Am 11.04.2012 17:50, schrieb Andres Riancho:
...
> Let me explain what is going on here and what your patch is doing:
> #1 In the current trunk version, w3af's webSpider is parsing the
> index.php file you sent and identifies many links, most of them
> variants of each other. Before returning them to the w3afCore the
> webSpider uses the variant_db class and MAX_VARIANTS to define if
> enough variants of that link have been analyzed. If there are not
> enough then the variant needs to be analyzed so it is returned to the
> core. Given that MAX_VARIANTS is 40 [Note: I changed this to 5 in the
> latest commit.], the webSpider returns all/most of the links in your
> index.php to the core.
>
> a) This makes sense, since a link to a previously unknown section
> might be present in "article.php?id=25" and NOT present in
> "article.php?id=35", so w3af needs to make a choice on how many of
> those variants are going to be analyzed and how many are going to be
> left out.
>
> b) The same happens with vulnerabilities, there might be a
> vulnerability in the foo parameter of "article.php?id=28&foo=bar" when
> the id=28 and the vulnerability might NOT be present when the id is
> 32.
This observation is similar to what I reported in thread:
Subject: XSS not detected
However, you descibe the spider part here. I'd suggest that it also
honors predifined and/or additional given parameters.
...
> Maybe we could have different scan strategies, or change MAX_VARIANTS
> to be a user defined parameter, or... (please send your ideas).-
Sounds perfect.
But please don't forget to make a simple good documentation so that users
may find such advanced tricks :)
Ciao
Achim
------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
