I have analyzed some closed source vulnerability scanners, and audited open 
source scanners like skipfish.
Some of them are ironically vulnerable. Somebody may create an apache2 module 
that recognizes attacks in order to force penetration testers' software to 
crash (or worse, e.g. to execute arbitrary code).

errors=ignore or errors=replace may be a nice way to go, but here are my two 
cents:
Treating HTTP responses as an "UnidentifiedChunkOfPossiblyMaliciousData" as long 
as possible is definitely the right way to go.

I haven't audited or reviewed the httplib, but the "from_httplib_resp" method 
looks extremely vulnerable:

    resp = httplibresp
    code, msg, hdrs, body = (resp.code, resp.msg, resp.info(), resp.read())

    if original_url:
        url_inst = url_object(resp.geturl(), original_url.encoding)
    else:
        url_inst = original_url = url_object(resp.geturl())

    charset = getattr(httplibresp, 'encoding', None)
    return httpResponse(code, body, hdrs, url_inst,
                        original_url, msg, charset=charset)

I am just skeptical about assuming that the response of a webserver is valid 
HTTP.

That's why I mentioned py3k - it's exactly how Python3 handles external data:
Everything is a ChunkOfUnidentified data until it gets converted to a string. 
If it's a string, it's Unicode and everything is fine. If not, everything breaks 
immediately. 


Regards,
Daniel

On 16.02.2012 at 13:33, Andres Riancho wrote:

> sends a string of bytes back to you in the HTTP response.
> 
>> Do you have some code / an example where those exceptions usually appear in 
>> the current w3af code?
>> 
>> Regards,
>> Daniel
>> 
>> On 15.02.2012 at 22:06, Javier Andalia wrote:
>> 
>>> Hello Daniel,
>>> 
>>> On Wed, Feb 15, 2012 at 5:11 PM, Daniel Zulla
>>> <daniel.zu...@googlemail.com> wrote:
>>>> What about switching over to Python3?
>>>> It solves the UnicodeDecodeException madness.
>>> 
>>> Can you please be more specific? What exactly do you have in mind?
>>> 
>>> Maybe I'm wrong, but the way I see it w3af would still
>>> receive/transmit encoded bytes so there's no way to skip the
>>> bytestring_to_unicode and unicode_to_bytestring conversions. Not even
>>> in py3k.
>>> 
>>> Regards,
>>> 
>>> Javier
>> 
>> 
> 


_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
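The point Daniel makes above (keep the response as raw bytes, decode once at the edge, and never let a hostile server's bytes raise an exception inside the scanner) is illustrated below. This is an added example written for this thread, not w3af code: it does not use w3af's url_object or httpResponse classes, the parse_raw_response / body_to_text helpers and the HOSTILE and CLEAN responses are all constructed for the demo, and it handles two failure modes a scanner meets in practice: a body that is not valid in the charset the server declared, and a Content-Type that names a codec which is not a text encoding at all.

```python
"""Treat an HTTP response as bytes until the last possible moment.

Added example for the w3af-develop thread; not w3af's own code.  All
response bytes below are constructed for the demonstration.
"""
import codecs
import re
from typing import Dict, NamedTuple, Optional, Tuple


class RawResponse(NamedTuple):
    code: int
    reason: bytes              # kept as bytes: a server can put anything here
    headers: Dict[str, bytes]  # names lower-cased, values left as raw bytes
    body: bytes


_STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ?(.*)$")
_CHARSET_RE = re.compile(rb'charset="?([A-Za-z0-9_.:-]+)"?', re.I)


def parse_raw_response(raw: bytes) -> RawResponse:
    """Split a raw HTTP/1.x response into code, reason, headers and body.

    Nothing here assumes the server sent valid text: only the status code
    becomes an int, and only after a regex confirmed three ASCII digits.
    Header names are decoded with latin-1, which is byte-transparent and
    therefore cannot raise, whatever bytes the server chose.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    m = _STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.decode("latin-1").strip().lower()] = value.strip()
    return RawResponse(int(m.group(1)), m.group(2), headers, body)


def declared_charset(headers: Dict[str, bytes]) -> Optional[str]:
    """Charset named in Content-Type, or None if absent or unknown to Python."""
    m = _CHARSET_RE.search(headers.get("content-type", b""))
    if not m:
        return None
    name = m.group(1).decode("ascii")
    try:
        codecs.lookup(name)
    except LookupError:
        return None
    return name


def body_to_text(resp: RawResponse, default: str = "latin-1") -> Tuple[str, bool]:
    """Decode the body once, where text is actually needed.

    Returns (text, lossy).  A strict decode is tried first.  If the bytes
    are not valid in the declared charset, or the declared "charset" is a
    codec that is not a text encoding (e.g. charset=zlib_codec, which
    codecs.lookup accepts but bytes.decode rejects with LookupError), the
    scanner does not crash: undecodable bytes become U+FFFD and lossy=True
    records that the body was not what the headers claimed.
    """
    charset = declared_charset(resp.headers) or default
    try:
        return resp.body.decode(charset), False
    except LookupError:
        charset = default          # latin-1 decodes any byte sequence
    except UnicodeDecodeError:
        pass
    return resp.body.decode(charset, errors="replace"), True


def naive_body_to_text(raw: bytes) -> str:
    """What 'just decode it' does: one bad byte and the scanner dies."""
    return raw.decode("utf-8")


# Constructed hostile response: UTF-8 declared, stray 0xff in the body,
# non-ASCII reason phrase and header value.
HOSTILE = (
    b"HTTP/1.1 200 \xc3\x96K\xff\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-Junk: \xff\xfe\r\n"
    b"\r\n"
    b"<html>caf\xc3\xa9 \xff</html>"
)

# Constructed well-formed response in a single-byte charset.
CLEAN = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"\r\n"
    b"not found: caf\xe9"
)


def naive_crashes(raw: bytes) -> bool:
    """True if the naive decode raises on this response."""
    try:
        naive_body_to_text(raw)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    for raw in (HOSTILE, CLEAN):
        r = parse_raw_response(raw)
        text, lossy = body_to_text(r)
        print(r.code, r.reason, lossy, repr(text), "naive crashes:", naive_crashes(raw))
```

The design choice worth noting is that lossy is returned rather than silently swallowed: a scanner that blindly uses errors="replace" loses the signal that a server lied about its encoding, which is itself interesting to a penetration tester.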