Hello,

Taras, thanks for citing me, I feel proud :)

Now back to serious business. When I wrote that email about mod_rewrite and variations I was thinking of Acunetix as well, because that is where I got the idea from (and the term 'variation').

Now, I personally think that Andres is exaggerating a little here, saying that id=1...100 could be of a certain type and id=1 would be of a different type, like command execution. I think there is a very, very small probability of that, but I can understand him, trying to make w3af perfect.

If, however, he would like to cover such a case, I would do something like this: a manual discovery of the application by the pentester (yes, I mean manually browsing the website), and if the pentester notices something interesting, he could somehow change the behaviour of w3af, telling it which links to follow and which not to follow... Yes, I know you're going to say how can he follow 100 links...? But there is still a probability that something will catch his eye...

Anyway, in the 'default' way I would do it like Acunetix and probably add some adjustments like the one above...

Thanks,
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
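The 'variation' idea discussed in this thread (collapsing id=1...100 into one request the scanner actually tests, while letting the pentester force extra links through) can be sketched in a few lines. The code below is an added example written for this discussion; it is not w3af's or Acunetix's own code, and the grouping key (scheme, host, path and the sorted set of parameter names) and the `must_follow` list are my assumptions about how such a feature might look.

```python
from urllib.parse import urlsplit, parse_qsl


def variation_key(url):
    """Two URLs are the same 'variation' when they share scheme, host, path and
    the same set of parameter names; the parameter *values* are ignored.
    This is an assumed definition of 'variation', not a vendor's."""
    parts = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.scheme, parts.netloc, parts.path, names)


def variation_groups(urls):
    """Map each variation key to the list of discovered URLs that belong to it,
    so a report can show how many links were collapsed into each test."""
    groups = {}
    for url in urls:
        groups.setdefault(variation_key(url), []).append(url)
    return groups


def select_for_testing(urls, must_follow=()):
    """Default behaviour: test only the first URL seen per variation.
    `must_follow` lets the pentester add links that caught their eye during
    manual browsing, even if their variation is already covered."""
    selected = []
    seen = set()
    for url in urls:
        key = variation_key(url)
        if key not in seen:
            seen.add(key)
            selected.append(url)
    for url in must_follow:
        if url not in selected:
            selected.append(url)
    return selected


# Constructed sample crawl: 100 product links that differ only in id, one
# product link with an extra parameter, and a couple of unrelated pages.
SAMPLE_URLS = (
    [f"http://example.test/product.php?id={i}" for i in range(1, 101)]
    + ["http://example.test/product.php?id=7&preview=1",
       "http://example.test/about.html",
       "http://example.test/search.php?q=shoes",
       "http://example.test/search.php?q=hats"]
)

if __name__ == "__main__":
    for key, members in variation_groups(SAMPLE_URLS).items():
        print(f"{key[2]} params={key[3]}: {len(members)} link(s) -> testing {members[0]}")
    # The pentester spotted something odd about id=42 while browsing and wants it kept.
    print(select_for_testing(SAMPLE_URLS, must_follow=["http://example.test/product.php?id=42"]))
```

With the default policy the 104 discovered links reduce to four requests (one per variation); adding a `must_follow` entry brings a single id=42 back without reopening the other 98, which is roughly the compromise described above.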