Carlos,
On Thu, Jun 9, 2011 at 3:31 PM, Carlos Pantelides
<[email protected]> wrote:
>>
>> You should see this change if you update to the latest version.
>>
>
> Last version works fine.
Great!
> I successfully added a rule to pykto:
>
> [plugins/discovery/pykto/scan_database.db]
> "generic","/","wicket","GET","Wicket found."
That rule is very generic, and would trigger lots of false
positives in websites that don't USE wicket, but talk about it.
> but it shows as a vulnerability and I only want to report it.
>
> Please give me a hint about how I can add this kind of check. A short
> paragraph.
For playing around with the framework, the best option you've got
is grep plugins. Just copy the "ajax.py" file in the same directory
(under a new name) and change the regular expressions and/or XPath
expressions that match against the HTTP responses. If you find a
match, you can save an information object (info.info) to the knowledge
base, send an email, run a command, etc. Anything that Python can do.
> Keep in mind that later I could add a few more framework detection rules or
> scripts. I do not have enough spare time, so I can not go through all the
> w3af arq/dev intro that surely exists.
>
> Thank you
>
> Carlos Pantelides
>
> -----------------
>
> http://seguridad-agile.blogspot.com/
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
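
A stand-alone sketch of the check discussed in this thread, added here as an example; it is not part of the original messages and is not w3af code. It matches markers that Wicket itself emits instead of the bare word "wicket", and reports the result as information only. The function name, the finding dict, the marker list and the sample responses are assumptions constructed for illustration, and no w3af plugin API is used.

```python
import re

# Assumed Wicket fingerprints (not taken from the thread): strings the framework
# emits in markup and URLs, as opposed to the word "wicket" in page text.
WICKET_MARKERS = {
    "wicket:id attribute": re.compile(r"<[^>]+\swicket:id\s*=\s*[\"']", re.I),
    "wicket:interface URL": re.compile(r"[?&;]wicket:interface=", re.I),
    "bundled Wicket resource": re.compile(r"resources/org\.apache\.wicket\.[\w.$]+/", re.I),
    "Wicket AJAX call": re.compile(r"\bwicketAjax(?:Get|Post)\s*\(|\bWicket\.Ajax\b"),
}


def detect_wicket(url, headers, body):
    """Return an informational finding (dict), or None when no marker matches."""
    content_type = headers.get("Content-Type", "").lower()
    if "html" not in content_type and "javascript" not in content_type:
        return None  # binary or unrelated content: nothing to grep
    haystack = url + "\n" + body
    evidence = [name for name, rx in WICKET_MARKERS.items() if rx.search(haystack)]
    if not evidence:
        return None
    # Severity is "information": the framework was identified, nothing more.
    return {"severity": "information", "name": "Apache Wicket detected",
            "url": url, "evidence": evidence}


# Constructed sample responses (not captured from any real site).
HTML = {"Content-Type": "text/html; charset=UTF-8"}
BLOG_BODY = "<p>We compared Wicket, Struts and Tapestry for our project.</p>"
TUTORIAL_BODY = '<pre>&lt;span wicket:id="msg"&gt;hello&lt;/span&gt;</pre>'
APP_BODY = (
    '<a href="?wicket:interface=:0:link::ILinkListener::" wicket:id="link">next</a>'
    '<script src="resources/org.apache.wicket.ajax.WicketAjaxReference/'
    'wicket-ajax.js"></script>'
)

if __name__ == "__main__":
    for label, body in (("blog", BLOG_BODY), ("tutorial", TUTORIAL_BODY),
                        ("app", APP_BODY)):
        print(label, detect_wicket("http://example.test/" + label, HTML, body))
```

The blog and tutorial samples mention Wicket without running it and produce no finding, which is the false-positive case the generic rule would hit.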