Marcos,

On Wed, Feb 17, 2010 at 10:07 AM, Marcos Orallo Rodríguez <[email protected]> wrote:
> Maybe session identifiers in URLs (usually when cookies are off)? For
> example:
> - jsessionid
> - phpsessid
>
Sure! I'm adding those two to the list. Thanks!
> Just my 2 cts...
>
> On 17/02/10 13:28, Andres Riancho wrote:
>
> List,
>
> I'm trying to improve the framework's performance by setting up a
> list of parameter names that should *never* be fuzzed. Most of the
> parameters I have in the list are related to different implementations
> of view state, which will never have a "SQL Injection"
> vulnerability. So... this is the list for now:
>
> IGNORED_PARAMETERS = ['__EVENTTARGET', '__EVENTARGUMENT',
> '__VIEWSTATE', '__VIEWSTATEENCRYPTED',
> '__EVENTVALIDATION',
> '__dnnVariable', 'javax.faces.ViewState',
> 'jsf_state_64',
> 'jsf_sequence', 'jsf_tree', 'jsf_tree_64',
> 'jsf_viewid', 'jsf_state']
>
> Can somebody think of other parameter names that I should add
> to the list? If so, please send them in response to this message with
> a small explanation of where they came from.
>
> Thanks!
>
> Cheers,
>
>
>
> --
> ------------------------------
>
> *Marcos Orallo Rodríguez*
> Laboratorio I+D
> eConfianza / INTECO-CERT / Dirección de Programas
> *Instituto Nacional de Tecnologías de la Comunicación (INTECO)*
> Tel. +34 987 877 189 (Ext. 5019)
> www.inteco.es
> ------------------------------
>
> This message including any attachments may contain confidential
> information, within the framework of the corporate Security Management
> System.
>
> If you are not the intended recipient, please notify the sender and delete
> this message without forwarding or retaining a copy, since any unauthorized
> use is strictly prohibited by law.
> ------------------------------
>
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
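As an added example (not w3af's own code, and not from either poster), here is a small helper that applies the ignore list from the thread, extended with the two session identifiers, as a case-insensitive filter over a request's parameters; it also recognises the `;jsessionid=` path-parameter form that servlet containers use when cookies are off. The function and constant names are my own assumptions.

```python
# Added example (not w3af's code): filter a URL's parameters down to the ones
# worth fuzzing, skipping view-state and session-id names from the thread.
from urllib.parse import urlsplit, parse_qsl

# Andres' list plus the two session identifiers Marcos suggested. Matched
# case-insensitively because servers are inconsistent (PHPSESSID vs phpsessid).
IGNORED_PARAMETERS = {
    '__EVENTTARGET', '__EVENTARGUMENT', '__VIEWSTATE', '__VIEWSTATEENCRYPTED',
    '__EVENTVALIDATION', '__dnnVariable', 'javax.faces.ViewState',
    'jsf_state_64', 'jsf_sequence', 'jsf_tree', 'jsf_tree_64', 'jsf_viewid',
    'jsf_state', 'jsessionid', 'phpsessid',
}
_IGNORED_LOWER = {name.lower() for name in IGNORED_PARAMETERS}


def is_ignored(name):
    """True if a parameter with this name should never be fuzzed."""
    return name.lower() in _IGNORED_LOWER


def fuzzable_parameters(url):
    """Return [(name, value), ...] for the parameters of url that are worth
    fuzzing. Servlet containers may carry the session id as a path parameter
    (';jsessionid=...' on the last path segment), so that form is parsed and
    dropped as well as ordinary query-string parameters."""
    parts = urlsplit(url)
    # Path parameters: everything after the first ';' in the path.
    matrix = parts.path.partition(';')[2]
    params = []
    for chunk in matrix.split(';'):
        if '=' in chunk:
            params.append(tuple(chunk.split('=', 1)))
    # keep_blank_values=True so an empty parameter (b=) is still fuzzed.
    params.extend(parse_qsl(parts.query, keep_blank_values=True))
    return [(n, v) for n, v in params if not is_ignored(n)]


if __name__ == '__main__':
    # Constructed sample URL, not taken from any real site.
    print(fuzzable_parameters(
        'http://example.com/app/list;jsessionid=ABC123?__VIEWSTATE=dDw&id=5'))
```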