody does this in 3-4 weeks max, I'll do it then. if it's done by
then, I'll just have to find some other task =)
thank you, and talk to you soon
On Fri, Sep 3, 2010 at 8:59 AM, Aung Khant <aungkh...@yehg.net> wrote:
> Glad to hear that, pootzko.
>
> 1. First learn the existing modules and how they are written.
> 2. Tweak them to your wish, play with them so that you can better understand
> how they work
> 3. After getting familiar with it, create a very simple module, test it,
> play with it
>
> Ok, for a quick assignment, I wish you to write a simple module that does the
> HTTP Parameter Pollution (it seems that it was not written/committed to svn
> before - check about this:
> http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00911.html,
> Andres Riancho thought it is not usable for most cases). Whether it's worth it or not,
> try it.
>
> The Pseudocode is as follows:
>
> Take a URL with parameters (eg. http://site.com/test.php?a=1&b=2&c=3)
>
> For each parameter
>
> 1. Take note of original request response (
> http://site.com/test.php?a=1&b=2&c=3)
>
> 2. Take note of request responses for these HPP urls:
> http://site.com/test.php?a=1&b=2&a=yyyy&c=3
> http://site.com/test.php?a=1&b=2&c=3&a=zzz
>
> 3. Detect using the following criteria:
>
> a) Compare the length of these responses
> Differences in length may indicate HPP vulnerable.
>
> b) Are these Polluted parameters concatenated together in
> Response Body?
> [ Risk: Possible bypass of web application firewalls]
> [ like:
> a=id+UNION+SELECT&b=2&a=%201,2,3,@@version--&c=3 ]
>
> End For
>
> On Fri, Sep 3, 2010 at 4:48 AM, Taras <ox...@oxdef.info> wrote:
>
>> -------- Forwarded Message --------
>> From: pootzko <poot...@gmail.com>
>> Reply-to: poot...@gmail.com
>> To: Taras <ox...@oxdef.info>
>> Subject: Re: [W3af-develop] Searching for new contributors?
>> Date: Sun, 25 Jul 2010 14:37:50 +0200
>>
>> Hi everyone!
>>
>> I just wanted to write an email here on the list about wanting to
>> contribute to w3af =)
>> Started playing with it 2 weeks ago, and also started learning python
>> not so long ago so I was thinking to ask you guys to give me some simple
>> task for start (saw your "Why are you doing this: "I want to learn
>> Python"" in w3af FAQ hehe). Later I could move on to some more complex
>> stuff as I find my way around python and w3af more.
>>
>> Currently I'm a computer science student (from this autumn I'll be at my
>> fifth, final year) and I come mostly from c/c++ and php background. I've
>> of course used some other languages during my studies and playing around
>> but not so extensively. I'm just saying this to say that I don't
>> consider myself some kind of a developer (yet) but I'm eager to learn.
>> One other reason I decided to ask to contribute to this project is
>> because I would like to profile myself in computer security... So I
>> consider this a good starting point. =)
>>
>> What do you propose?
>>
>> thanks =)
>>
>> On Sat, Jul 24, 2010 at 4:43 PM, Taras <ox...@oxdef.info> wrote:
>> Hi, all!
>>
>>
>> What do you think about searching for new contributors for w3af?
>> It looks like we need more people :)
>>
>> What I suggest:
>> - write letters to popular mail lists
>> - write messages to popular forums and boards
>>
>>
>> --
>> Taras
>> http://oxdef.info
>> ----
>> "Software is like sex: it's better when it's free." - Linus
>> Torvalds
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Sprint
>> What will you do first with EVO, the first 4G phone?
>> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>>
>>
>> --
>> Kit Tihomir
>> http://www.cmikavac.net/
>>
>> --
>> Taras
>> http://oxdef.info
>> ----
>> "Software is like sex: it's better when it's free." - Linus Torvalds
>>
>>
>>
>>
>
>
--
Kit Tihomir
http://www.cmikavac.net/
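The detection loop sketched in Aung Khant's pseudocode above, written out as an added example (not w3af code and not from any poster). The two simulated servers (`last_wins`, `comma_joined`) are constructed stand-ins so it runs offline; the URL, marker values and criteria are taken from the pseudocode.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MARKERS = ("yyyy", "zzz")  # marker values from the pseudocode


def hpp_test_urls(url):
    """Return {param: [mid_url, end_url]}: for each parameter, one URL with a
    duplicate inserted after the following parameter (a=1&b=2&a=yyyy&c=3) and
    one with a duplicate appended at the end (a=1&b=2&c=3&a=zzz)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tests = {}
    for i, (name, _) in enumerate(params):
        mid = params[:]
        mid.insert(min(i + 2, len(params)), (name, MARKERS[0]))
        end = params + [(name, MARKERS[1])]
        tests[name] = [urlunsplit(parts._replace(query=urlencode(q))) for q in (mid, end)]
    return tests


def analyse(name, orig_value, baseline, polluted):
    """Criteria a) and b): length change, and original value glued to the marker."""
    findings = []
    for body, marker in zip(polluted, MARKERS):
        if len(body) != len(baseline):
            findings.append(f"{name}: length {len(baseline)} -> {len(body)} with {marker}")
        # b) "1,yyyy", "1 yyyy", "1yyyy": both values ended up together in the body
        if orig_value and re.search(re.escape(orig_value) + r"[,; ]?" + re.escape(marker), body):
            findings.append(f"{name}: values concatenated in body with {marker}")
    return findings


# Constructed stand-ins for two real-world duplicate-parameter behaviours.
def last_wins(query):  # e.g. PHP keeps the last occurrence
    return "<p>" + "&".join(f"{k}={v}" for k, v in dict(parse_qsl(query)).items()) + "</p>"


def comma_joined(query):  # e.g. ASP.NET joins duplicates with ","
    seen = {}
    for k, v in parse_qsl(query):
        seen[k] = seen[k] + "," + v if k in seen else v
    return "<p>" + "&".join(f"{k}={v}" for k, v in seen.items()) + "</p>"


def scan(url, server):
    """The pseudocode's 'For each parameter' loop against a simulated server."""
    baseline = server(urlsplit(url).query)
    original = dict(parse_qsl(urlsplit(url).query))
    findings = []
    for name, urls in hpp_test_urls(url).items():
        bodies = [server(urlsplit(u).query) for u in urls]
        findings += analyse(name, original[name], baseline, bodies)
    return findings
```

Only the concatenation finding is a strong signal; a length change alone also appears for ordinary last-wins handling, so a module would need to treat criterion a) as a hint rather than a verdict.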