Daniel,
On Thu, Feb 16, 2012 at 10:07 AM, Daniel Zulla
<daniel.zu...@googlemail.com> wrote:
> I have analyzed some closed source vulnerability scanners, and audited open
> source scanners like skipfish.
> Some of them are ironically vulnerable. Somebody may create an apache2 module
> that recognizes attacks in order to force penetration testers' software to
> crash (or worse, e.g. to execute arbitrary code).
All software has vulnerabilities, it's in their nature :)
> errors=ignore or errors=replace may be a nice way to go, but - here are my
> two cents:
> Treating HTTP Responses as an UnidentifiedChunkOfPossiblyMaliciousData" as
> long as possible is definitely the right way to go.
Don't really. As soon as the byte string enters w3af, the best
thing to do is to decode it using the best encoding available (the one
in Content-Encoding header, or some other we might have in the HTTP
response) and after that all the rest of w3af's code simply forgets
about encodings and uses the unicode string.
> I haven't audited or reviewed the httplib, but the "from_httplib_resp"
> method, looks extremely vulnerable:
Vulnerable to what?
> resp = httplibresp
> code, msg, hdrs, body = (resp.code, resp.msg, resp.info(), resp.read())
>
> if original_url:
> url_inst = url_object(resp.geturl(), original_url.encoding)
> else:
> url_inst = original_url = url_object(resp.geturl())
>
> charset = getattr(httplibresp, 'encoding', None)
> return httpResponse(code, body, hdrs, url_inst,
> original_url, msg, charset=charset)
>
> I am just skeptical about assuming that the response of a webserver is valid
> HTTP.
We're not assuming that, if the response is not HTTP then httplib,
or urllib, or urllib2 (don't really know which one) will fail and
raise an exception.
> That's why i mentioned py3k - it's exactly how Python3 handles external data:
> Everything is a ChunkOfUnidentified data until it gets converted to a string.
> If it's a string, it's Unicode and everthing is fine. If not, everthing
> breaks immediately.
Could you explain me a little bit more about this? I tried to
google for ChunkOfUnidentified or ChunkOfUnidentifiedData and found
nothing.
>
> Regards,
> Daniel
>
> Am 16.02.2012 um 13:33 schrieb Andres Riancho:
>
>> sends a string of bytes back to you in the HTTP response.
>>
>>> Do you have some code / a example where those exceptions usually appear in
>>> the current w3af code?
>>>
>>> Regards,
>>> Daniel
>>>
>>> Am 15.02.2012 um 22:06 schrieb Javier Andalia:
>>>
>>>> Hello Daniel,
>>>>
>>>> On Wed, Feb 15, 2012 at 5:11 PM, Daniel Zulla
>>>> <daniel.zu...@googlemail.com> wrote:
>>>>> What about switching over to Python3?
>>>>> It solves the UnicodeDecodeException madness.
>>>>
>>>> Can you please be more specific? What exactly do you have in mind?
>>>>
>>>> Maybe I'm wrong, but the way I see it w3af would still
>>>> receive/transmit encoded bytes so there's no way to skip the
>>>> bytestring_to_unicode and unicode_to_bytestring conversions. Not even
>>>> in py3k.
>>>>
>>>> Regards,
>>>>
>>>> Javier
>>>
>>>
>>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
