Hi, all!
I just have committed core/data/fuzzer/fuzzer.py with Laurent's patch.
It is not original patch because I decided to remove mutant with
m2.setSafeEncodeChars('/').
Furthermore I have tested it with webpy application in which URLs
processed internally (not by Apache's mod_rewrite). Now everything look
good and we can find XSS in both :) You are free to test it from the trunk.
10.01.2012 00:05, Andres Riancho пишет:
> Taras,
>
> On Fri, Jan 6, 2012 at 6:16 PM, Taras<ox...@oxdef.info> wrote:
>> Hi, all and happy new year! :)
>>
>> Laurent thanks for paying attention to fuzzURLParts functionality! :)
>> Especially that we also had a small conversation here about double encoding.
>>
>>
>>>> Sorry for that, I attached the proper cleaned patch. In fact :
>>>>
>>>> * m is single encoded version, so we need it
>>>> * m3 is double-encoded version, so we need it
>>>> * m2 : I re-use this code from _createFileNameMutants() method, this is
>>>> perhaps
>>>> not really useful in this case?
>>>
>>>
>>> Taras, since you've written that piece of code, would you mind
>>> reviewing / testing / commiting the change to SVN?
>>
>>
>> Andres, I will do it in the nearest days.
>
> Sounds good! Laurent will test the fix when you commit it :)
>
>>
>> --
>> Taras
>> http://oxdef.info
>> ----
>> "Software is like sex: it's better when it's free." - Linus Torvalds
>
>
>
--
Taras
http://oxdef.info
------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
