Hans,

On Sun, Dec 4, 2011 at 11:29 AM, Hans-Martin Münch <hansmartin.mue...@googlemail.com> wrote:
> Dear Andres
>
> I finally found the solution for this issue. The problem with the characters
> was that they are not allowed in the XML standard, therefore CDATA won't
> do it. Instead I created a version that encodes the request/response as base64
> if one of the forbidden characters is in place. The base64 encoding can be
> checked with the attribute "base64" (see attached file).
>
> Unfortunately I was not able to test this 100% as I don't have a suitable test case
> in my environment. Can you send me a link to a test app/environment where
> this problem came up?

I'm not sure, but I think that Javier Andalia fixed this issue a while ago by adding the "escape_nulls" function to the xmlFile plugin. That's NOT a complete solution because it's actually modifying the data before storing it, but at least it gives a human the possibility of reading the XML with a text / XML reader. If we would use base64 (which was an option we analyzed when fixing this) it would be necessary for the user to use a special / third party software to read the response.

What do you think? What's better, the replacement of the \0 by NULL; or the base64?

Regards,

> Kind regards
>
> Martin
>
> 2011/7/12 Andres Riancho <andres.rian...@gmail.com>
>>
>> What about CDATA in XML?
>>
>> On Tue, Jul 12, 2011 at 12:34 PM, Hans-Martin Münch
>> <hansmartin.mue...@googlemail.com> wrote:
>> > Hmmm, it looks like firefox and others have a problem with NULL bytes (%00)
>> > used in local file inclusion attacks. :-(
>> >
>> > The question is where this should be fixed? in the dump() function of the
>> > request/response object
>> > (as this functions should return a string representation of the object)
>> > Regards
>> > HansMartin
>> > 2011/7/12 Hans-Martin Münch <hansmartin.mue...@googlemail.com>
>> >>
>> >> I will do this ASAP
>> >>
>> >> 2011/7/12 Andres Riancho <andres.rian...@gmail.com>
>> >>>
>> >>> Hans,
>> >>>
>> >>> Please see attached file. This was generated by running the
>> >>> following command:
>> >>>
>> >>> ./w3af_console -s scripts/script-xml_output.w3af
>> >>>
>> >>> You need to have a running instance of the moth vm for this
>> >>> command to work and generate what I'm sending you; but the issue is
>> >>> that the XML seems to be "broken". You can open the XML with vi, joe,
>> >>> etc.
>> >>> (any console editor) BUT if you try to open it with something
>> >>> that really UNDERSTANDS XML (firefox output-w3af.xml) it will tell
>> >>> you:
>> >>>
>> >>> XML Parsing Error: not well-formed
>> >>> Location: file:///home/dz0/w3af/trunk/output-w3af.xml
>> >>> Line Number 330, Column
>> >>> 66:<br>../../../../../../../../../../../../../../../etc/passwd
>> >>>
>> >>> Could you please look into that?
>> >>>
>> >>> Regards,
>> >>>
>> >>> On Tue, Jul 12, 2011 at 11:51 AM, Andres Riancho
>> >>> <andres.rian...@gmail.com> wrote:
>> >>> > Hans,
>> >>> >
>> >>> > Sorry for the late response! I just reviewed the latest patch you
>> >>> > sent, and it looks very good. The only thing that I modified in both
>> >>> > the xsd and py file was the indentation: you used tabs (and 3-space in
>> >>> > some sections?) for indenting code, and we prefer 4-spaces. Congrats
>> >>> > on your first w3af contrib! :)
>> >>> >
>> >>> > http://sourceforge.net/apps/trac/w3af/changeset/4351/trunk/plugins
>> >>> >
>> >>> > Regards,
>> >>> >
>> >>> > On Sun, Jul 3, 2011 at 10:10 AM, Hans-Martin Münch
>> >>> > <hansmartin.mue...@googlemail.com> wrote:
>> >>> >> Hi Andres
>> >>> >>
>> >>> >> As promised, you can find the update for the XMLReport plugin attached to
>> >>> >> this mail.
>> >>> >>
>> >>> >> I tested it as good as I can, but I have to admit that I didn't have a test
>> >>> >> scenario
>> >>> >> where I had more than one request/response.
>> >>> >>
>> >>> >> I also updated the report.xsd file to reflect the changes. Please have a look.
>> >>> >> Please let me know if you have any
>> >>> >> suggestions/corrections/comments.
>> >>> >>
>> >>> >> Kind regards and keep up your really impressive work
>> >>> >>
>> >>> >> Martin (HansMartin is the complete first name)
>> >>> >>
>> >>> >
>> >>> > --
>> >>> > Andrés Riancho
>> >>> > Director of Web Security at Rapid7 LLC
>> >>> > Founder at Bonsai Information Security
>> >>> > Project Leader at w3af
>> >>>
>> >>> --
>> >>> Andrés Riancho
>> >>> Director of Web Security at Rapid7 LLC
>> >>> Founder at Bonsai Information Security
>> >>> Project Leader at w3af
>> >>
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
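
The two storage options weighed in this thread, side by side, as an added example that is not code from w3af or from either poster. It shows why a NUL byte breaks the report even inside CDATA, what the NULL replacement loses, and how a "base64" attribute lets a reader recover the exact bytes. The function names, the "true"/"false" attribute values and the sample body are assumptions made for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Code points outside the XML 1.0 "Char" production (tab, LF and CR are legal).
# Neither CDATA nor a character reference such as &#0; can carry these.
_FORBIDDEN = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]')


def parses(xml_bytes):
    """True if a real XML parser (expat) accepts the document."""
    try:
        ET.fromstring(xml_bytes)
        return True
    except ET.ParseError:
        return False


def lossy_element(tag, text):
    """Option 1: replace \\0 with the literal NULL (readable, alters the data)."""
    el = ET.Element(tag)
    el.text = text.replace('\x00', 'NULL')
    return el


def base64_element(tag, text):
    """Option 2: keep XML-safe text as is, otherwise store it base64-encoded."""
    el = ET.Element(tag)
    if _FORBIDDEN.search(text) is None:
        el.set('base64', 'false')   # attribute values are an assumption
        el.text = text
    else:
        el.set('base64', 'true')
        raw = text.encode('utf-8', 'surrogatepass')
        el.text = base64.b64encode(raw).decode('ascii')
    return el


def read_body(el):
    """Reader side: undo the encoding announced by the base64 attribute."""
    if el.get('base64') == 'true':
        return base64.b64decode(el.text).decode('utf-8', 'surrogatepass')
    return el.text or ''


# Constructed sample body containing a NUL byte, as in the thread.
SAMPLE = 'file=report\x00.php'
```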