Maybe session identifiers in URLs (usually when cookies are off)? For example:
- jsessionid
- phpsessid

Just my 2 cts...

On 17/02/10 13:28, Andres Riancho wrote:
List,

    I'm trying to improve the framework's performance by setting up a
list of parameter names that should *never* be fuzzed. Most of the
parameters I have in the list are related to different implementations
of view state, which will never have a "SQL Injection"
vulnerability. So... this is the list for now:

IGNORED_PARAMETERS = ['__EVENTTARGET', '__EVENTARGUMENT',
                      '__VIEWSTATE', '__VIEWSTATEENCRYPTED',
                      '__EVENTVALIDATION', '__dnnVariable',
                      'javax.faces.ViewState', 'jsf_state_64',
                      'jsf_sequence', 'jsf_tree', 'jsf_tree_64',
                      'jsf_viewid', 'jsf_state']

    Can somebody think about other parameter names that I should add
to the list? If so, please send them in response to this message with
a small explanation of what they came from.

    Thanks!

Cheers,
  

--

Marcos Orallo Rodríguez
R&D Laboratory
eConfianza / INTECO-CERT / Dirección de Programas
Instituto Nacional de Tecnologías de la Comunicación (INTECO)
Tel. +34 987 877 189 (Ext. 5019)
www.inteco.es




This message including any attachments may contain confidential information, within the framework of the corporate Security Management System.

If you are not the intended recipient, please notify the sender and delete this message without forwarding or retaining a copy, since any unauthorized use is strictly prohibited by law.
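As an added example (not w3af's own code), here is how the two ideas in this thread combine into one skip rule: the view-state names from the quoted list plus URL-carried session identifiers. The URL layout and the function names are my own assumptions for illustration; note that jsessionid often travels as a path parameter (";jsessionid=...") rather than in the query string.

```python
from urllib.parse import urlsplit, parse_qsl

# View-state carriers from the quoted message: never worth fuzzing.
IGNORED_PARAMETERS = {
    '__EVENTTARGET', '__EVENTARGUMENT', '__VIEWSTATE', '__VIEWSTATEENCRYPTED',
    '__EVENTVALIDATION', '__dnnVariable', 'javax.faces.ViewState', 'jsf_state_64',
    'jsf_sequence', 'jsf_tree', 'jsf_tree_64', 'jsf_viewid', 'jsf_state',
}

# Session identifiers carried in the URL when cookies are off (the reply's
# suggestion). Servers accept them case-insensitively, so compare lowercased.
SESSION_ID_PARAMETERS = {'jsessionid', 'phpsessid'}


def should_fuzz(name: str) -> bool:
    """Return True if a parameter is worth sending test payloads to."""
    if name in IGNORED_PARAMETERS:
        return False
    return name.lower() not in SESSION_ID_PARAMETERS


def fuzzable_parameters(url: str) -> list:
    """Return the (name, value) pairs of a URL that a scanner should fuzz.

    Handles the Java servlet convention of a session id as a path parameter
    ('/app/page;jsessionid=...') as well as ordinary query parameters.
    Assumed helper, not part of w3af.
    """
    parts = urlsplit(url)
    params = []
    # Path parameters: every ';name=value' chunk after the path proper.
    if ';' in parts.path:
        for segment in parts.path.split(';')[1:]:
            name, _, value = segment.partition('=')
            params.append((name, value))
    params.extend(parse_qsl(parts.query, keep_blank_values=True))
    return [(n, v) for n, v in params if should_fuzz(n)]


if __name__ == '__main__':
    # Constructed sample URL: only 'id' should survive the filter.
    sample = 'http://example.test/app/page;jsessionid=ABC123?id=7&__VIEWSTATE=xyz&PHPSESSID=q'
    print(fuzzable_parameters(sample))  # [('id', '7')]
```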



_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
