List,

The plugins implement some things such as sending raw payloads (w3af will never send %80 or an ASCII control character without URL encoding). Additionally, it can change parameter names (see example below).

I think it should be possible to have such features in the core in the future. But that simply needs some time (we have enough other work to do right now). What I miss most right now is that as a plugin developer I cannot 100% control my payloads [1].

Of course you are interested in what my plugins found so far. One of the best things is that it is able to change a parameter name. E.g. http://example.com/a.php?id=1 becomes http://example.com/a.php?id[0]=1. In my tested applications, PHP and Java (Struts) will then interpret the parameter "id" as an array instead of a string. This often produces PHP errors/Java stack traces.

Another thing was simply sending %80%81%82...%EF%FF. A standard PHP/MySQL setup often returns an error message [2] then.

To add an "optional / advanced" plugin type is a nice idea. The wiki thing is a good idea as well.

List, it would be interesting to hear what you think.

cheers
floyd

[1] http://sourceforge.net/apps/trac/w3af/ticket/160127

[2] <h1>ERROR - database error.</h1> <p>Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='</p> <p> SELECT id, name, mail, password, rank, activate FROM users WHERE name = ...

-----
http://www.floyd.ch

----- Original Message ----
From: Andres Riancho <[email protected]>
To: [email protected]
CC: Floyd Fuh <[email protected]>
Sent: Monday, 18 October 2010, 18:36:57
Subject: [W3af-users] Optional plugins

List,

With Floyd developing some plugins that are really cool [0] but might not be ready for the whole community to use regularly, I thought that it might be a good idea to have a page inside the wiki where advanced users could upload their "optional plugins" and users could comment on them, add their experiences, read how the original developer uses it, etc.

What do you guys think? Is the wiki the place to do this? Should we add an "optional / advanced" plugin type?
[0] https://sourceforge.net/apps/trac/w3af/ticket/160094

Regards,
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
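Added example (not part of the thread and not w3af's code): a small server-side validator in Python, written from the defender's side of what Floyd describes. It emulates only the PHP parsing behaviour the thread relies on (a bracketed name such as id[0] arrives as an array; this emulation and the hand-written schema are assumptions) and rejects array-typed parameters, raw %80..%FF bytes and control characters up front, so the application returns a clean error instead of the stack trace or database error quoted in [2].

```python
# Added example (not w3af code): server-side validation of PHP-style query
# strings. Assumption (not from the thread): only the PHP behaviour that
# matters here is emulated (a bracketed name such as id[0] arrives as an
# array); the schema is hand-written for the example.
import re
from urllib.parse import unquote_to_bytes

NAME_RE = re.compile(rb"^([^\[]+)(\[.*\])?$")  # base name + optional [...]


def parse_php_style(query: bytes) -> dict:
    """Map base name -> [(is_array, raw_bytes), ...]; bytes keep %80 intact."""
    params: dict = {}
    for pair in query.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        m = NAME_RE.match(unquote_to_bytes(key))
        if m:
            base = m.group(1).decode("latin-1")
            entry = (m.group(2) is not None, unquote_to_bytes(value))
            params.setdefault(base, []).append(entry)
    return params


def validate(query: bytes, schema: dict) -> list:
    """Return problems; empty means OK. schema: name -> "int" | "str" (scalars)."""
    problems = []
    for name, entries in parse_php_style(query).items():
        kind = schema.get(name)
        if kind is None:
            problems.append(f"{name}: unexpected parameter")
            continue
        for is_array, raw in entries:
            if is_array:  # id[0]=1: the array-for-string confusion
                problems.append(f"{name}: array received where a scalar was expected")
                continue
            try:
                text = raw.decode("utf-8")  # raw %80..%FF bytes fail here
            except UnicodeDecodeError:
                problems.append(f"{name}: value is not valid UTF-8")
                continue
            if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
                problems.append(f"{name}: control character in value")
            elif kind == "int" and not text.isdigit():
                problems.append(f"{name}: expected an integer")
    return problems
```

Run the validator on the raw query string before any value reaches the database layer; a non-empty list should map to a 400 response with a generic message rather than the server's own error text.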
