-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Taras,
On 08/04/2012 04:50 PM, Taras wrote: > Andres, > >>> JFYI: currently I'm working on optimize xss&contect code to >>> pass wavsep unittests. >> >> Great stuff! I've been watching your SVN commits :) Specifically >> from the test_xss.py file, from the list of WAVSEP test cases, >> how many are passing? How many are we missing? > > As you have seen for the first I have added only tests for > GET-method XSS. I think POST tests are the same as GET in terms of where the data is echoed, but they add a form, change the method, etc. > From 32 tests w3af passes about 20. We have problems with JS event > handlers and VisualBasic (Is it still supported by IE?) cases :) Not sure if it is still supported, but I imagine that the context/techniques applied to vbs also cover some other edge case that might be important. >> Do you think we'll be able to cover them all? > IMHO, we have chances. That's very good news! >> Please don't forget about the false positive tests, which we >> should be able to pass too. > Agree. > >>> <html> <input type="button" value="ClickMe" onClick="var >>> customerName='PAYLOAD'"> </html> >>> >>> As you see here JS context is inside HTML attribute (JS event >>> handler) onlick. >> >> Oh wow, so you'll have to verify that you can break out of the ' >> context and then the " one! > Here we need to break only ' to escape from quoted string in nested > JS context to get possible XSS. Ohh, so you're going for: PAYLOAD: foo';alert(1) <input type="button" value="ClickMe" onClick="var customerName='foo';alert(1)'"> Instead of: PAYLOAD: foo'"><script>alert(1)</script><!-- <input type="button" value="ClickMe" onClick="var customerName='foo'"><script>alert(1)</script><!--'"> Or: PAYLOAD: foo'" onMouseOver="alert(1)" foo=" <input type="button" value="ClickMe" onClick="var customerName='foo'" onMouseOver="alert(1)" foo="'"> Makes sense, the first one is easier, exploitation is then left as an exercise for the user, >> Was your code designed to handle something like that? > Yes, I will create special contexts for this case. - -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlAdsAwACgkQLgy+VpPDRPMeqQCdFNQgr7ba+RdpTIiKBWW7I8jx 5XcAn3T8/Gm38LXLbuUQKm336Es4N6yc =fAeh -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
