Stephen,
Please read inline,
On Tue, May 1, 2012 at 6:16 PM, Stephen Breen <breen.mach...@gmail.com> wrote:
> Hi, I've recently started using the w3af scanner and love it!
Always good to hear that :)
> I'd like to
> contribute some code to the project and am wondering how to go about this?
A week ago or so I sent an email to the w3af-users and
w3af-develop mailing list asking for contributors for writing an HTTP
Parameter Pollution plugin:
http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00911.html
Maybe you want to start with that? I offer all my guidance with it :)
> I've written 2 new discovery plugins; one is a wordpress theme auditor. Many
> wordpress vulnerabilities are theme specific, this plugin finds the running
> theme on a blog, attempts to find installed but not running themes by
> enumerating popular theme names from a list and for any themes found, runs
> tests to see if they are vulnerable to common vulnerabilities. Right now I
> have all of the Woo themes in the theme list and it checks for a new
> vulnerability that is common to all of them (WooThemes shortcode
> vulnerability). It is very easy to extend to new themes and vulnerabilities
> and I plan on adding more.
That sounds great! Have you read our existing wordpress plugins?
Ctrl+F wordpress here [0] and you might find some interesting stuff.
In the meanwhile, why don't you send your code to this mailing list so
we can all review it? I would recommend opening a new thread with
subject "Wordpress vulnerability detection - WooThemes" or something
similar.
[0] https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/discovery
> The second is another discovery plugin that looks for misconfigured adobe
> crossdomain.xml files. Details on this problem can be found here
> http://jeremiahgrossman.blogspot.ca/2008/05/crossdomainxml-invites-cross-site.html
In this case, please take a look at [1] since we already have
something in place but it might require an update / review on the
techniques used.
[1]
https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/discovery/ria_enumerator.py
> Thanks!
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
