Stephan,

On Wed, Feb 10, 2010 at 11:49 AM, Debelle, Stephan
<[email protected]> wrote:
> Andres,
>
> That sounds like a good idea but wouldn't the char limitation prevent the 
> input of the full error?

    Good point... this might be a problem. I'll have to solve it in
some way. In most cases users doing this won't notice the issue, since
the longest error I have is "the used select statements have different
number of columns" (59 chars) plus the hashtag and everything we get
87 chars:

>>> len('#w3af_contest SQL_INJECTION the used select statements have different number of columns')
87
>>> len('the used select statements have different number of columns')
59

    Another problem that a friend told me offline is: "What if somebody
sends something in a language that you don't understand, and claims
that it's a SQL injection error?" I'm not 100% sure about the
solution... but... do you guys think that doing a Google search for
the error string and analyzing the result would be enough?

Cheers,

> Stephan
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Andres Riancho
> Sent: Wednesday, February 10, 2010 7:51 AM
> To: [email protected]
> Subject: [W3af-users] Web application error contest
>
> List,
>
>    I've been thinking about innovative ways to get my hands on more error 
> messages, and after some thinking I decided to let you guys know about my 
> idea with the objective of getting criticism and feedback:
>
> - As you guys know, many of the plugins depend on detecting error messages. 
> For example, the SQL injection detection simply sends d'z"0 to each 
> parameter, and if the response matches against the regular expression "You 
> have an error in your SQL syntax" then you have a SQL injection.
>
> - The power of most of those plugins resides in having a BIG and complete 
> database.
>
> - Collecting new database entries is difficult
>
> - The community should have an easy way to contribute
>
> - I thought about running a contest where players are going to send new error 
> messages using twitter. The format of the messages should be something like 
> "#w3af_error_contest SQL INJECTION <error_message_here>". I would create a 
> small script to read from twitter and keep track of who is winning (the guy 
> that sent the most error messages).
>
> - In order to avoid cheating, if a user submits an error message that is 
> already in w3af or was submitted by another user: you get no points.
>
> - The winner gets some decent amount of money via paypal (200USD ?)
>
>    If the contest is a success, it will also be good marketing for the w3af 
> project, as many users will be tweeting about w3af! What do you guys think? 
> Any new ideas, feedback?
>
> Cheers,
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, 
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW 
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
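As an added example, not code from this thread or from the w3af project, here is the kind of scoring script Andres sketches: it parses the "#w3af_error_contest SQL INJECTION <error_message_here>" format, gives no points for an error that is already in w3af or was already submitted by anyone, tallies points per user, and reports how many characters a submission needs, which is the limit Stephan raised. The regex, the whitespace/case normalisation used for duplicate detection and the sample tweets are assumptions made for the example.

```python
import re
from collections import Counter

TAG = "#w3af_error_contest"
CATEGORIES = ("SQL INJECTION",)  # only class named in the thread; extend as needed

_SUBMISSION = re.compile(
    rf"^{re.escape(TAG)}\s+(?P<vuln>{'|'.join(map(re.escape, CATEGORIES))})\s+(?P<err>.+)$",
    re.DOTALL,
)

def normalize(error):
    return " ".join(error.split()).lower()  # whitespace/case variants dedupe together

def parse_submission(text):
    # (vuln, error) for a well-formed contest tweet, else None
    m = _SUBMISSION.match(text.strip())
    return (m.group("vuln"), m.group("err").strip()) if m else None

def submission_length(vuln, error):
    # characters the full tweet needs: tag, class and message
    return len(f"{TAG} {vuln} {error}")

def score(tweets, known_errors):
    # one point per new error; duplicates of w3af's db or of earlier tweets score nothing
    seen = {normalize(e) for e in known_errors}
    scores, accepted = Counter(), []
    for user, text in tweets:
        parsed = parse_submission(text)
        if parsed is None:
            continue  # not a submission at all
        vuln, error = parsed
        key = normalize(error)
        if key in seen:
            continue  # duplicate: no points
        seen.add(key)
        scores[user] += 1
        accepted.append((vuln, error))
    return scores, accepted

# Constructed sample data (not real submissions); one error is already in w3af.
KNOWN_ERRORS = {"You have an error in your SQL syntax"}
TWEETS = [
    ("alice", f"{TAG} SQL INJECTION You have an error in your SQL syntax"),
    ("alice", f"{TAG} SQL INJECTION the used select statements have different number of columns"),
    ("bob", f"{TAG} SQL INJECTION The used SELECT statements have  different number of columns"),
    ("bob", f"{TAG} SQL INJECTION unclosed quotation mark after the character string"),
    ("carol", "heard about #w3af_error_contest, nice idea"),
]
```

`score(TWEETS, KNOWN_ERRORS)` returns the leaderboard Counter plus the new (class, message) pairs worth adding to the database.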
