Andres, > Minor comments: > > * The help doesn't seem to be enough for a novice user that won't > ever read the source code (talking about h17). I would explain it a > little bit better Fixed
> > * The doctest looks good, but I would add some "integration test" > to it also. Something that will: > - Define a PHP script to be added to moth that has 5 repeated > parameter names, vulnerable to XSS in all 5 Done > - Define a new test (possibly in plugins/tests/test_xss.py) > that will scan that PHP script with different fuzzRepeatedParameters > settings: > - If tmb then only 3 vulnerabilities should be found in the KB > - If t / m / b then only 1 vulnerability should be found in the > KB > - If all then 5 vulnerabilities should be found in the KB > > That final test would make sure that we don't break this feature in > the future; which has happen one to many times with w3af :( > > Please note that I insist with unittests a lot; and it's not just > words. I've added hundreds of new unit-tests to w3af in the last > months! Feel free to read plugins/tests/ :) How can I set up misc-settings in test? I haven't found it in plugins/tests :( > > Regards, > >> [0] https://sourceforge.net/apps/trac/w3af/changeset/5110 >> >> >> On 06/11/2012 03:28 AM, Andres Riancho wrote: >>> >>> Taras, >>> >>> On Sat, Jun 9, 2012 at 5:52 AM, Taras<ox...@oxdef.info> wrote: >>>> >>>> In previous letter I suggest to have option fuzzRepeatedParameters with >>>> only >>>> two states on/off. But if we really want to have more complex behavior >>>> here >>>> we can do it in same way as already exist option fuzzFormComboValues >>>> which >>>> indicates what HTML form combo values w3af plugins will use: all, >>>> t(op)b(ottom), t(op)m(iddle)b(ottom), t(op), b(ottom). >>> >>> >>> hehehe, I just read this email. Ok, so lets do it like that :) Are you >>> going to create a new branch for this? Please remember to add >>> unittests to your code in order to make sure it works as expected and >>> doesn't break anything else. >>> >>> Regards, >>> >>>> >>>> On 06/08/2012 05:50 PM, Stephen Breen wrote: >>>>> >>>>> >>>>> I think your idea of having an upper limit on N is good, the problem is >>>>> deciding on what the limit should be and which values should be >>>>> included. >>>>> >>>>> The problem with ignoring some of the repeated parameters is that some >>>>> languages will actually make use of them all, eg: >>>>> http://foo.com/test.php?a=1&a=2&a=3...&a=N >>>>> <http://foo.com/test.php?a=1&a=2&a=3...&a=N> on the backend will >>>>> produce >>>>> an array a[0..N-1]. Some applications will just use a[0], some might use >>>>> the whole array, some use a[N-1], some can error out, it is not always >>>>> easy to determine what is going on. >>>>> >>>>> For languages where only 1 of the parameters is passed to the backend, >>>>> it is not always obvious which one it is, eg: >>>>> http://foo.com/test.php?a=1&a=2&a=3...&a=N >>>>> <http://foo.com/test.php?a=1&a=2&a=3...&a=N> here the backend will >>>>> usually receive a=1 or a=N, it depends on the language used. If we >>>>> ignore the Nth parameter, we could be missing out on the value that the >>>>> application is truly using. This could be a problem when building a >>>>> fuzzable request that is appending to the current value of the >>>>> parameter. >>>>> >>>>> My suggestion if a performance fix is to be implemented for this would >>>>> be to make sure you keep at least the first and last occurrence of the >>>>> parameter. >>>>> >>>>> Also, sorry I've been so slow on the parameter pollution plugin, going >>>>> through a bit of a career change (application penetration testing :) >>>> >>>> >>>> >>>> Congrats! :) >>>> >>>>> )band have been really busy with that. >>>>> >>>>> >>>>> On Fri, Jun 8, 2012 at 9:42 AM, Taras<ox...@oxdef.info >>>>> <mailto:ox...@oxdef.info>> wrote: >>>>> >>>>> Andres, >>>>> >>>>> I see some work on implementing Parameter Pollution Plugin for w3af. >>>>> Just want to point on performance problem in similar area. Currently >>>>> w3af don't know anything about repeated parameters in query string >>>>> and >>>>> post data, e.g. http://foo.com/test.php?a=1&a=2&a=3...&a=N >>>>> <http://foo.com/test.php?a=1&a=2&a=3...&a=N>. >>>>> >>>>> After grabbing such fuzzrequests w3af will try to audit them (create >>>>> mutants and so on) and will inject payload **sequentially** from 1 to >>>>> N: >>>>> >>>>> http://foo.com/test.php?a=XSS&a=2&a=3...&a=N >>>>> <http://foo.com/test.php?a=XSS&a=2&a=3...&a=N>. >>>>> http://foo.com/test.php?a=1&a=XSS&a=3...&a=N >>>>> <http://foo.com/test.php?a=1&a=XSS&a=3...&a=N>. >>>>> http://foo.com/test.php?a=1&a=2&a=XSS...&a=N >>>>> <http://foo.com/test.php?a=1&a=2&a=XSS...&a=N>. >>>>> http://foo.com/test.php?a=1&a=2&a=3...&a=XSS >>>>> <http://foo.com/test.php?a=1&a=2&a=3...&a=XSS>. >>>>> >>>>> >>>>> Imho, it is useless and takes a lot of time even when N is not really >>>>> big number, e.g. N=20 >>>>> >>>>> So where we can fix it? in _createMutantsWorker? May be we will add >>>>> some >>>>> limit? >>>>> >>>>> On 05/15/2012 07:27 PM, Stephen Breen wrote: >>>>> > I did, the most efficient way I could think to do it required >>>>> the >>>>> > following changes to dataContainer.py and queryString.py. >>>>> Basically all >>>>> > I did was add a _safeEncodeChars field to the dataContainer and >>>>> make >>>>> > sure it was used when doing URL encoding: >>>>> > >>>>> > Index: core/data/dc/dataContainer.py >>>>> > >>>>> =================================================================== >>>>> > --- core/data/dc/dataContainer.py (revision 5002) >>>>> > +++ core/data/dc/dataContainer.py (working copy) >>>>> > @@ -38,7 +38,7 @@ >>>>> > >>>>> > super(DataContainer, self).__init__() >>>>> > self.encoding = encoding >>>>> > - >>>>> > + self._safeEncodeChars = '' >>>>> > if isinstance(init_val, DataContainer): >>>>> > self.update(init_val) >>>>> > elif isinstance(init_val, dict): >>>>> > @@ -80,7 +80,7 @@ >>>>> > >>>>> > @return: string representation of the DataContainer >>>>> Object. >>>>> > ''' >>>>> > - return enc_dec.urlencode(self, encoding=self.encoding) >>>>> > + return enc_dec.urlencode(self, >>>>> > encoding=self.encoding,safe=self._safeEncodeChars) >>>>> > >>>>> > def __unicode__(self): >>>>> > ''' >>>>> > >>>>> > >>>>> > Index: core/data/dc/queryString.py >>>>> > >>>>> =================================================================== >>>>> > --- core/data/dc/queryString.py (revision 5002) >>>>> > +++ core/data/dc/queryString.py (working copy) >>>>> > @@ -43,4 +43,4 @@ >>>>> > >>>>> > @return: string representation of the QueryString >>>>> object. >>>>> > ''' >>>>> > - return enc_dec.urlencode(self, encoding=self.encoding, >>>>> safe='') >>>>> > \ No newline at end of file >>>>> > + return enc_dec.urlencode(self, encoding=self.encoding, >>>>> > safe=self._safeEncodeChars) >>>>> > \ No newline at end of file >>>>> > >>>>> > In my audit plugin, to avoid encoding the % character I do this >>>>> before I >>>>> > create the mutants: >>>>> > >>>>> > def audit(self, freq): >>>>> > dc = freq.getDc() >>>>> > dc._safeEncodeChars +='%' >>>>> > for param in dc: >>>>> > mutants = >>>>> createMutants(freq,['%26ZJkL%3DNrZp'],True,[param]) >>>>> > >>>>> > After these changes it works MOST of the time. When I give w3af >>>>> a >>>>> URL >>>>> > with a bunch of parameters, it generates 2 fuzzable requests if >>>>> no >>>>> > discovery plugins are used; one request is the URL I provided, >>>>> one has >>>>> > parameters that w3af seemed to pick randomly. For some reason >>>>> the >>>>> > safeEncodeChars are ignored for the request w3af created. To fix >>>>> this I >>>>> > had to add the % character to the default safe characters of the >>>>> > urlencode function. I don't like this fix very much and would >>>>> like >>>>> to >>>>> > figure out why it is necessary but here is the diff that makes >>>>> it >>>>> work >>>>> > for now: >>>>> > >>>>> > Index: core/data/parsers/encode_decode.py >>>>> > >>>>> =================================================================== >>>>> > --- core/data/parsers/encode_decode.py (revision 5002) >>>>> > +++ core/data/parsers/encode_decode.py (working copy) >>>>> > @@ -71,7 +71,7 @@ >>>>> > return CHAR_REF_PATT.sub(entitydecode, text) >>>>> > >>>>> > >>>>> > -def urlencode(query, encoding, safe='/<>"\'=:()'): >>>>> > +def urlencode(query, encoding, safe='/<>"\'=:()%'): >>>>> > ''' >>>>> > This is my version of urllib.urlencode. It adds "/" as a >>>>> safe >>>>> > character >>>>> > and also adds support for "repeated parameter names". >>>>> > >>>>> > >>>>> > On Tue, May 15, 2012 at 11:45 AM, Andres Riancho >>>>> > <andres.rian...@gmail.com<mailto:andres.rian...@gmail.com> >>>>> <mailto:andres.rian...@gmail.com<mailto:andres.rian...@gmail.com>>> >>>>> >>>>> wrote: >>>>> > >>>>> > Stephen, >>>>> > >>>>> > On Sat, May 12, 2012 at 3:31 PM, Stephen Breen >>>>> > <breen.mach...@gmail.com<mailto:breen.mach...@gmail.com> >>>>> <mailto:breen.mach...@gmail.com<mailto:breen.mach...@gmail.com>>> >>>>> >>>>> wrote: >>>>> > > After comparing the browser and w3af requests/responses in >>>>> > wireshark I was >>>>> > > able to figure it out. When I send the request: >>>>> > > http://www.example.com/?x=abc%26ZJkL%3DNrZp >>>>> > > In w3af it is being converted to: >>>>> > > http://www.example.com/?x=abc%2526ZJkL%253DNrZp >>>>> > > >>>>> > > i.e. my '%' characters are being url encoded into a '%25'. >>>>> > >>>>> > Did you find the way to avoid that "double encoding" >>>>> issue? >>>>> > >>>>> > > >>>>> > > On Wed, May 9, 2012 at 6:08 PM, Stephen Breen >>>>> > <breen.mach...@gmail.com<mailto:breen.mach...@gmail.com> >>>>> <mailto:breen.mach...@gmail.com<mailto:breen.mach...@gmail.com>>> >>>>> >>>>> > > wrote: >>>>> > >> >>>>> > >> "Forgive me, I don't have the time to be brief" -- >>>>> unfortunately >>>>> > this is >>>>> > >> going to be a longish one. >>>>> > >> >>>>> > >> I'm confused about an issue I've been having trying to >>>>> detect >>>>> > client side >>>>> > >> parameter pollution vulnerabilities. Been stuck on this >>>>> for a >>>>> while. >>>>> > >> >>>>> > >> What I'm doing is for each parameter in a request, you >>>>> inject >>>>> an >>>>> > innocuous >>>>> > >> parameter, for example if the request were: >>>>> > >> http://www.example.com/?x=abc&y=xyz >>>>> <http://www.example.com/?x=abc&y=xyz> >>>>> > <http://www.example.com/?x=abc&y=xyz >>>>> <http://www.example.com/?x=abc&y=xyz>> >>>>> > >> >>>>> > >> We could inject the parameter ZJkl=NrZp like so: >>>>> > >> http://www.example.com/?x=abc%26ZJkL%3DNrZp&y=xyz >>>>> <http://www.example.com/?x=abc%26ZJkL%3DNrZp&y=xyz> >>>>> > <http://www.example.com/?x=abc%26ZJkL%3DNrZp&y=xyz >>>>> <http://www.example.com/?x=abc%26ZJkL%3DNrZp&y=xyz>> >>>>> > >> http://www.example.com/?x=abc&y=xyz%26ZJkL%3DNrZp >>>>> <http://www.example.com/?x=abc&y=xyz%26ZJkL%3DNrZp> >>>>> > <http://www.example.com/?x=abc&y=xyz%26ZJkL%3DNrZp >>>>> <http://www.example.com/?x=abc&y=xyz%26ZJkL%3DNrZp>> >>>>> > >> >>>>> > >> Then we examine the response from each of those requests >>>>> and >>>>> > check if >>>>> > >> there are any links in the response that contain our >>>>> injected >>>>> > parameter, so >>>>> > >> for example, in the response body if we found the >>>>> following, >>>>> it >>>>> > would mean >>>>> > >> the "x" parameter is vulnerable to parameter pollution: >>>>> > >> http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz >>>>> <http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz> >>>>> > <http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz >>>>> <http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz>> >>>>> > >> >>>>> > >> If this is the case, then we can use the fact that a >>>>> server >>>>> will >>>>> > discard a >>>>> > >> duplicate parameter and use either the first or second >>>>> occurrence to >>>>> > >> overwrite other parameters in the requests for the forms >>>>> and >>>>> > links on the >>>>> > >> page. >>>>> > >> >>>>> > >> The problem I am having is that while my browser (firefox) >>>>> will >>>>> > return >>>>> > >> responses containing things like: >>>>> > >> http://www.example.om/submit.php?x=abc&ZJkL=NrZp&y=xyz >>>>> <http://www.example.om/submit.php?x=abc&ZJkL=NrZp&y=xyz> >>>>> > <http://www.example.om/submit.php?x=abc&ZJkL=NrZp&y=xyz >>>>> <http://www.example.om/submit.php?x=abc&ZJkL=NrZp&y=xyz>> >>>>> > >> >>>>> > >> When I use sendMutant or urlOpener.GET, the same request >>>>> will >>>>> > result in >>>>> > >> the URL in the response looking like this: >>>>> > >> http://www.example.om/submit.php?x=abc%26ZJkL%3DNrZp&y=xyz >>>>> <http://www.example.om/submit.php?x=abc%26ZJkL%3DNrZp&y=xyz> >>>>> > <http://www.example.om/submit.php?x=abc%26ZJkL%3DNrZp&y=xyz >>>>> <http://www.example.om/submit.php?x=abc%26ZJkL%3DNrZp&y=xyz>> >>>>> > >> >>>>> > >> The characters are not being decoded and I have no idea >>>>> why! >>>>> I >>>>> > thought >>>>> > >> that the decoding would be done on the server side, is >>>>> this >>>>> done >>>>> > in the >>>>> > >> browser? Does that mean these vulnerabilities will be >>>>> browser >>>>> > specific? I'm >>>>> > >> really not sure how this works behind the scenes. >>>>> > >> >>>>> > >> For a real example of this vulnerability I've been using >>>>> the >>>>> > following URL >>>>> > >> for testing: >>>>> > >> >>>>> > >> >>>>> > >>>>> >>>>> >>>>> >>>>> http://www.pof.com/basicsearch.aspx?iama=m%26ZJkL%3DNrZp&seekinga=f&minage=18&maxage=40&imagesetting=0&searchtype=&intent=ðnicity=0&country=1&City=Chicago&z_code=&miles=25&sorting=0&cmdSearch=Search&Profession=&Interests=&save=1#in >>>>> >>>>> >>>>> >>>>> <http://www.pof.com/basicsearch.aspx?iama=m%26ZJkL%3DNrZp&seekinga=f&minage=18&maxage=40&imagesetting=0&searchtype=&intent=ðnicity=0&country=1&City=Chicago&z_code=&miles=25&sorting=0&cmdSearch=Search&Profession=&Interests=&save=1#in> >>>>> > >>>>> >>>>> >>>>> >>>>> <http://www.pof.com/basicsearch.aspx?iama=m%26ZJkL%3DNrZp&seekinga=f&minage=18&maxage=40&imagesetting=0&searchtype=&intent=ðnicity=0&country=1&City=Chicago&z_code=&miles=25&sorting=0&cmdSearch=Search&Profession=&Interests=&save=1#in >>>>> >>>>> >>>>> >>>>> <http://www.pof.com/basicsearch.aspx?iama=m%26ZJkL%3DNrZp&seekinga=f&minage=18&maxage=40&imagesetting=0&searchtype=&intent=ðnicity=0&country=1&City=Chicago&z_code=&miles=25&sorting=0&cmdSearch=Search&Profession=&Interests=&save=1#in>> >>>>> > >> >>>>> > >> If you look at the links to "More Search Results 1,2,3" >>>>> etc... >>>>> > on the >>>>> > >> bottom of the page, you will see that the parameter >>>>> ZJkL=NrZp >>>>> > has been >>>>> > >> injected into the links. >>>>> > >> >>>>> > >> Thanks! >>>>> > >> >>>>> > >> >>>>> > >> On Wed, May 2, 2012 at 11:02 PM, Andres Riancho >>>>> > <andres.rian...@gmail.com<mailto:andres.rian...@gmail.com> >>>>> <mailto:andres.rian...@gmail.com<mailto:andres.rian...@gmail.com>>> >>>>> >>>>> > >> wrote: >>>>> > >>> >>>>> > >>> Stephen, >>>>> > >>> >>>>> > >>> On Wed, May 2, 2012 at 4:10 PM, Stephen Breen >>>>> > <breen.mach...@gmail.com<mailto:breen.mach...@gmail.com> >>>>> <mailto:breen.mach...@gmail.com<mailto:breen.mach...@gmail.com>>> >>>>> >>>>> > >>> wrote: >>>>> > >>> > In case anyone else is interested in this, someone >>>>> else >>>>> has >>>>> > already >>>>> > >>> > created >>>>> > >>> > a system to scan and detect HTTP parameter pollution >>>>> > vulnerabilities. >>>>> > >>> > They >>>>> > >>> > don't provide the source for their tool but it can >>>>> be >>>>> found >>>>> here: >>>>> > >>> > http://papas.iseclab.org/cgi-bin/index.py >>>>> > >>> > >>>>> > >>> > Their paper describing how it works can be found >>>>> here: >>>>> > >>> > http://www.iseclab.org/people/embyte/papers/hpp.pdf >>>>> > >>> > >>>>> > >>> > I plan on reading it and taking a shot at >>>>> implementation >>>>> as a >>>>> > w3af >>>>> > >>> > plugin. >>>>> > >>> >>>>> > >>> Great! For comparing HTTP response bodies (which I assume >>>>> > you'll have >>>>> > >>> to do) take a look at levenshtein.py >>>>> (relative_distance_boolean >>>>> > >>> function). >>>>> > >>> >>>>> > >>> Regards, >>>>> > >>> >>>>> > >>> > >>>>> > >>> > >>>>> > >>>>> >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> > >>> > Live Security Virtual Conference >>>>> > >>> > Exclusive live event will cover all the ways today's >>>>> security and >>>>> > >>> > threat landscape has changed and how IT managers can >>>>> respond. >>>>> > >>> > Discussions >>>>> > >>> > will include endpoint security, mobile security and >>>>> the >>>>> latest in >>>>> > >>> > malware >>>>> > >>> > threats. >>>>> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>>>> > >>> > _______________________________________________ >>>>> > >>> > W3af-develop mailing list >>>>> > >>> > W3af-develop@lists.sourceforge.net >>>>> <mailto:W3af-develop@lists.sourceforge.net> >>>>> > <mailto:W3af-develop@lists.sourceforge.net >>>>> >>>>> <mailto:W3af-develop@lists.sourceforge.net>> >>>>> > >>> > >>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop >>>>> > >>> > >>>>> > >>> >>>>> > >>> >>>>> > >>> >>>>> > >>> -- >>>>> > >>> Andrés Riancho >>>>> > >>> Project Leader at w3af - http://w3af.org/ >>>>> > >>> Web Application Attack and Audit Framework >>>>> > >>> Twitter: @w3af >>>>> > >>> GPG: 0x93C344F3 >>>>> > >> >>>>> > >> >>>>> > > >>>>> > >>>>> > >>>>> > >>>>> > -- >>>>> > Andrés Riancho >>>>> > Project Leader at w3af - http://w3af.org/ >>>>> > Web Application Attack and Audit Framework >>>>> > Twitter: @w3af >>>>> > GPG: 0x93C344F3 >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> > Live Security Virtual Conference >>>>> > Exclusive live event will cover all the ways today's security >>>>> and >>>>> > threat landscape has changed and how IT managers can respond. >>>>> Discussions >>>>> > will include endpoint security, mobile security and the latest >>>>> in >>>>> malware >>>>> > threats. >>>>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>>>> > >>>>> > >>>>> > >>>>> > _______________________________________________ >>>>> > W3af-develop mailing list >>>>> > W3af-develop@lists.sourceforge.net >>>>> <mailto:W3af-develop@lists.sourceforge.net> >>>>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop >> >> >> >> -- >> Taras >> http://oxdef.info > > > -- Taras http://oxdef.info ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
