List,
Just wanted to comment something really wierd that appeared today
in a w3af bug report that was sent after a crash. The last lines of
the traceback read:
"""
File "/pentest/web/w3af/core/data/dc/form.py", line 316, in _getSamplePaths
for path in rand.sample(xrange(variants_total),
OverflowError: long int too large to convert to int
"""
After some google searches I found out that Python's xrange()
function has a bug when you call it with EXTRA LONG numbers:
"""
>>> xrange(10)
xrange(10)
>>> xrange(10**15)
xrange(1000000000000000)
>>> xrange(10**25)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OverflowError: long int too large to convert to int
"""
If we put that into context, it means that w3af was scanning a
website that has at least 1000000000000000000 variants. For those who
haven't been reading the code, a form variant is a way of filling a
form. For example, the following form has 1 variant:
"""
<form>
<input type="text" name="foo"></input>
</form>
"""
This form has 3 variants:
"""
<form>
<input type="text" name="foo"></input>
<select>
<option value="volvo">Volvo</option>
<option value="mercedes">Mercedes</option>
<option value="audi">Audi</option>
</select>
</form>
"""
And this form has 12:
"""
<form>
<input type="text" name="foo"></input>
<select>
<option value="volvo">Volvo</option>
<option value="mercedes">Mercedes</option>
<option value="audi">Audi</option>
</select>
<select>
<option value="blue">blue</option>
<option value="red">red</option>
<option value="black">black</option>
<option value="green">green</option>
</select>
</form>
"""
So... now you should understand why I'm impressed about this web
application that has the IMPRESSIVE number of 1000000000000000000
variants !
The other option, of course, is for w3af to have a bug in that
piece of code... but I don't seem to be able to identify it in a
couple of minutes. (also, I would rather believe about a monster web
application that's here to take over control of the world).
What do you guys think? Amazing reality of simply a bug?
Regards,
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world?
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
