Achim,
On Tue, May 19, 2009 at 3:51 PM, Achim Hoffmann <[email protected]> wrote:
>
> Hi Andres,
>
> as you write mails, you're no longer jetlagged ;-)
hehe, no, I arrived some days ago and I'm fully functional now =)
> According to Dimitri's question/suggestion:
> IIRC all attack signatures are hardcoded, that's difficult to maintain.
> If you give me a short introduction where (which) file to find the attack
> signatures (and the code places where they are manipulated, if any),
> then I try to make a suggestion to handle all attack signatures in a
> simple way, better human readable, better maintenance, better overview, ...
>
> What do you think about that?
I think that having the payloads inside the same plugin makes it more
readable. The user/developer/etc won't need to go to yet another file,
and see how those files are related in order to understand which
payloads are sent.
A simple example is here:
-----
    def _get_echo_commands(self):
        '''
        @return: This method returns a list of commands to try to execute in order
        to print the content of a known file.
        '''
        commands = []
        for special_char in self._special_chars:
            # Unix
            cmd_string = special_char + "/bin/cat /etc/passwd"
            commands.append( command(cmd_string, 'unix', special_char))
            # Windows
            cmd_string = special_char + "type %SYSTEMROOT%\\win.ini"
            commands.append( command(cmd_string, 'windows', special_char))

        # Execution quotes
        commands.append( command("`/bin/cat /etc/passwd`", 'unix', '`'))
        # FoxPro uses run to run os commands. I found one of this vulns !!
        commands.append( command("run type %SYSTEMROOT%\\win.ini",
                                 'windows', 'run'))

        # Now I filter the commands based on the targetOS:
        targetOS = cf.cf.getData('targetOS').lower()
        commands = [ c for c in commands if c.getOs() == targetOS or
                     targetOS == 'unknown']

        return commands
-----
I think that it's easier to read the code, and not an XML file that
represents this information PLUS the python code to parse and filter
it.
On the other hand, I know of at least two tools that work with
external files to define the payloads: nikto and Grendel Scan. So it
seems that at some point the idea that you're proposing makes a lot of
sense. But for now I think that w3af is ok as it is.
What about everybody else? What do you think about this? Would it be
beneficial to write the payloads in different files?
Cheers,
> Cheers,
> Achim
>
> On Tue, 19 May 2009, Dimitri Paranoid wrote:
>
> !! Hi guys,
> !! I played with the w3af for the first time today. I'm specifically
> !! interested in the XSS scanning (crawling + fuzzing).
> !!
> !! It seems w3af does not catch the case when the site echoes the
> !! double-encoded Javascript.
> !! I added the following tests in xss.py, function _get_xss_tests :
> !!
> !! # D.S - url escaped injection string
> !! xss_tests.append(('%3CSCrIPT%3Ealert%28%22RANDOMIZE%22%29%3C/SCrIPT%3E',
> !!                   [browsers.ALL, ]))
> !!
> !! # D.S - double quoted injection string
> !! xss_tests.append(('%2522%253E%253Cscript%253Ealert%2528/RANDOMIZE/%2529%253C/script%253E',
> !!                   [browsers.ALL, ]))
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
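The double-decoding case Dimitri describes above, worked through as an added example (my code, not w3af's): it takes the two encoded test strings quoted in the thread, delivers them to three hypothetical handlers (names and bodies are my own), and reports which encoding exposes which bug and that escaping on output stops both.

```python
from html import escape
from urllib.parse import unquote

# The two encoded test strings from the thread (RANDOMIZE is the token the
# scanner substitutes); used here as constructed sample inputs.
URL_ESCAPED = '%3CSCrIPT%3Ealert%28%22RANDOMIZE%22%29%3C/SCrIPT%3E'
DOUBLE_ESCAPED = '%2522%253E%253Cscript%253Ealert%2528/RANDOMIZE/%2529%253C/script%253E'

def decode_stages(payload):
    """Percent-decode until the value stops changing. Index 0 is the wire
    form, the last entry the fully decoded form."""
    stages = [payload]
    while unquote(stages[-1]) != stages[-1]:
        stages.append(unquote(stages[-1]))
    return stages

def reflection_depth(payload, body):
    """Decode rounds the application applied before echoing `payload`:
    0 = echoed as sent, 1 = the framework's single decode (normal),
    2 = decoded again by the application. None if not reflected at all."""
    for depth, stage in reversed(list(enumerate(decode_stages(payload)))):
        if stage in body:
            return depth
    return None

def unescaped_reflection(payload, body):
    """The reflected stage whose markup characters survive verbatim (what a
    reflected-XSS check flags), or None if every echoed stage is still
    percent-encoded or HTML-escaped."""
    for stage in reversed(decode_stages(payload)):
        if stage in body and any(ch in stage for ch in '<>"'):
            return stage
    return None

# Three hypothetical handlers; the framework has already percent-decoded the
# query string once before any of them sees `param`.
def handler_reflects(param):        # plain reflection bug
    return '<p>You searched for: %s</p>' % param
def handler_decodes_again(param):   # double-decoding bug
    return '<p>You searched for: %s</p>' % unquote(param)
def handler_escapes(param):         # mitigation: decode once, escape on output
    return '<p>You searched for: %s</p>' % escape(param, quote=True)

def probe(handler, payload):
    """Deliver `payload` as it travels on the wire and report
    (decode depth, reflected stage with live markup or None)."""
    body = handler(unquote(payload))
    return reflection_depth(payload, body), unescaped_reflection(payload, body)
```

The double-encoded string only lights up against the handler that decodes a second time, which is why a single-encoded test alone misses that bug.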