Taras,

On Fri, Jul 20, 2012 at 7:33 AM, Taras <ox...@oxdef.info> wrote:
> Martin,
>
> thanks for pointing on this letter!
>
>> I haven't looked at the code (is it checked in somewhere?), but an
>> alternative route that does not use regexps for context detection is to
>> base the parser on HTMLParser.HTMLParser, as was done in
>> http://www.mail-archive.com/w3af-develop@lists.sourceforge.net/msg00828.html
> Nice job! We have this talk in 2010 and only currently we are getting
> closer to solution! 2 years... :(

It's open source, nobody can blame us ;)

>> Would be interesting to see a comparison on performance between these
>> two approaches, also with regards to malformed html and stuff. Anyway,
>> good work!
> What I'm really afraid of is malformed html. For modern browser it is
> not problem but for HTMLparser it could. For example, handling such
> thing like <<aaaa>foo</aaaa>

Your context code is prone to broken HTML, but I think it's not
something we should care about because we have to be VERY unlucky to
get hit by something like that. For example, if the HTML looks like
this:

<<html>
<div>
<a href="foo">XSS HERE</a>
</div>
</html>

It doesn't matter, because the broken part is "so far away from the
vulnerable section" that it won't break the algorithm. Even this will
work (I guess):

<html>
<div>
<<a href="foo">XSS HERE</a>
</div>
</html>

And these:

<a href="foo">XSS HERE</a>>

<a href="foo">XSS HERE<//a>

So... let's not worry about it for now,

Regards,

> --
> Taras
> http://oxdef.info
> GPG: C8D1F510
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
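
The malformed samples from the message above, run through a context detector built on Python's html.parser.HTMLParser (the Python 3 name of the HTMLParser.HTMLParser class mentioned in the thread). This is an added example, not w3af code or code from either author; ContextFinder, find_contexts and the attribute-value sample are assumptions made for illustration.

```python
from html.parser import HTMLParser

MARKER = "XSS HERE"  # same placeholder the message uses for the reflected payload


class ContextFinder(HTMLParser):
    """Hypothetical detector: records where MARKER is reflected in a response."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []     # elements currently open
        self.contexts = []  # (kind, enclosing tag, attribute name or None)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and MARKER in value:
                self.contexts.append(("attr_value", tag, name))
        self.stack.append(tag)

    def handle_endtag(self, tag):
        # Tolerate unbalanced markup: unwind to the last matching open tag
        # and ignore end tags that were never opened.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if MARKER in data:
            parent = self.stack[-1] if self.stack else None
            self.contexts.append(("text", parent, None))

    def handle_comment(self, data):
        # A broken end tag such as "<//a>" is reported here as a bogus comment.
        if MARKER in data:
            self.contexts.append(("comment", None, None))


def find_contexts(html):
    finder = ContextFinder()
    finder.feed(html)
    finder.close()
    return finder.contexts


# The four malformed samples from the message, whitespace collapsed.
MALFORMED_SAMPLES = [
    '<<html> <div> <a href="foo">XSS HERE</a> </div> </html>',
    '<html> <div> <<a href="foo">XSS HERE</a> </div> </html>',
    '<a href="foo">XSS HERE</a>>',
    '<a href="foo">XSS HERE<//a>',
]
# Constructed sample (not from the message): marker inside an attribute value.
ATTR_SAMPLE = '<<div> <a href="XSS HERE">link</a> </div>'

if __name__ == "__main__":
    for sample in MALFORMED_SAMPLES + [ATTR_SAMPLE]:
        print(find_contexts(sample), "<-", sample)
```

The stray "<" and ">" characters are delivered to handle_data as plain text, so the element stack around the marker is unaffected in all four samples.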