Carlos,

    I love the way the plugin is written, and it perfectly achieves
its objectives; but (at least in my opinion) the objective is rather
weak. What I would love to see is this plugin not only identifying the
existence of wicket, but also something like the framework version, a
known vulnerability in the framework, or something similar.

    What do you think about that? Can it be achieved?

Regards,

On Thu, Jun 23, 2011 at 2:28 PM, Carlos Pantelides
<[email protected]> wrote:
> Andres:
>
> A working plugin/grep/wicket attached, please give some feedback and feel 
> free to add it to w3af if you like it.
>
>
> Carlos Pantelides
>
> -----------------
>
> http://seguridad-agile.blogspot.com/
>
>
> --- On Thu, 6/9/11, Andres Riancho <[email protected]> wrote:
>
>> From: Andres Riancho <[email protected]>
>> Subject: Re: [W3af-users] about wicket
>> To: "Carlos Pantelides" <[email protected]>
>> Cc: [email protected]
>> Date: Thursday, June 9, 2011, 3:44 PM
>> Carlos,
>>
>> On Thu, Jun 9, 2011 at 3:31 PM, Carlos Pantelides <[email protected]> wrote:
>> >>
>> >> You should see this change if you update to the latest version.
>> >>
>> >
>> > Last version works fine.
>>
>>     Great!
>>
>> > I added successfully a rule to pykto:
>> >
>> > [plugins/discovery/pykto/scan_database.db]
>> > "generic","/","wicket","GET","Wicket found."
>>
>>     That rule is very generic, and would trigger lots of false
>> positives in websites that don't USE wicket, but talk about it.
>>
>> > but it shows as a vulnerability and I only want to report it.
>> >
>> > Please give me a hint about how I can add this kind of check. A short paragraph.
>>
>>     For playing around with the framework, the best option you've got
>> is grep plugins. Just copy the "ajax.py" file in the same directory
>> (under a new name) and change the regular expressions and/or xpath
>> expressions that match against the HTTP responses. If you find a
>> match, you can save an information object (info.info) to the knowledge
>> base, send an email, run a command, etc. Anything that python can do.
>>
>> > Keep in mind that later I could add a few more frameworks detection
>> > rules or scripts. I do not have enough spare time, so I can not go
>> > through all the w3af arq/dev intro that surely exists.
>> >
>> > Thank you
>> >
>> > Carlos Pantelides
>> >
>> > -----------------
>> >
>> > http://seguridad-agile.blogspot.com/
>> >
>> > _______________________________________________
>> > W3af-users mailing list
>> > [email protected]
>> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
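
Added example, not part of the original thread and not the plugin attached to it: a standalone Python sketch of the false-positive point above, matching on structural markers in the response body instead of the bare word "wicket". The marker patterns are assumptions based on typical Wicket 1.x markup, and the function names and sample pages are constructed for illustration; no w3af API is used.

```python
import re

# Structural markers typical of Wicket 1.x output. Assumed for illustration;
# they are not taken from the plugin attached to the thread.
WICKET_MARKERS = {
    "wicket:id attribute": re.compile(r"<[^>]+\swicket:id\s*=\s*[\"']", re.I),
    "wicket:interface URL": re.compile(r"[?&;]wicket:interface=", re.I),
    "wicket:bookmarkablePage URL": re.compile(r"[?&;]wicket:bookmarkablePage=", re.I),
    "org.apache.wicket resource": re.compile(r"resources/org\.apache\.wicket\.[\w.$]+/"),
    "Wicket AJAX call": re.compile(r"\bwicketAjax(?:Get|Post)\s*\(|\bWicket\.Ajax\b"),
}

def naive_match(body):
    """The generic rule from the thread: the word appears anywhere."""
    return "wicket" in body.lower()

def detect_wicket(body):
    """Return the sorted names of structural markers found in a response body."""
    return sorted(name for name, rx in WICKET_MARKERS.items() if rx.search(body))

def classify(body):
    """'uses' if markup shows Wicket, 'mentions' if only the word, else 'absent'."""
    if detect_wicket(body):
        return "uses"
    return "mentions" if naive_match(body) else "absent"

# Constructed sample responses (not captured from any real site).
USES_WICKET = """<html><head>
<script src="resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js"></script>
</head><body>
<form wicket:id="loginForm" method="post"
      action="?wicket:interface=:0:loginForm::IFormSubmitListener::">
<input type="text" wicket:id="username" name="username"/>
</form></body></html>"""

MENTIONS_WICKET = """<html><body><h1>Framework comparison</h1>
<p>We evaluated Apache Wicket and Struts. Wicket templates use wicket:id attributes.</p>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("app", USES_WICKET), ("blog", MENTIONS_WICKET)):
        print(label, naive_match(body), classify(body), detect_wicket(body))
```

The list returned by `detect_wicket` is the evidence a grep-style check would attach to an informational finding, so the result is reported rather than flagged as a vulnerability.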
