Hey Daniel,

That's a bug. It's because the export method of the fuzzable request does not correctly handle repeated parameter names.
In Python a list is represented as [somevalue, anothervalue]. The brackets will be encoded as %5B and %5D.

cheers
floyd

________________________________
From: Daniel Gaddis <[email protected]>
To: Andres Riancho <[email protected]>
CC: "[email protected]" <[email protected]>
Sent: Wednesday, 26 May 2010, 17:11:21
Subject: [W3af-users] misc-settings exportFuzzableRequests importResults plugin issue

Why do requests get modified when written to the exportFuzzableRequests file?

For example the following original request...

http://www.test.senate.state.tx.us/avarchive/ramav.php?ram=00003740

...gets written to the exportFuzzableRequests file as:

http://www.test.senate.state.tx.us/avarchive/ramav.php?ram=%5B%2700003740%27%5D

While that may not appear to be too big of a deal, the real issue comes into play when using that exportFuzzableRequests file as the discovery for a subsequent audit. The original throws a SQL injection issue. The latter does not.

As a workaround I can do a search and replace for the %5B%27 and %27%5D strings in the exportFuzzableRequests file to revert back to what the original was, but is there a w3af config setting so that the requests written to the exportFuzzableRequests file remain exactly like the original without the added encoded characters?

I am running w3af-1.0-rc3 (version 1.1 revision 3460) on Windows.

Thanks,
Daniel
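
Added example (not part of the original thread and not w3af's own code): a Python 3 sketch of the behaviour described above, where a parameter stored as a list of values is stringified before URL encoding, next to an export that writes one pair per value and a repair routine for files that were already exported. The function names and the example.test host are assumptions made for illustration.

```python
import ast
from urllib.parse import parse_qs, parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Constructed sample URL; only the parameter name and value come from the thread.
SAMPLE = "http://example.test/ramav.php?ram=00003740"

def export_buggy(url):
    """Reproduce the symptom: each value list is str()'d before encoding."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # name -> [values]
    query = "&".join(f"{quote(k)}={quote(str(v), safe='')}"
                     for k, v in params.items())
    return urlunsplit(parts._replace(query=query))

def export_fixed(url):
    """Emit one name=value pair per list element, so repeated names survive."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))

def repair_exported(url):
    """Undo the list repr in an already exported URL."""
    parts = urlsplit(url)
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        values = [value]
        if value.startswith("[") and value.endswith("]"):
            try:
                parsed = ast.literal_eval(value)  # parses literals only, runs no code
                if isinstance(parsed, list) and all(isinstance(x, str) for x in parsed):
                    values = parsed
            except (ValueError, SyntaxError, TypeError, RecursionError, MemoryError):
                pass  # not a list repr; keep the value untouched
        pairs.extend((name, v) for v in values)
    return urlunsplit(parts._replace(query=urlencode(pairs)))

if __name__ == "__main__":
    broken = export_buggy(SAMPLE)
    for label, out in (("buggy", broken), ("fixed", export_fixed(SAMPLE)),
                       ("repaired", repair_exported(broken))):
        print(f"{label:9}{out}")
```

The repair routine also rewrites a parameter whose real value happens to look like a Python list of strings, so compare the repaired file against the original crawl before using it as input for an audit.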
