Wayne,
On Sun, Nov 30, 2008 at 11:22 AM, Wayne Dawson
<[EMAIL PROTECTED]> wrote:
> Hey Andres,
>
> I've been reading over the plugin descriptions. Under the Discovery Plugins,
> the urlfuzzer may have a bit of problem due to the assumption that anything
> not a 404 will be a new url. When I was doing a manual test on a site (not
> using w3af), I noticed that my guessing of urls based on looking for old and
> bak filenames returned responses that weren't 404. However, they didn't really
> exist. They actually returned a 302, and a set of custom error pages, including
> just a blank body with the site's header bar. In view of that, maybe a 302
> response should be treated as equivalent to a 404, or the tester may be
> prompted to include the particular page as a "false positive" page?
Actually, the description was a HEAVY simplification of the whole
process. Internally, the url fuzzer plugin (and all plugins actually)
use this logic:
    if not self.is404( response ):
        return True

Instead of something like:

    if response.getCode() != 404:
        return True
What this means is that w3af performs automatic detection of 404 error
pages using the is404 method, which performs automatic detection of
404 pages, not based on the HTTP response code. In other words, w3af
should work as expected in the environment you mention, where you had
a 302 redirect.
Also, and because of your email, I changed the plugin description a
little bit, in order to make this clear for future readers. Please
perform a "svn up" in order to get the latest version of the plugin to
see if the new description matches my email and your expectations.
Thanks for your email, and I hope that this fixes the "documentation" bug! =)
Cheers,
>
> Wayne
>
> Wayne Dawson, Security Analyst
> Inventure Solutions Inc | A Vancity Company
> www.inventuresolutions.com
> 4th Fl - 183 Terminal Avenue, Vancouver, BC V6A 4G2
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
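The following is an added example of content-based 404 detection in the spirit of the is404() logic Andres describes above. It is not w3af's own implementation: the NotFoundDetector class, its probe extensions and 0.9 similarity threshold, the fake_fetch() sample site and the fuzz() helper are all assumptions made for illustration. It covers both failure modes of checking the status code alone: Wayne's case (a 302 plus a blank page with the header bar for names that do not exist) and the opposite one (a "document not found" page served with 200).

```python
"""Content-based 404 detection (added example, not w3af's own code).

Instead of trusting the status code, request names that cannot exist in a
directory, remember what the server answers, and treat any later response
that looks the same as "not found".  Names, threshold and sample site below
are assumptions for illustration."""
import difflib
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    code: int
    body: str
    location: Optional[str] = None  # Location header on redirects


def normalize(text: str, path: str) -> str:
    """Make two copies of the same error page compare equal: drop the echoed
    request path, markup, digits (timestamps, nonces) and whitespace."""
    text = text.replace(path, " ")
    text = re.sub(r"<[^>]+>", " ", text)
    text = re.sub(r"\d+", " ", text)
    return " ".join(text.lower().split())


def similarity(body_a: str, path_a: str, body_b: str, path_b: str) -> float:
    """Ratio in [0, 1] between two bodies after normalisation."""
    return difflib.SequenceMatcher(
        None, normalize(body_a, path_a), normalize(body_b, path_b)).ratio()


class NotFoundDetector:
    """Learns what "not found" looks like per directory and judges later
    responses by resemblance to those samples, not by status code alone."""

    PROBE_EXTENSIONS = ("", ".html", ".bak", ".old")  # assumed probe set

    def __init__(self, fetch: Callable[[str], Response], threshold: float = 0.9):
        self.fetch = fetch          # fetch(path) -> Response
        self.threshold = threshold  # assumed cut-off; tune per target
        self._samples: Dict[str, List[Tuple[str, Response]]] = {}

    def _samples_for(self, directory: str) -> List[Tuple[str, Response]]:
        if directory not in self._samples:
            probes = [f"{directory}{secrets.token_hex(8)}{ext}"
                      for ext in self.PROBE_EXTENSIONS]
            self._samples[directory] = [(p, self.fetch(p)) for p in probes]
        return self._samples[directory]

    def is404(self, path: str, response: Response) -> bool:
        if response.code == 404:
            return True
        directory = path.rsplit("/", 1)[0] + "/"
        for probe, sample in self._samples_for(directory):
            if sample.code != response.code:
                continue
            # A redirect to somewhere other than the error handler is a real hit.
            if normalize(sample.location or "", probe) != normalize(response.location or "", path):
                continue
            if similarity(sample.body, probe, response.body, path) >= self.threshold:
                return True
        return False


# Constructed sample site (not a real host) reproducing Wayne's observation:
# unknown names answer 302 with just the header bar; under /docs/ they answer 200.
HEADER = "<div id='hdr'>Example Corp</div>"
REAL_PAGES = {
    "/index.html": HEADER + "<h1>Welcome</h1><p>Current site</p>",
    "/admin/index.old": HEADER + "<h1>Old admin</h1><pre>Backup index from 2007</pre>",
}


def fake_fetch(path: str) -> Response:
    if path in REAL_PAGES:
        return Response(200, REAL_PAGES[path])
    if path == "/login.php":  # a real resource that is itself a redirect
        return Response(302, "", location="/auth/")
    if path.startswith("/docs/"):  # soft 404: error page served with 200
        return Response(200, HEADER + "<h1>Document not found</h1>")
    return Response(302, HEADER, location="/error")  # 302 + blank page with header bar


def fuzz(detector: NotFoundDetector, candidates: List[str]) -> List[str]:
    """Return the candidate paths that are not 404s according to the detector."""
    return [p for p in candidates if not detector.is404(p, detector.fetch(p))]


if __name__ == "__main__":
    det = NotFoundDetector(fake_fetch)
    print(fuzz(det, ["/index.html", "/index.bak", "/index.old", "/admin/index.old",
                     "/admin/index.bak", "/docs/manual.bak", "/login.php"]))
```

Two caveats when running this against a live target: if the probe responses for one directory do not resemble each other (heavily randomised error pages), the threshold has to drop or the detector should fall back to a manual "false positive" page as Wayne suggests; and every new directory costs one request per probe extension, so cache the samples as the class does rather than re-probing per candidate.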