Re: [W3af-develop] XSS ideas

Sun, 08 Jul 2012 11:39:46 -0700 

On 06/30/2012 11:46 AM, Taras wrote:
> 2all, just want to say that now we are passed all our XSS tests.
>
> ./test.sh
> nose.config: INFO: Ignoring files matching ['^\\.', '^_', '^setup\\.py$']
> w3af is officially supported under Python 2.6
> test_all (core.data.context.tests.test_context.TestContext) ... passed
> test_html_inside_js (core.data.context.tests.test_context.TestContext) 
> ... passed
> test_payload (core.data.context.tests.test_context.TestContext) ... passed
> test_payload_double_script 
> (core.data.context.tests.test_context.TestContext) ... passed
> test_payload_html_inside_comment 
> (core.data.context.tests.test_context.TestContext) ... passed
> test_payload_html_inside_script_with_comment 
> (core.data.context.tests.test_context.TestContext) ... passed
> test_payload_script_broken_double_close 
> (core.data.context.tests.test_context.TestContext) ... passed
> test_payload_script_broken_double_open 
> (core.data.context.tests.test_context.TestContext) ... passed
> test_payload_script_single_quote 
> (core.data.context.tests.test_context.TestContext) ... passed
> test_payload_text_can_break 
> (core.data.context.tests.test_context.TestContext) ... passed
>
> -----------------------------------------------------------------------------
> 10 tests run in 0.3 seconds (10 tests passed)
>
>
>
> Now time for WAVSEP! :)
>
> On 06/27/2012 11:31 AM, Taras wrote:
>> Steve,
>>
>>> You may wish to look at how both arachni and ZAP handle this problem, as
>>> they both now detect 100% of the XSS part of the WAVSEP benchmark.
>> I will look on these tools, thanks!
>>
>>> (I must admit I have some concerns with using REGEX to do the job
>>> instead of a real parser for both false positives and false negatives.)
>>>
>>> Steve

I haven't looked at the code (is it checked in somewhere?), but an
alternative route that does not use regexps for context detection is to
base the parser on HTMLParser.HTMLParser, as was done in
http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00828.html
. Would be interesting to see a comparison on performance between these
two approaches, also with regards to malformed html and stuff. Anyway,
good work!

/Martin



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop

Reply via email to