Carlos,

On Wed, Jun 8, 2011 at 11:18 AM, Carlos Pantelides
<[email protected]> wrote:
> Hello:
>
> Hope this is the correct list.

    It is the correct list :)

> When running w3af against a Wicket application, w3af detects a "strange parameter".
>
>
> The URI: 
> "https://www.DOMAIN.com/?wicket:bookmarkablePage=:com.DOMAIN.SUBDOMAIN.web.pages.SignInPage&wicket:interface=:0:signInForm::IFormSubmitListener::;
> jsessionid=7AC76A46A86BBC3F5253E374241BC892" has a parameter named: 
> "wicket:interface" with value: ":0:signInForm::IFormSubmitListener::", which 
> is quite odd. This information
> was found in the request with id 1.
>
> Yes, it's quite odd, but not for Wicket. I have neither the time nor 
> the knowledge to offer a fix for this false positive; I can only raise the 
> warning.

    Hmmmm, interesting! I just applied a fix for this false positive
in plugins/grep/strangeParameters.py :

'''
...
        if 'wicket:' in parameter:
            #
            #   The wicket framework uses, by default, strange URLs like this:
            #
            #   https://www.DOMAIN.com/?wicket:bookmarkablePage=:com.DOMAIN.SUBDOMAIN.web.pages.SignInPage
            #   &wicket:interface=:0:signInForm::IFormSubmitListener::;jsessionid=7AC76A46A86BBC3F5253E374241BC892
            #
            #   Which are strange in all cases, except from wicket!
            #
            return False
'''

    You should see this change if you update to the latest version.

    Thanks for contributing! If you keep reporting things like this,
we'll keep fixing them until w3af works as expected for you and the
rest of the community :)

Regards,

>
> Carlos Pantelides
>
> -----------------
>
> http://seguridad-agile.blogspot.com/
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
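The check discussed in this thread, generalised into a stand-alone example (added here; this is not w3af's own code and not the patch Andrés applied): a small query-string scanner that flags parameter values containing characters outside a plain alphabet and skips parameter names carrying a framework prefix such as `wicket:`. The "ordinary value" alphabet and the `FRAMEWORK_PREFIXES` allowlist are assumptions for illustration, not w3af's real heuristic. The sample URL is the one from Carlos's report, with its DOMAIN placeholders. The scanner splits the query on `;` as well as `&`, which is how the report came to show `jsessionid` as a separate parameter, and it uses a prefix match rather than the substring test in the quoted patch, so a parameter that merely contains `wicket:` somewhere in its name is still inspected.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the URL from the report above (DOMAIN / SUBDOMAIN are
# the placeholders the reporter used, not real hosts).
WICKET_URL = (
    "https://www.DOMAIN.com/?wicket:bookmarkablePage=:com.DOMAIN.SUBDOMAIN.web.pages.SignInPage"
    "&wicket:interface=:0:signInForm::IFormSubmitListener::"
    ";jsessionid=7AC76A46A86BBC3F5253E374241BC892"
)

# Hypothetical heuristic: a value made only of these characters is ordinary;
# anything else (':' '/' '|' '{' ...) is reported as "strange".
_ORDINARY_VALUE = re.compile(r"^[A-Za-z0-9 _.,@+-]*$")

# Parameter-name prefixes that frameworks emit by design. Matched as a prefix,
# not as a substring, so 'xwicket:foo' is still inspected.
FRAMEWORK_PREFIXES = ("wicket:",)


def split_query(url):
    """Return (name, value) pairs from the URL's query string.

    Splits on both '&' and ';' (legacy cgi/urlparse behaviour), which is why
    the jsessionid in the report showed up as a parameter of its own.
    """
    query = urlsplit(url).query
    pairs = []
    for chunk in re.split(r"[&;]", query):
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        pairs.append((unquote(name), unquote(value) if sep else ""))
    return pairs


def is_framework_parameter(name):
    """True when the parameter name is one a known framework generates."""
    return name.startswith(FRAMEWORK_PREFIXES)


def is_strange_value(value):
    """True when the value contains characters outside the ordinary alphabet."""
    return _ORDINARY_VALUE.match(value) is None


def find_strange_parameters(url, ignore_framework=True):
    """Return the [(name, value)] pairs a grep-style plugin would report.

    With ignore_framework=True, framework-prefixed names are skipped, which
    is the false-positive fix for Wicket's ':0:signInForm::...' values.
    """
    findings = []
    for name, value in split_query(url):
        if ignore_framework and is_framework_parameter(name):
            continue
        if is_strange_value(value):
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    print("without allowlist:", find_strange_parameters(WICKET_URL, ignore_framework=False))
    print("with allowlist:   ", find_strange_parameters(WICKET_URL))
```

Run without the allowlist, both Wicket parameters are reported because their values are full of colons; with the allowlist they are skipped while `jsessionid`, whose hex value is ordinary, was never a finding. A non-framework parameter with a colon-laden value is still reported.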
