Hey Andres, I've been reading over the plugin descriptions. Under the Discovery Plugins, the urlfuzzer may have a bit of a problem due to the assumption that anything not a 404 will be a new url. When I was doing a manual test on a site (not using w3af), I noticed that my guessing of urls based on looking for old and bak filenames returned responses that weren't 404. However, they didn't really exist. They actually returned a 302, and a set of custom error pages, including just a blank body with the site's header bar. In view of that, maybe a 302 response should be treated as equivalent to a 404, or the tester may be prompted to include the particular page as a "false positive" page?
Wayne

Wayne Dawson, Security Analyst
Inventure Solutions Inc | A Vancity Company
www.inventuresolutions.com
4th Fl - 183 Terminal Avenue, Vancouver, BC V6A 4G2
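One way a URL fuzzer could handle the 302 and custom-error-page cases described in this message, as an added example that is not part of the original post and not w3af's own code: learn what "not found" looks like from probes of paths that cannot exist, then compare each fuzzed response against that baseline. All names (`Response`, `NotFoundFingerprint`, `discovered`) and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlsplit

@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""  # value of the Location header, if any

class NotFoundFingerprint:
    """Baselines are responses to random, certainly nonexistent paths."""
    def __init__(self, baselines, threshold=0.9):
        self.baselines = list(baselines)
        self.threshold = threshold

    def is_not_found(self, resp):
        if resp.status == 404:
            return True
        for base in self.baselines:
            if resp.status != base.status:
                continue
            if 300 <= resp.status < 400:
                # Same redirect target as the baseline (query string ignored,
                # since error pages often echo the requested path there).
                if urlsplit(resp.location).path == urlsplit(base.location).path:
                    return True
            elif SequenceMatcher(None, resp.body, base.body).ratio() >= self.threshold:
                # Body is (nearly) identical to the site's custom error page.
                return True
        return False

def discovered(fingerprint, responses):
    """Return the fuzzed paths that do not match the not-found fingerprint."""
    return [p for p, r in responses.items() if not fingerprint.is_not_found(r)]

# Constructed sample data: a site that answers missing pages with a 302 to an
# error page, or with a 200 page containing only the site's header bar.
HEADER_ONLY = "<html><body><div id='header'>Example Site</div></body></html>"
BASELINES = [
    Response(302, location="/error.aspx?aspxerrorpath=/zq81kd"),
    Response(200, body=HEADER_ONLY),
]
FUZZED = {
    "/index.php.bak": Response(302, location="/error.aspx?aspxerrorpath=/index.php.bak"),
    "/default.old": Response(200, body=HEADER_ONLY),
    "/admin": Response(302, location="/login?next=/admin"),
    "/robots.txt": Response(200, body="User-agent: *\nDisallow: /private/\n"),
    "/missing": Response(404),
}

if __name__ == "__main__":
    print(discovered(NotFoundFingerprint(BASELINES), FUZZED))
```

Treating every 302 as a 404 would also hide `/admin`, which redirects to a login page; comparing the redirect target against the baseline keeps it.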
