[W3af-develop] SWF Link extraction

Thu, 01 Mar 2012 18:09:42 -0800 

Javier,

    I was looking into our SWF link extractor after following one of
my TODOs and found:

        # FIXME: Jan 2012, JAP - Now this method does nothing. Extracting
        # urls from a compiled flash leads to serious encoding issues
        # while performing scans. The definite solution is to decompile
        # swf files and decode the proper substrings (urls in swf files
        # are found in specific sections) using the proper encoding name.
        ##self._regex_url_parse(swf_body)
        pass

    After that, I went to "_regex_url_parse" and found that encoding
issues seem to be properly handled there by pieces of code like:

"""
            try:
                decoded_url = url_object(self._decode_url(url[0]),
                                         encoding=self._encoding)
            except ValueError:
                pass
            else:
                re_urls.add(decoded_url)
"""

    And,

"""
                try:
                    url = self._baseUrl.urlJoin(match_str).url_string
                    url = url_object(self._decode_url(url),
                                     encoding=self._encoding)
                except ValueError:
                    # In some cases, the relative URL is invalid and
triggers an
                    # ValueError: Invalid URL "%s" exception. All we
can do at this
                    # point is to ignore this "fake relative URL".
                    pass
"""

    The only drawback I see in this code is that we're using
"self._encoding" as the encoding (which according to baseparser.py
comes from httpResponse.getCharset) and that might be incorrect or
even non-existant because an HTTP response that contains a SWF will
not have a Content-Type with a charset (just assuming that). You
mentioned a while ago that SWF internally and by default uses UTF-8 ?

    Also, could you please explain to me why we would get serious
encoding issues if the ValueError is handled?

    Thanks!

Regards,
-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop

Reply via email to