Andres,

On Thu 05/01/12 13:37, "Andres Riancho" andres.rian...@gmail.com wrote:
> Laurent,
>
> On Wed, Jan 4, 2012 at 12:45 PM, <laurent.gu...@algosecure.fr> wrote:
>> Andres,
>>
>> On Wed 04/01/12 14:47, "Andres Riancho" andres.rian...@gmail.com wrote:
>>> Laurent,
>>>
>>> [snip]
>>>
>>>> By the way, I envisage making a patch for putting XSS injection patterns into an
>>>> external config file rather than hardcoding them in xss.py; this would make
>>>> pattern management easier.
>>>
>>> Not really, I like the idea of keeping the payloads in the same file, so you have
>>> "all you need to know" in the same place. Also, having the files in a python script
>>> allows us to easily add "tags" to it such as "send only if I'm inside script tags".
>>
>> Ok.
>>
>> At least, perhaps using a more pythonic notation could help better understanding
>> of the code, replacing:
>>
>>     xss_tests = []
>>     xss_tests.append(('<DEFANGED_SCrIPT>alert("RANDOMIZE")</SCrIPT>', [browsers.ALL, ]))
>>     xss_tests.append(("<DEFANGED_ScRIPT>a=/RANDOMIZE/\nalert(a.source)</SCRiPT>", [browsers.ALL, ]))
>>     xss_tests.append(("<DEFANGED_ScRIpT>alert(String.fromCharCode(RANDOMIZE))</SCriPT>", [browsers.ALL, ]))
>>     ...
>>
>> by:
>>
>>     xss_tests = [
>>         ('<DEFANGED_SCrIPT>alert("RANDOMIZE")</SCrIPT>', [browsers.ALL, ]),
>>         ("<DEFANGED_ScRIPT>a=/RANDOMIZE/\nalert(a.source)</SCRiPT>", [browsers.ALL, ]),
>>         ("<DEFANGED_ScRIpT>alert(String.fromCharCode(RANDOMIZE))</SCriPT>", [browsers.ALL, ]),
>>         ...
>>     ]
>>
>> and make this "xss_tests" variable a class attribute?
>
> Done in revision 4622, I usually don't care much about "pythonic" or "not pythonic",
> but your change made that piece of code easier to read and I do care about that :)
>
> http://sourceforge.net/apps/trac/w3af/changeset/4622

Thank you ;)

And what about transforming this "xss_tests" variable into an "xss" class attribute?
Because it is somewhat a constant, and then the _xss_tests_length attribute could be
computed without calling the _get_xss_tests() method. (imho, generally "pythonic"
code is easier to read than traditional C-like code ;)

>>> If you want to write a very useful patch, I would recommend you write the
>>> previously defined idea.
>>
>> I'll try to think about the problem in my spare time, good challenge ;)
>
> Yep, it's not an easy one... but it should be possible (even with broken HTMLs).
> Maybe something that sends a unique string, searches it in the HTML, and then
> starts iterating forward and if it finds "<" you know you're inside a text (see
> reference below), if you find a " or a ' and then find a ">" before finding any
> "<" or other special character then you're in an attribute? This might sound
> simple, but maybe with a little bit of testing and thinking it could work.
>
> <tag>text</tag>
> <tag attribute="value"></tag>

Yes, I've thought about a similar mechanism: send a kind of fingerprint string, and
search backward for its position in the page (html tag, javascript block, comment...) ;)

>>>> Such a mechanic could also be used in the other parts of the application, what
>>>> is your opinion?
>>>>
>>>> And I'd like to add a special keyword ("ALL", or -1 if integer matters) for the
>>>> XSS audit plugin option "_number_of_stored_xss_checks", for selecting
>>>> automatically all patterns (because if you add a new pattern you must edit all
>>>> your scripts to increment the value of this parameter).
>>>
>>> Oh, that's correct, please fix if you've got time :)
>>
>> Okay, I'll work on it, not a too difficult task ;)

I just saw that _number_of_stored_xss_checks is only used to limit the number of
'stored XSS checks', but is not used to limit the 'reflected XSS' checks; is this
intentional?

>>> --
>>> Andrés Riancho
>>> Director of Web Security at Rapid7 LLC
>>> Founder at Bonsai Information Security
>>> Project Leader at w3af
>>
>> Laurent
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af

Laurent

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
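The context-detection idea discussed in the thread (send a unique marker, then work out whether it landed in text, an attribute, a script block or an HTML comment), as an added example that is not w3af's code: `find_reflection_context`, its helpers and the sample response are constructed for illustration, and the scan works backward from the marker as Laurent suggests rather than forward.

```python
import re

# Added example (not w3af's own code): classify the context in which a unique
# marker string is reflected in an HTML response by scanning the text before it.
_SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)
_SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)
_UNQUOTED_VALUE = re.compile(r"""=\s*[^\s"']*$""")

def _last_end(pattern, text):
    """Position just after the last match of pattern in text, or -1."""
    end = -1
    for m in pattern.finditer(text):
        end = m.end()
    return end

def _tag_context(tag_body):
    """Inside a start tag: open attribute value, or between attributes?"""
    quote = None
    for ch in tag_body:  # track the currently open quote character, if any
        if quote is None and ch in "\"'":
            quote = ch
        elif ch == quote:
            quote = None
    if quote is not None or _UNQUOTED_VALUE.search(tag_body):
        return "attribute"
    return "tag"

def find_reflection_context(html, marker):
    """'comment', 'script', 'attribute', 'tag' or 'text'; None if not reflected."""
    idx = html.find(marker)
    if idx == -1:
        return None
    prefix = html[:idx]
    if prefix.rfind("<!--") > prefix.rfind("-->"):  # unclosed HTML comment
        return "comment"
    open_end = _last_end(_SCRIPT_OPEN, prefix)
    if open_end > _last_end(_SCRIPT_CLOSE, prefix):  # unclosed <script ...>
        body = prefix[open_end:]
        # ">" seen: in the script body; otherwise still inside the start tag
        return "script" if ">" in body else _tag_context(body)
    last_lt, last_gt = prefix.rfind("<"), prefix.rfind(">")
    if last_lt > last_gt:  # an unclosed "<": inside some other start tag
        return _tag_context(prefix[last_lt:])
    return "text"

# Constructed sample response with the marker reflected in several contexts.
SAMPLE = ('<title>Search: MARK1</title>\n<script>var q = "MARK2";</script>\n'
          '<!-- debug: MARK3 -->\n<a href="/s?q=MARK4" data-x=MARK5 MARK6>link</a>\n'
          '<p>Results for MARK7</p>')
```

The quote tracking and the unclosed-`<` test are heuristics: a stray `<` inside script code or an attribute value containing `>` will misclassify, which is the "broken HTMLs" case Andres mentions.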