Carlos,

On Tue, Jul 19, 2011 at 8:20 AM, Carlos Pantelides
<[email protected]> wrote:
> Hello:
>
> I've been working on a symfony !csrf protection plugin. I owe you the 
> testing, next month I'll have some spare time to make it. Meanwhile, I want to
> share it with you.

    Great! Thanks again for contributing.

> Symfony has csrf protection activated by default in the forms, but sometimes 
> the devs disable it either by need or ignorance. The plugin first detects
> that it's symfony by means of a cookie. Then it scans every form and if it 
> does not find an input named *csrf*, reports it as a possible target.
>
> I'll appreciate any feedback.

    - From reading the plugin I understand that the symfony framework
will send a Set-Cookie in each HTTP response that contains a form. Is
that correct?
    - actions = form.xpath('//input[@id]') , I would call that inputs,
not actions.
    - def log(self, response, url, key,msg): is defined but never used?

Great job :) Where can I test this plugin?

>
> Carlos Pantelides
>
> -----------------
>
> http://seguridad-agile.blogspot.com/
> ------------------------------------------------------------------------------
> Magic Quadrant for Content-Aware Data Loss Prevention
> Research study explores the data loss prevention market. Includes in-depth
> analysis on the changes within the DLP market, and the criteria used to
> evaluate the strengths and weaknesses of these DLP solutions.
> http://www.accelacomm.com/jaw/sfnl/114/51385063/
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
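As an added illustration of the check the plugin performs (this is example code, not Carlos's plugin and not part of w3af), the snippet below detects symfony via a Set-Cookie header and then lists the forms that carry no input whose name contains "csrf". Inputs are collected per form rather than with a document-wide `//input` XPath, so a token in one form is not credited to another; the cookie name "symfony" and the sample HTML and headers are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie


class FormCollector(HTMLParser):
    """Collect every <form> together with the names of its own <input> children."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Only inputs nested in the open form count (per-form scope).
            self._current["inputs"].append(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_like_symfony(set_cookie_headers, cookie_names=("symfony",)):
    """Heuristic: assumed session cookie name set by symfony (an assumption)."""
    for header in set_cookie_headers:
        if any(name in SimpleCookie(header) for name in cookie_names):
            return True
    return False


def forms_without_csrf(html, token_marker="csrf"):
    """Return the action of every form lacking an input named *csrf*."""
    parser = FormCollector()
    parser.feed(html)
    return [f["action"] for f in parser.forms
            if not any(token_marker in name.lower() for name in f["inputs"])]


def audit(html, set_cookie_headers):
    """Report candidate forms only when the response looks like symfony."""
    if not looks_like_symfony(set_cookie_headers):
        return []
    return forms_without_csrf(html)


# Constructed sample response: one protected form, one unprotected form.
SAMPLE_HEADERS = ["symfony=abc123; path=/"]
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="signin[username]">
  <input type="hidden" name="signin[_csrf_token]" value="deadbeef">
</form>
<form action="/comment" method="post">
  <input type="text" name="comment[body]">
</form>
"""
```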
