Andres,

> > Do you remember why we remove Content-Length from headers in
> > createFuzzableRequestRaw for
> > POST requests:
> > core/data/request/frFactory.py
> > ...
> > def createFuzzableRequestRaw(method, url, postData, headers):
> >     if not postData:
> >         qsr = httpQsRequest.httpQsRequest()
> >         qsr.setURL(url)
> >         qsr.setMethod(method)
> >         qsr.setHeaders(headers)
> >         dc = urlParser.getQueryString(url)
> >         qsr.setDc(dc)
> >         return qsr
> >     pdr = httpPostDataRequest.httpPostDataRequest()
> >     pdr.setURL(url)
> >     pdr.setMethod(method)
> >     for header_name in headers.keys():
> >         if header_name.lower() == 'content-length':
> >             del headers[header_name]
> >             ^^^
> >     pdr.setHeaders(headers)
> > ...
> >
> > It is really bad because some web servers ignore POST requests without this
> > header.
>
> I'm not reading the code right now, but I'm guessing that we're
> doing this because we're not trusting the content-length header value
> provided by the user. I don't think that our requests are getting to
> the server without a content-length, what might be happening is that
> we're changing the header value to reflect what the user really put in
> the post data.

Hm, my tests on the *fresh* trunk version show that the bug is there :(

Steps to reproduce:
1. Create simple page with form (method=POST)
2. Run w3af on it with xss plugin enabled

Current result: in output-http.txt we see
-------------------------------------
...
POST http://localhost/test.php HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; w3af.sf.net)
Host: localhost
Content-type: application/x-www-form-urlencoded

somefield=ryras
========================================Response 15 - Thu Nov 25 11:54:46 2010=======================================
HTTP/1.1 200 OK^M
Content-Length: 552^M
X-Powered-By: PHP/5.3.3-1ubuntu9.1^M
Vary: Accept-Encoding^M
...
-------------------------------------

If we grep the sources we can find the constructions adding this header in these files:

data/url/xUrllib.py: if h.lower() == 'content-length':
data/url/xUrllib.py: headers[ 'content-length' ] = str(len(postdata))
data/url/xUrllib.py: if i.lower() == 'content-length':
data/url/xUrllib.py: msg = 'The response didn\'t contain a content-length header. Unable to return the'
data/url/handlers/logHandler.py: if 'Content-length' in req.headers:
data/url/handlers/logHandler.py: req.headers.pop('Content-length')
data/url/handlers/keepalive.py: if not req.has_header('Content-length'):
data/url/handlers/keepalive.py: conn.putheader('Content-length', '%d' % len(data))

--
Taras
http://oxdef.info
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
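
Added example, not part of the thread and not w3af code: a Python sketch of the behaviour discussed above (discard a caller-supplied Content-Length, recompute it from the POST body in bytes) together with a check that classifies a serialized request the way the log excerpt would need to be read. All function names and the sample data are hypothetical and constructed for illustration.

```python
# Added illustration; not w3af code. All function names are hypothetical.

def normalize_post_headers(headers, post_data):
    """Drop any caller-supplied Content-Length and recompute it from the body."""
    data = post_data or b""
    body = data.encode("utf-8") if isinstance(data, str) else data
    # Build a new dict rather than deleting while iterating; match any casing.
    clean = {k: v for k, v in headers.items() if k.lower() != "content-length"}
    if body:
        clean["Content-Length"] = str(len(body))  # length in bytes, not characters
    return clean, body


def serialize_request(method, path, headers, post_data=""):
    """Serialize the request with a recomputed Content-Length."""
    clean, body = normalize_post_headers(headers, post_data)
    lines = ["%s %s HTTP/1.1" % (method, path)]
    lines += ["%s: %s" % item for item in clean.items()]
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


def check_framing(raw):
    """Classify raw request bytes: 'no-body', 'missing', 'mismatch' or 'ok'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = value.strip()
    if not body:
        return "no-body"
    if declared is None:
        return "missing"
    return "ok" if declared == str(len(body)).encode() else "mismatch"


# Constructed sample, modelled on the request in the log excerpt above.
SAMPLE_HEADERS = {
    "Host": "localhost",
    "Content-type": "application/x-www-form-urlencoded",
    "content-length": "999",  # stale value, as a user might supply it
}
SAMPLE_BODY = "somefield=ryras"

if __name__ == "__main__":
    wire = serialize_request("POST", "/test.php", SAMPLE_HEADERS, SAMPLE_BODY)
    print(wire.decode("latin-1"))
    print(check_framing(wire))
```

Running `check_framing` on the bytes captured at the socket, rather than on a log written by a separate handler, shows what the server actually received.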