Stephen, On Wed, May 2, 2012 at 10:44 AM, Stephen Breen <[email protected]> wrote: > I'll definitely take a look at the parameter pollution plugin, sounds > interesting and I haven't heard of that issue before.
Great! > I did look at the existing wordpress plugins and wasn't sure this would fit > into any of them. On second thought, it could probably be an extension to > wordpress_fingerprint since it is just fingerprinting themes and checking > for some vulnerabilities. Even if the plugin you wrote can be part of wordpress_fingerprint, don't forget to send it to the mailing list, it might have some very cool techniques as-is and we can learn from them. > Thanks for pointing out the ria_enumerator plugin, I hadn't even noticed it, > it covers exactly the same issue I had written my plugin for. I had kind of > thought that the scope for the crossdomain.xml checking plugin I had written > was a little too narrow anyways. When you're in doubt if w3af has a plugin that does XYZ, the best thing is to: $ cd w3af/ $ cd plugins/ $ grep XYZ * -Rsi > > On Wed, May 2, 2012 at 9:52 AM, Andres Riancho <[email protected]> > wrote: >> >> Stephen, >> >> Please read inline, >> >> On Tue, May 1, 2012 at 6:16 PM, Stephen Breen <[email protected]> >> wrote: >> > Hi, I've recently started using the w3af scanner and love it! >> >> Always good to hear that :) >> >> > I'd like to >> > contribute some code to the project and am wondering how to go about >> > this? >> >> A week ago or so I sent an email to the w3af-users and >> w3af-develop mailing list asking for contributors for writing an HTTP >> Parameter Pollution plugin: >> >> http://www.mail-archive.com/[email protected]/msg00911.html >> >> Maybe you want to start with that? I offer all my guidance with it :) >> >> > I've written 2 new discovery plugins; one is a wordpress theme auditor. >> > Many >> > wordpress vulnerabilities are theme specific, this plugin finds the >> > running >> > theme on a blog, attempts to find installed but not running themes by >> > enumerating popular theme names from a list and for any themes found, >> > runs >> > tests to see if they are vulnerable to common vulnerabilities. Right now >> > I >> > have all of the Woo themes in the theme list and it checks for a new >> > vulnerability that is common to all of them (WooThemes shortcode >> > vulnerability). It is very easy to extend to new themes and >> > vulnerabilities >> > and I plan on adding more. >> >> That sounds great! Have you read our existing wordpress plugins? >> Ctrl+F wordpress here [0] and you might find some interesting stuff. >> In the meanwhile, why don't you send your code to this mailing list so >> we can all review it? I would recommend opening a new thread with >> subject "Wordpress vulnerability detection - WooThemes" or something >> similar. >> >> [0] https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/discovery >> >> > The second is another discovery plugin that looks for misconfigured >> > adobe >> > crossdomain.xml files. Details on this problem can be found here >> > >> > http://jeremiahgrossman.blogspot.ca/2008/05/crossdomainxml-invites-cross-site.html >> >> In this case, please take a look at [1] since we already have >> something in place but it might require an update / review on the >> techniques used. >> >> [1] >> https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/discovery/ria_enumerator.py >> >> > Thanks! >> > >> > >> > ------------------------------------------------------------------------------ >> > Live Security Virtual Conference >> > Exclusive live event will cover all the ways today's security and >> > threat landscape has changed and how IT managers can respond. >> > Discussions >> > will include endpoint security, mobile security and the latest in >> > malware >> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> > _______________________________________________ >> > W3af-develop mailing list >> > [email protected] >> > https://lists.sourceforge.net/lists/listinfo/w3af-develop >> > >> >> >> >> -- >> Andrés Riancho >> Project Leader at w3af - http://w3af.org/ >> Web Application Attack and Audit Framework > > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-develop
