Achim,

On Mon, May 20, 2013 at 1:09 PM, Achim Hoffmann <webse...@sic-sec.org> wrote:
> Hi Andrés,
>
> sounds like fuzzer.py is what I asked for. Thanks.

Good to hear,

> Questions now are:
> 1. how can a private file be used there?

w3af is pluggable up to some extent, I didn't design it to be able to have
multiple fuzzers. While this wouldn't take much time to implement, it's not
in my roadmap at the moment. I would say that if you want to have a private
version of that fuzzer.py file, you'll have to either do the refactoring
yourself to "expose a fuzzer API to the w3af core" or, more simply,
overwrite my version with yours :)

> 2. how to use a dynamically generated file there?

What do you mean by dynamically generated file? I wouldn't generate Python
code dynamically, at least not for this. I would extend the misc-settings to
configure the fuzzer and have decent defaults.

> Ciao,
> Achim
>
>
> On 15.05.2013 15:41, Andres Riancho wrote:
>> Achim,
>>
>> On Wed, May 15, 2013 at 9:53 AM, Achim Hoffmann <webse...@sic-sec.org> wrote:
>>> Hi all,
>>>
>>> I'm searching for a plugin which can encode a payload multiple times.
>>> Does such a thing exist in w3af?
>>
>> No, it doesn't. w3af doesn't play with encoding as much as it should.
>>
>> As a side note, I think I wouldn't implement this as a plugin, I would
>> add it in the create_mutants function [0]. This function takes
>> fuzzable requests as input and outputs modified requests. Example:
>>
>> Input:
>> - http://host.tld/foo?id=1
>> - [payload1, payload2]
>>
>> Output:
>> - http://host.tld/foo?id=payload1
>> - http://host.tld/foo?id=payload2
>>
>> If you read [0] you'll notice that it would be a good idea to add a
>> fuzzer_config (see: _get_fuzzer_config) where the user can configure
>> at a framework-wide level the "encoding depth". By default I would set
>> it to zero: only use the regular RFC required encoding.
>>
>> If create_mutants is modified, it would be possible to have it output
>> something like:
>> - http://host.tld/foo?id=payload1
>> - http://host.tld/foo?id=payload2
>> - http://host.tld/foo?id=encodeEntity(payload1)
>> - http://host.tld/foo?id=encodeEntity(payload2)
>> ....
>> - http://host.tld/foo?id=encodeEntity(encodeURL(encodeURL(payload1)))
>> - http://host.tld/foo?id=encodeEntity(encodeURL(encodeURL(payload2)))
>>
>> This would be a good thing to have, and the implementation at this
>> level will affect all plugins which use the create_mutants function
>> (all which send payloads, if I'm not mistaken). create_mutants also
>> mutates the path (as in your /path/foo<u>xss/other example),
>> post-data, etc.
>>
>> [0] https://github.com/andresriancho/w3af/blob/master/core/data/fuzzer/fuzzer.py
>>
>>
>>> The idea is as follows:
>>> given a URL like
>>>
>>> /path/foo<u>xss/other
>>>
>>> I want to test these variants:
>>>
>>> /path/foo<u>xss/other
>>> /path/foo%3Cu%3Exss/other
>>> /path/foo%253cu%253exss/other
>>> /path/foo%25253cu%25253exss/other
>>> /path/foo%26%6C%74%3Bu%26%67%74%3Bxss/other
>>> /path/foo%26%6C%74%3B%75%26%67%74%3Bxss/other
>>> /path/foo%2526%256C%2574%253Bu%2526%2567%2574%253Bxss/other
>>> /path/foo%3Cu%3Exss/other
>>> /path/foo%253Cu%253Exss/other
>>>
>>> The idea (abstract) is like:
>>>
>>> encodeEntity(payload)
>>> encodeURL(payload)
>>> encodeURL(encodeURL(payload))
>>> encodeURL(encodeURL(encodeURL(payload)))
>>> encodeURL(encodeEntity(payload))
>>> encodeEntity(encodeURL(payload))
>>> encodeEntity(encodeURL(encodeURL(payload)))
>>>
>>> The payload can be anywhere in the URL, header or body.
>>> Testing in the URL at first will be great.
>>>
>>> Is there such a plugin, or one which can simply be extended?
>>>
>>> Any help appreciated
>>> Achim
>>>
>>>
>>> BTW, I already have a tool to generate such payloads in the browser
>>> https://www.owasp.org/index.php/Category:OWASP_EnDe
>>> you can nest the encoding functions however you like (see [Functions]
>>> button)
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
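The "encoding depth" idea discussed in this thread, worked through as an added example in Python (not w3af's own create_mutants code): encode_url, encode_entity and encoding_variants are names chosen here, ENCODERS is assumed, and the http://host.tld/foo?id=1 input is the thread's example. It enumerates every composition of the two encoders up to a configurable depth, which is also the set of spellings an input filter has to canonicalize before it can match a single test string.

```python
# Added example, not w3af code: nested-encoding mutant generation with a
# framework-wide "encoding depth", as proposed for create_mutants above.
import html
import itertools
from urllib.parse import quote, urlsplit, urlunsplit


def encode_url(s):
    # Percent-encode everything except unreserved characters (letters, digits, _.-~).
    return quote(s, safe="")


def encode_entity(s):
    # Replace the five XML-special characters (& < > " ') with named entities.
    return html.escape(s, quote=True)


# Label -> encoder; insertion order determines the order of generated variants.
ENCODERS = {"encodeURL": encode_url, "encodeEntity": encode_entity}


def encoding_variants(payload, depth):
    """Return {chain_label: encoded_payload} for every composition of the
    encoders with 0..depth layers. Depth 0 (the proposed default) yields only
    the raw payload; depth 2 adds e.g. encodeURL(encodeEntity(payload))."""
    variants = {}
    for n in range(depth + 1):
        for chain in itertools.product(ENCODERS, repeat=n):
            value, label = payload, "payload"
            # Apply the innermost encoder first so the label reads like the
            # nested call it represents.
            for name in reversed(chain):
                value = ENCODERS[name](value)
                label = f"{name}({label})"
            variants[label] = value
    return variants


def create_mutants(url, payloads, depth):
    """Substitute every encoded variant of every payload into each query
    parameter in turn and return the mutated URLs. Variants are inserted
    verbatim: the encoding depth is the fuzzer's decision, not the HTTP layer's."""
    parts = urlsplit(url)
    pairs = [p.partition("=")[::2] for p in parts.query.split("&") if p]
    mutants = []
    for i, (name, _original) in enumerate(pairs):
        for payload in payloads:
            for encoded in encoding_variants(payload, depth).values():
                mutated = list(pairs)
                mutated[i] = (name, encoded)
                query = "&".join(f"{k}={v}" for k, v in mutated)
                mutants.append(urlunsplit(parts._replace(query=query)))
    return mutants
```

Note that encodeEntity(encodeURL(payload)) collapses to encodeURL(payload) for payloads without & < > " ' left after percent-encoding, so a real fuzzer would deduplicate the variant values before sending them.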