Hmmm, it looks like you are right in this case :) I used Wireshark for this purpose and content-length is there..

POST /test.php HTTP/1.1
Content-length: 73
Accept-encoding: identity
Accept: */*
User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; w3af.sf.net)
Host: localhost
Content-type: application/x-www-form-urlencoded

somefield=%3CScRIPT%3Ea%3D%2FQdek%2F%0Aalert%28a.source%29%3C%2FSCRiPT%3E

> Taras,
>
> And what do you see on the wire? You might try to set up Burp Suite as a
> transparent proxy listening on localhost:8888 and forwarding to your real
> target; and then set w3af to localhost:8888.
>
> Regards,
> --
> Andres Riancho
>
> On Nov 25, 2010 6:06 a.m., "Taras" <ox...@oxdef.info> wrote:
> > Andres,
> >
> > Do you remember why we remove Content-Length from headers in createFuzzableRequestRaw f...
> Hm, my tests on *fresh* trunk version show that the bug is there :(
> Steps to reproduce:
> 1. Create simple page with form (method=POST)
> 2. Run w3af on it with xss plugin enabled
>
> Current result:
> in output-http.txt we see
>
> -------------------------------------
> ...
> POST http://localhost/test.php HTTP/1.1
> Accept-encoding: identity
> Accept: */*
> User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; w3af.sf.net)
> Host: localhost
> Content-type: application/x-www-form-urlencoded
>
> somefield=ryras
> ========================================Response 15 - Thu Nov 25 11:54:46 2010=======================================
> HTTP/1.1 200 OK^M
> Content-Length: 552^M
> X-Powered-By: PHP/5.3.3-1ubuntu9.1^M
> Vary: Accept-Encoding^M
> ...
> -------------------------------------
>
> If we grep the sources we can find the constructions adding this header in these files:
> data/url/xUrllib.py: if h.lower() == 'content-length':
> data/url/xUrllib.py: headers[ 'content-length' ] = str(len(postdata))
> data/url/xUrllib.py: if i.lower() == 'content-length':
> data/url/xUrllib.py: msg = 'The response didn\'t contain a content-length header. Unable to return the'
> data/url/handlers/logHandler.py: if 'Content-length' in req.headers:
> data/url/handlers/logHandler.py: req.headers.pop('Content-length')
> data/url/handlers/keepalive.py: if not req.has_header('Content-length'):
> data/url/handlers/keepalive.py: conn.putheader('Content-length', '%d' % len(data))
>
> --
> Taras
> http://oxdef.info

--
Taras
http://oxdef.info
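
Added example (not part of the original thread, and not w3af code): a check that compares the bytes an HTTP client writes to the socket with a logged copy of the same request, which is the difference between output-http.txt and the Wireshark capture discussed above. It assumes Python's standard http.client as the sender instead of w3af's xUrllib/keepalive handlers; CaptureSocket, wire_view, log_view and missing_from_log are hypothetical names, and log_view only models a logger that drops Content-length as the logHandler.py lines in the grep output suggest.

```python
import http.client

# Request taken from the capture quoted in this thread.
BODY = "somefield=%3CScRIPT%3Ea%3D%2FQdek%2F%0Aalert%28a.source%29%3C%2FSCRiPT%3E"
HEADERS = {
    "Accept-encoding": "identity",
    "Accept": "*/*",
    "User-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; w3af.sf.net)",
    "Host": "localhost",
    "Content-type": "application/x-www-form-urlencoded",
}

class CaptureSocket:
    """Stand-in socket that records what the HTTP client writes (no network)."""
    def __init__(self):
        self.sent = b""
    def sendall(self, data):
        self.sent += data
    def close(self):
        pass

def wire_view(method, path, headers, body):
    """Exact request text http.client would put on the wire."""
    sock = CaptureSocket()
    conn = http.client.HTTPConnection("localhost")
    conn.sock = sock  # treated as already connected, so no real socket is opened
    conn.request(method, path, body=body, headers=headers)
    conn.close()
    return sock.sent.decode("iso-8859-1")

def log_view(method, path, headers, body):
    """Hypothetical logger that drops Content-length before writing the request."""
    kept = [(k, v) for k, v in headers.items() if k.lower() != "content-length"]
    head = ["%s %s HTTP/1.1" % (method, path)] + ["%s: %s" % kv for kv in kept]
    return "\r\n".join(head) + "\r\n\r\n" + body

def header_names(raw):
    """Lower-cased header names of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].lower() for line in head.split("\r\n")[1:]]

def missing_from_log(logged, wire):
    """Headers present on the wire but absent from the logged copy."""
    return [h for h in header_names(wire) if h not in header_names(logged)]

if __name__ == "__main__":
    wire = wire_view("POST", "/test.php", HEADERS, BODY)
    print(missing_from_log(log_view("POST", "/test.php", HEADERS, BODY), wire))
```

The caller never sets Content-Length here either: the transport layer adds it at send time, so a log written from the request object can omit a header that is present on the wire.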