@Martin: Any comments on the code? @Taras: Where do we stand on this? Are we ready to merge to trunk? I'm very unhappy about this result [0] (which I know is my fault because of implementing such a basic XSS test in the first place) and I would love to see those numbers change and us move to the Top5
[0] http://sectoolmarket.com/reflected-cross-site-scripting-detection-accuracy-unified-list.html On Sun, Jul 8, 2012 at 5:06 PM, Andres Riancho <andres.rian...@gmail.com> wrote: > Martin, > > Here is the code, if you've got the time we would love to hear > your comments: > > http://sourceforge.net/apps/trac/w3af/browser/branches/xss/plugins/audit/xss.py > > One of the most important parts is the context module. > > Regards, > > On Sun, Jul 8, 2012 at 3:18 PM, Martin Holst Swende <mar...@swende.se> wrote: >> On 06/30/2012 11:46 AM, Taras wrote: >> >> 2all, just want to say that now we are passed all our XSS tests. >> >> ./test.sh >> nose.config: INFO: Ignoring files matching ['^\\.', '^_', '^setup\\.py$'] >> w3af is officially supported under Python 2.6 >> test_all (core.data.context.tests.test_context.TestContext) ... passed >> test_html_inside_js (core.data.context.tests.test_context.TestContext) >> ... passed >> test_payload (core.data.context.tests.test_context.TestContext) ... passed >> test_payload_double_script >> (core.data.context.tests.test_context.TestContext) ... passed >> test_payload_html_inside_comment >> (core.data.context.tests.test_context.TestContext) ... passed >> test_payload_html_inside_script_with_comment >> (core.data.context.tests.test_context.TestContext) ... passed >> test_payload_script_broken_double_close >> (core.data.context.tests.test_context.TestContext) ... passed >> test_payload_script_broken_double_open >> (core.data.context.tests.test_context.TestContext) ... passed >> test_payload_script_single_quote >> (core.data.context.tests.test_context.TestContext) ... passed >> test_payload_text_can_break >> (core.data.context.tests.test_context.TestContext) ... passed >> >> ----------------------------------------------------------------------------- >> 10 tests run in 0.3 seconds (10 tests passed) >> >> >> >> Now time for WAVSEP! :) >> >> On 06/27/2012 11:31 AM, Taras wrote: >> >> Steve, >> >> You may wish to look at how both arachni and ZAP handle this problem, as >> they both now detect 100% of the XSS part of the WAVSEP benchmark. >> >> I will look on these tools, thanks! >> >> (I must admit I have some concerns with using REGEX to do the job >> instead of a real parser for both false positives and false negatives.) >> >> Steve >> >> >> I haven't looked at the code (is it checked in somewhere?), but an >> alternative route that does not use regexps for context detection is to base >> the parser on HTMLParser.HTMLParser, as was done in >> http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00828.html >> . Would be interesting to see a comparison on performance between these two >> approaches, also with regards to malformed html and stuff. Anyway, good >> work! >> >> /Martin >> >> >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> W3af-develop mailing list >> W3af-develop@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/w3af-develop >> > > > > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
