Sasha,

On Wed, Mar 18, 2009 at 5:21 AM, Alexander Berezhnoy
<[email protected]> wrote:
> Hi James,
>
> I'm the one who wrote this plugin, so I will respond =)
>
> 2009/3/16 James Cole <[email protected]>:
>> Hi
>>
>> I have been getting to grips with W3af for the last month and a great
>> opportunity came about when a client I am currently working for asked me to
>> test their web application.
>>
>> The client has their site on a shared (VPS) server and wanted to know if any
>> credit card number could be gleaned from the site. I set up W3af on a hard
>> drive install VMware image of Samurai (updated W3af via svn) and ran a high
>> risk scan.
>>
>> The first problem I ran into was after an hour (or there about) the gui
>> interface would blank out and the process was running at around 90%, I let
>> the scan finish which it did but could not recover the gui interface from
>> its blank screen.
>>
>> A quick side line here: I saved my data to a txt output and an html output.
>> The html output did not record any data and was just blank; is this the norm
>> at the moment?
>>
>> The good news was that before the GUI failed I was able to recover 15 credit
>> card numbers. I ran the scan again but with only the credit card number
>> plugin and recovered 85 credit card numbers.
>>
>> Now my main question is how I manually verify that the data I have collected is
>> indeed from my client's server. There is not a great deal of information on
>> the plugin and I would like to understand the process a little better for my
>> report for my client.
>>
>
> The plugin detects those sequences of digits which pass the Luhn
> check, that's all. You can open the "Results" tab and see the
> responses which were reported as containing card numbers.

I just remembered this bug I found some days ago, could you please fix it?

https://sourceforge.net/tracker2/?func=detail&aid=2675396&group_id=170274&atid=853652

The bug is that we are identifying a CC number when we have
11234CC3333, and we shouldn't. I mean... if we have a CC number, but
at the end or the beginning it has numbers, it's not a CC number.

> Andres, it seems a good idea to implement the highlighting of the
> findings for the grep plugins, what do you think?

The highlight feature is already implemented in the core, but only the
mxInjection plugin uses it:

d...@brick:~/w3af/w3af/trunk$ grep setToHighlight plugins/* -Rs
plugins/audit/mxInjection.py:                v.setToHighlight( mx_error )
d...@brick:~/w3af/w3af/trunk$

I implemented it in the core a couple of weeks ago, and I failed to do
it in all the plugins, which is just adding a lot of
"v.setToHighlight( error_string )" or "i.setToHighlight( error_string
)" in the code.

Any volunteers for this task?

Cheers,

> Sasha.
>>
>> Thanks in advance for any help
>>
>> James
>>
>
-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
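To make the plugin's detection rule and the tracker bug above concrete, here is an added example (not w3af's own grep plugin code): a Luhn check, a naive window scan that reproduces the "11234CC3333" false positive, and a bounded scan that rejects digit runs touching other digits. The sample response bodies are constructed; 4111111111111111 is a well-known Luhn-valid test number.

```python
import re

# Luhn checksum, the only test the grep plugin discussed above applies.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Naive scan: slide 13-16 digit windows across every digit run and keep any
# window that passes Luhn. This reproduces the reported bug: a valid number
# embedded in a longer digit string is still flagged.
def naive_scan(body: str) -> list[str]:
    hits = []
    for run in re.finditer(r"\d+", body):
        s = run.group(0)
        for n in (16, 15, 14, 13):
            for start in range(len(s) - n + 1):
                cand = s[start:start + n]
                if luhn_ok(cand) and cand not in hits:
                    hits.append(cand)
    return hits

# Bounded scan: the run must not be preceded or followed by another digit,
# so a candidate with extra digits at either end is not reported.
BOUNDED = re.compile(r"(?<!\d)\d{13,16}(?!\d)")

def bounded_scan(body: str) -> list[str]:
    return [m.group(0) for m in BOUNDED.finditer(body) if luhn_ok(m.group(0))]

# Constructed sample responses (hypothetical, not captured from any site).
CLEAN = "<td>Card on file: 4111111111111111</td>"
EMBEDDED = "<td>Session id: 114111111111111111333</td>"

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("embedded", EMBEDDED)):
        print(name, "naive:", naive_scan(body), "bounded:", bounded_scan(body))
```

The bounded regex is the whole fix: the same Luhn test runs, only the window selection changes.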

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users