James,

On Wed, Mar 18, 2009 at 10:40 AM, James Cole <[email protected]> wrote:
> Hi All
>
> Thank you for the excellent response.
>
> I have spoken to my client and his ISP and indeed after pulling down 85 card
> numbers, I was told that there were only a few card numbers on my client's
> site and no card numbers on any other vhosts on the same server platform. So
> I can assume that the plugin has reported false positives.

Ok

> As for checking and verifying the data I was unable to open the
> output-http.txt as it just crashes, it is 600Mb so I will run the test again
> over a short period so I can verify the data.
>
> I could open the output.txt file and also discovered the following error,
> hopefully this will be helpful to you.
>
> [ Thu 12 Mar 2009 10:07:39 AM GMT - error - threadManager ] Error in grep
> plugin, "passwordProfiling" raised the exception: 'queryString' object has
> no attribute 'split'. Please report this bug to the w3af sourceforge project
> page [ http://sourceforge.net/tracker/?func=add&group_id=170274&atid=853652
> ]
> Exception: Traceback (most recent call last):
>   File "/usr/bin/samurai/w3af/core/data/url/xUrllib.py", line 697, in
> _grepWorker
>     grepPlugin.grep_wrapper( request, response)
> AttributeError: 'queryString' object has no attribute 'split'
>
> [ Thu 12 Mar 2009 10:07:39 AM GMT - error - threadManager ] Traceback (most
> recent call last):
>   File "/usr/bin/samurai/w3af/core/data/url/xUrllib.py", line 697, in
> _grepWorker
>     grepPlugin.grep_wrapper( request, response)
>   File
> "/usr/bin/samurai/w3af/core/controllers/basePlugin/baseGrepPlugin.py", line
> 60, in grep_wrapper
>     self.grep( fuzzableRequest, response )
>   File "/usr/bin/samurai/w3af/plugins/grep/passwordProfiling.py", line 96,
> in grep
>     and not self._wasSent( request, d ) and len(d) > 3 \
>   File
> "/usr/bin/samurai/w3af/core/controllers/basePlugin/baseGrepPlugin.py", line
> 80, in _wasSent
>     sentData = urllib.unquote( sentData )
>   File "/usr/lib/python2.5/urllib.py", line 1153, in unquote
>     res = s.split('%')
> AttributeError: 'queryString' object has no attribute 'split'

Just fixed it in the trunk! =)

> Thanks again
> James
>
>
> 2009/3/18 Andres Riancho <[email protected]>
>>
>> Sasha,
>>
>> On Wed, Mar 18, 2009 at 5:21 AM, Alexander Berezhnoy
>> <[email protected]> wrote:
>> > Hi James,
>> >
>> > That's me who has written this plugin, so I will respond =)
>> >
>> > 2009/3/16 James Cole <[email protected]>:
>> >> Hi
>> >>
>> >> I have been getting to grips with W3af for the last month and a great
>> >> opportunity came about when a client I am currently working for asked
>> >> me to
>> >> test their web application.
>> >>
>> >> The client has their site on a shared (VPS) server and wanted to know
>> >> if any
>> >> credit card number could be gleaned from the site. I setup W3af on a
>> >> hard
>> >> drive install VMware image of Samurai (updated W3af via svn) and ran a
>> >> high
>> >> risk scan.
>> >>
>> >>
>> >>
>> >> The first problem I ran into was after an hour (or thereabouts) the gui
>> >> interface would blank out and the process was running at around 90%, I
>> >> let
>> >> the scan finish which it did but could not recover the gui interface
>> >> from
>> >> its blank screen.
>> >>
>> >>
>> >>
>> >> A quick side line here I saved my data to a txt output and an html
>> >> output,
>> >> the html output did not record any data and was just blank, is this the
>> >> norm
>> >> at the moment?
>> >>
>> >>
>> >>
>> >> The good news was that before the GUI failed I was able to recover 15
>> >> credit
>> >> card numbers. I ran the scan again but with only the credit card number
>> >> plugin and recovered 85 credit card numbers.
>> >>
>> >>
>> >>
>> >> Now my main question is how I manually verify the data I have collected
>> >> is
>> >> indeed from my client’s server. There is not a great deal of
>> >> information on
>> >> the plugin and I would like to understand the process a little better
>> >> for my
>> >> report for my client.
>> >>
>> >
>> > The plugin detects those sequences of digits which pass the Luhn
>> > check, that's all. You can open the "Results" tab and see the
>> > responses which were reported as containing card numbers.
>>
>> I just remembered this bug I found some days ago, could you please fix it?
>>
>>
>> https://sourceforge.net/tracker2/?func=detail&aid=2675396&group_id=170274&atid=853652
>>
>> The bug is that we are identifying a CC number when we have
>> 11234CC3333, and we shouldn't. I mean... if we have a CC number, but
>> at the end or the beginning it has numbers, it's not a CC number.
>>
>> > Andres, it seems a good idea to implement the highlighting of the
>> > findings for the grep plugins, what do you think?
>>
>> The highlight feature is already implemented in the core, but only the
>> mxInjection plugin uses it:
>>
>> d...@brick:~/w3af/w3af/trunk$ grep setToHighlight plugins/* -Rs
>> plugins/audit/mxInjection.py:                v.setToHighlight( mx_error )
>> d...@brick:~/w3af/w3af/trunk$
>>
>> I implemented it in the core a couple of weeks ago, and I failed to do
>> it in all the plugins, which is just adding a lot of
>> "v.setToHighlight( error_string )" or "i.setToHighlight( error_string
>> )" in the code.
>>
>> Any volunteers for this task?
>>
>> Cheers,
>>
>> > Sasha.
>> >
>> > ///////
>> >>
>> >>
>> >> Thanks in advance for any help
>> >>
>> >>
>> >>
>> >> James
>> >>
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> http://www.bonsai-sec.com/
>> http://w3af.sourceforge.net/
>
>



-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
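The false positive Andres describes above (a Luhn-valid card number glued to extra digits, as in "11234CC3333") can be shown with a small detector. This is an added example, not the w3af creditCards plugin's own code; the response body, the 17-digit tracking id and the 4111... test number are constructed sample values.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

# A maximal run of digits, optionally separated by single spaces or dashes.
# Because the run is maximal, its ends are never adjacent to another digit.
_RUN_RE = re.compile(r'\d(?:[ -]?\d)*')

def _digit_runs(text: str) -> list:
    return [re.sub(r'[ -]', '', m.group(0)) for m in _RUN_RE.finditer(text)]

def naive_detect(text: str) -> list:
    """Buggy behaviour: any 13..19 digit window inside a run that passes
    Luhn is reported, so a card number embedded in a longer id matches."""
    found = []
    for run in _digit_runs(text):
        for start in range(len(run)):
            for length in range(13, 20):
                window = run[start:start + length]
                if len(window) == length and luhn_ok(window):
                    found.append(window)
    return found

def strict_detect(text: str) -> list:
    """Fixed behaviour: the whole run must be the card number; digits
    glued to either end disqualify the candidate."""
    return [run for run in _digit_runs(text)
            if 13 <= len(run) <= 19 and luhn_ok(run)]

# Constructed response body: a 17-digit tracking id that happens to contain
# a Luhn-valid 16-digit substring, a real-looking card, and a Luhn-invalid ref.
SAMPLE_BODY = (
    "<p>Order 14111111111111111 shipped</p>"
    "<p>Card on file: 4111 1111 1111 1111</p>"
    "<p>Ref 9876543210123</p>"
)

if __name__ == "__main__":
    print("naive :", naive_detect(SAMPLE_BODY))   # reports the tracking id too
    print("strict:", strict_detect(SAMPLE_BODY))  # only the card number
```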

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users