List,

I'm glad to announce that w3af can now detect 100% of the XSS vulnerabilities in WAVSEP!

As part of the "Improve w3af's score for WAVSEP XSS by at least 20%" [0] task, I completely rewrote (twice) the context detection engine originally developed by Taras. The new engine has the following improvements:

* Code is easier to read
* Context detection false positives are reduced (but can still be improved by migrating from HTMLParser to lxml)
* Added JavaScript sub-parser
* Added CSS sub-parser

I've also added new payloads to the XSS plugin which were required to "break out" of the new contexts we're identifying.

These changes are part of the "develop" branch, just switch to the branch using "git checkout develop" and enjoy the new features (bug reports are always welcome!).

For those who love to read code, you'll find most of the changes here [1]

Enjoy!

[0] https://github.com/andresriancho/w3af/issues/37
[1] https://github.com/andresriancho/w3af/tree/develop/w3af/core/data/context

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
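To illustrate what "context detection" means in the announcement above, here is an added example (not w3af's code, and not written by the author) that uses Python 3's `html.parser` to report where a harmless marker string is reflected in a response, which tells a developer which output encoding that location needs. The marker, the sample body, and the names `ContextFinder`, `ATTR_KINDS` and `find_contexts` are all assumptions made for the illustration.

```python
from html.parser import HTMLParser

MARKER = "zq7x9"  # constructed probe token, assumed not to occur naturally
# Attributes whose value is not plain text (illustrative, not exhaustive).
ATTR_KINDS = {"style": "style_attr_css", "href": "url_attr",
              "src": "url_attr", "action": "url_attr"}

# Constructed response body reflecting the marker in several places.
SAMPLE = """<p>Hello zq7x9</p>
<input value="zq7x9">
<a href="/go?u=zq7x9" onclick="track('zq7x9')">x</a>
<script>var q = "zq7x9";</script>
<style>.zq7x9 { color: red }</style>
<!-- debug: zq7x9 -->"""


class ContextFinder(HTMLParser):
    """Record the context of every reflection of MARKER (hypothetical helper)."""

    def __init__(self):
        super().__init__()
        self.contexts = []
        self._raw = None  # "script" or "style" while inside that element

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and MARKER in value:
                # on* attributes hold JavaScript, so they need JS-aware encoding
                kind = ("event_handler_js" if name.startswith("on")
                        else ATTR_KINDS.get(name, "attr_value"))
                self.contexts.append((kind, f"{tag}[{name}]"))
        if tag in ("script", "style"):
            self._raw = tag

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None

    def handle_data(self, data):
        if MARKER in data:
            # Text inside <script>/<style> is JS/CSS, not HTML text
            kind = {"script": "script_js", "style": "style_css"}.get(self._raw, "html_text")
            self.contexts.append((kind, self._raw or "text"))

    def handle_comment(self, data):
        if MARKER in data:
            self.contexts.append(("html_comment", "comment"))


def find_contexts(body):
    finder = ContextFinder()
    finder.feed(body)
    finder.close()
    return finder.contexts
```

Each reported context calls for a different encoder on the server side (HTML entity, attribute, JavaScript string, CSS, or URL encoding), which is why a scanner needs to tell them apart before it can judge whether a reflection is exploitable.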