Carlos,
Please read inline,
On Sat, Jun 25, 2011 at 12:59 PM, Carlos Pantelides
<[email protected]> wrote:
> Andres:
>
>> the objective is rather weak. What I would love to see
>> is this plugin not only identifying the existence of
>> wicket, but also something like the framework version,
>> a known vulnerability in the framework, or something
>> similar.
>
>> What do you think about that? Can it be
>> achieved?
>
> As far as I know, wicket could be CSRFed, but it is hard to do and even harder
> to detect. The forums lightly state that it is not possible, but I did it to
> an application of another team. I do not know if it was a
> misconfiguration/bad_practice problem or it is related to wicket itself, as
> the other team has neither evaluated nor fixed the issue yet. I will have to
> wait for their answer.
>
> Suppose it is an issue. How does the script report it? It is still a grep
> plugin, isn't it?
If it's an issue, the script could detect it through a grep plugin,
yes. The thing is... what happens if we write the plugin that
identifies wicket and states it's vulnerable to CSRF, and then they
fix it in wicket version X + 1. Then, and because our plugin is only
able to identify wicket, it will report a false positive for all new
wicket installs. So, we either need to identify (wicket,
wicket_version) and declare it vulnerable based on that information,
or identify wicket and try to find CSRF tokens and if it's not there
then it's vulnerable.
> Meanwhile, I am planning to write one to detect php's symfony framework
> presence and detect if a post form has CSRF protection deactivated (it's
> activated by default, but sometimes it gets in the way of inexpert
> programmers). I mention it to drive your answer to my questions.
I would love to have that check; it's actually what I was proposing
for wicket above: not only check for the framework, but also check for the
token/version :)
>
> About "rather weak":
>
> What is w3af's philosophy regarding "true negatives", like detecting a target
> without known vulnerabilities? How can a user tell that from w3af not
> knowing anything about the target?
The philosophy is: be as precise as possible, with the fewest
HTTP requests you can send.
> As an example, w3af detected that the application was running on top of
> apache tomcat version XXX (don't remember) from an error message and I
> had to browse OSVDB, NVD or something like those, I don't remember. It's ok
> with me. What is the difference from this case?
That's a good point, there is not much difference except for the
version number.
> Send me to w3af's documentation without hesitation if the answers are there,
> keep in mind that I am not lazy, I just have no time.
There is no doc about this, sorry.
> I have a very difficult exam next Monday, I won't see any mail until Tuesday,
> so answer me with no hurry! Please! You know, w3afing is more fun
> than studying!
Sorry, just got to this email today.
> Thank you
>
>
> Carlos Pantelides
>
> -----------------
>
> http://seguridad-agile.blogspot.com/
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
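The decision logic Andres sketches in the reply above (fingerprint the framework, then either match the (framework, version) pair against a table of known-bad versions or look for an anti-CSRF token in every POST form), written out as an added example. This is not w3af's own plugin code and not code from either poster. The framework fingerprints, the version-disclosure pattern, the token field-name pattern, the sample responses and the vulnerable-version table are all assumptions constructed for the illustration; the placeholder version "9.9.9" has no relation to any real Wicket release.

```python
"""Grep-style framework/CSRF check (added example, not w3af's own plugin).

Decision logic from the thread:
  1. fingerprint the framework in one HTTP response body;
  2. if a version is disclosed and listed as known-bad, report that;
  3. otherwise report every POST form that carries no CSRF token field.
A response in which no framework is recognised is reported as "not
identified", which is different from "identified, nothing flagged".
"""
import re
from html.parser import HTMLParser

# Assumed fingerprints: substrings that suggest a framework is in use.
FINGERPRINTS = {
    "wicket": re.compile(r"wicket-ajax\.js|wicket:interface=|wicket:id=", re.I),
    "symfony": re.compile(r"/sf/sf_default/", re.I),
}
# Assumed version-disclosure pattern (e.g. an error page echoing "Wicket 1.x.y").
VERSION_RE = {"wicket": re.compile(r"Wicket[ /](\d+(?:\.\d+)+)")}
# Hidden-input names that usually carry an anti-CSRF token (heuristic).
TOKEN_NAME = re.compile(r"csrf|xsrf|_token|authenticity_token|requestverificationtoken", re.I)


class FormCollector(HTMLParser):
    """Collect <form> elements and the <input> fields nested inside them."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # value-less attributes become ""
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def has_csrf_token(form):
    """True if the form carries a hidden field whose name looks like a token."""
    return any(i["type"] == "hidden" and TOKEN_NAME.search(i["name"])
               for i in form["inputs"])


def assess(response_body, vulnerable_versions):
    """Return {framework, version, status, findings} for one response body.

    vulnerable_versions: {framework: set(version strings)} known-bad table."""
    framework = next((name for name, rx in FINGERPRINTS.items()
                      if rx.search(response_body)), None)
    result = {"framework": framework, "version": None, "findings": []}
    if framework is None:
        result["status"] = "not identified"  # we know nothing, not "clean"
        return result

    rx = VERSION_RE.get(framework)
    m = rx.search(response_body) if rx else None
    if m:
        result["version"] = m.group(1)
        if m.group(1) in vulnerable_versions.get(framework, set()):
            result["findings"].append(f"{framework} {m.group(1)} is listed as vulnerable")

    collector = FormCollector()
    collector.feed(response_body)
    for form in collector.forms:
        if form["method"] == "post" and not has_csrf_token(form):
            result["findings"].append(f"POST form '{form['action']}' has no CSRF token field")

    result["status"] = "vulnerable" if result["findings"] else "identified, nothing flagged"
    return result


# Constructed sample responses (not captured from any real site).
WICKET_NO_TOKEN = """<html><head><script src="/wicket/resource/wicket-ajax.js"></script></head>
<body><form action="?wicket:interface=:0:form::IFormSubmitListener::" method="post">
<input type="text" name="user"><input type="submit"></form></body></html>"""

WICKET_LEAKED_VERSION = """<html><!-- Wicket 9.9.9-constructed --><script src="/wicket-ajax.js"></script>
<form action="/login" method="post"><input type="hidden" name="csrf_token" value="abc">
<input type="submit"></form></html>"""

SYMFONY_WITH_TOKEN = """<html><img src="/sf/sf_default/images/sfTLogo.png">
<form action="/post" method="post"><input type="hidden" name="_csrf_token" value="x">
<input type="submit"></form></html>"""

PLAIN_PAGE = "<html><form method='post' action='/x'><input name='q'></form></html>"

# Constructed known-bad table; "9.9.9" is a placeholder, not a real release.
CONSTRUCTED_VULN_TABLE = {"wicket": {"9.9.9"}}

if __name__ == "__main__":
    for body in (WICKET_NO_TOKEN, WICKET_LEAKED_VERSION, SYMFONY_WITH_TOKEN, PLAIN_PAGE):
        print(assess(body, CONSTRUCTED_VULN_TABLE))
```

The three-way status answers Carlos's "true negative" question directly: a page where no framework fingerprint matched is reported as not identified rather than as clean, and a fingerprinted framework with a fixed version and tokens present is reported as identified with nothing flagged. Because the version check and the token check are independent, a release that ships tokens by default stops producing the false positive Andres describes without the plugin having to know about that release.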