I believe some profiles also have been suspended for "suspicious" activities, not sure if having such errors/SQL injection code would trigger a flag with twitter?
-----Original Message-----
From: Andres Riancho [mailto:[email protected]]
Sent: Wednesday, February 10, 2010 10:07 AM
To: Debelle, Stephan
Cc: [email protected]
Subject: Re: [W3af-users] Web application error contest

Stephan,

On Wed, Feb 10, 2010 at 11:49 AM, Debelle, Stephan <[email protected]> wrote:
> Andres,
>
> That sounds like a good idea but wouldn't the char limitation prevent the
> input of the full error?

Good point... this might be a problem. I'll have to solve it in some way. In most cases users doing this won't notice the issue, since the longest error I have is "the used select statements have different number of columns" (59 chars) plus the hashtag and everything we get 87 chars:

>>> len('#w3af_contest SQL_INJECTION the used select statements have different number of columns')
87
>>> len('the used select statements have different number of columns')
59

Another problem that a friend told offline is: "What if somebody sends something in a language that you don't understand, and claims that it's a sql injection error?". I'm not 100% sure about the solution... but... do you guys think that doing a Google search for the error string and analyzing the result would be enough?

Cheers,

> Stephan
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Andres
> Riancho
> Sent: Wednesday, February 10, 2010 7:51 AM
> To: [email protected]
> Subject: [W3af-users] Web application error contest
>
> List,
>
> I've been thinking about innovative ways to get my hands on more error
> messages, and after some thinking I decided to let you guys know about my
> idea with the objective of getting criticism and feedback:
>
> - As you guys know, many of the plugins depend on detecting error messages.
> For example, the SQL injection detection simply sends d'z"0 to each
> parameter, and if the response matches against the regular expression "You
> have an error in your SQL syntax" then you have a SQL injection.
>
> - The power of most of those plugins resides in having a BIG and complete
> database.
>
> - Collecting new database entries is difficult
>
> - The community should have an easy way to contribute
>
> - I thought about running a contest where players are going to send new error
> messages using twitter. The format of the messages should be something like
> "#w3af_error_contest SQL INJECTION <error_message_here>". I would create a
> small script to read from twitter and keep track of who is winning (the guy
> that sent more error messages).
>
> - In order to avoid cheating, if a user submits an error message that is
> already in w3af or was submitted by another user: you get no points.
>
> - The winner gets some decent amount of money via paypal (200USD ?)
>
> If the contest is a success, it will also be good marketing for the w3af
> project, as many users will be tweeting about w3af! What do you guys think?
> Any new ideas, feedback?
>
> Cheers,
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features
> such as DTrace, Predictive Self Healing and Award Winning ZFS. Get
> Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
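The two mechanisms discussed in the thread, matching responses against a database of error signatures and scoring contest tweets so that duplicates earn nothing, as an added example that is not part of the original posts or of w3af itself. The error database, the sample tweets and the user names are constructed; the tweet format and the 140-character limit follow the thread.

```python
import re
from collections import Counter

# Constructed stand-in for w3af's error-message database (the real one is
# far larger); every entry is used as a case-insensitive signature.
KNOWN_SQL_ERRORS = [
    "You have an error in your SQL syntax",
    "the used select statements have different number of columns",
]
HASHTAG = "#w3af_error_contest"
TWEET_LIMIT = 140  # Twitter's character limit when the contest was proposed

# Contest format from the thread: "#w3af_error_contest SQL INJECTION <error>"
TWEET_RE = re.compile(
    r"^\s*" + re.escape(HASHTAG) + r"\s+SQL INJECTION\s+(?P<msg>.+?)\s*$", re.I)


def normalize(msg):
    """Collapse whitespace and case so a trivially reworded copy is still a duplicate."""
    return " ".join(msg.split()).lower()


def format_tweet(error):
    """Build the contest tweet and report whether it fits the length limit."""
    tweet = "%s SQL INJECTION %s" % (HASHTAG, error)
    return tweet, len(tweet) <= TWEET_LIMIT


def score_tweets(tweets, known=KNOWN_SQL_ERRORS):
    """One point per genuinely new error; anything already in the database or
    already sent by another user scores nothing. Returns (points, accepted)."""
    seen = set(normalize(e) for e in known)
    points, accepted = Counter(), []
    for user, text in tweets:
        m = TWEET_RE.match(text)
        if not m:
            continue  # not in contest format, ignore
        msg = normalize(m.group("msg"))
        if msg in seen:
            continue  # duplicate: no points, as the thread proposes
        seen.add(msg)
        points[user] += 1
        accepted.append(m.group("msg").strip())
    return points, accepted


def matches_known_error(body, errors=KNOWN_SQL_ERRORS):
    """Detection side: return the first signature found in a response body, else None."""
    for e in errors:
        if re.search(re.escape(e), body, re.I):
            return e
    return None
```

Every accepted message becomes a new signature for matches_known_error, which is the link the thread draws between the contest and the plugins' detection power.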
