Hi,

I have updated w3af to r4391, but the results are still the same:

frank@darkstar:/tmp/w3af$ ./w3af_console
w3af>>> target
w3af/config:target>>> set target http://localhost/test/button.php
w3af/config:target>>> back
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> back
w3af>>> start
Found 1 URLs and 2 different points of injection.
The list of URLs is:
- http://localhost/test/button.php
The list of fuzzable requests is:
- http://localhost/test/button.php | Method: GET
- http://localhost/test/button.php | Method: POST | Parameters: (inp="")
Scan finished in 0 seconds.
w3af>>> version
w3af - Web Application Attack and Audit Framework
Version: 1.0-stable-4286 (from SVN server)
Revision: 4391
Author: Andres Riancho and the w3af team.

I have attached the log of the packet sniffer, which shows that the name/value pair of the submit button is not sent here.

Regards,
Frank

On 26-08-11 21:01, Javier Andalia wrote:
Hey Frank,

Can you give it a try? We've just submitted the fix for this problem.

Thanks,
Javier

On 08/25/2011 09:05 PM, Andres Riancho wrote:
Frank,

Good you confirmed this. I found a bug! But it's not in the process of parsing/injecting/etc. It's in the way we print stuff to the console. I'll explain this to Javier tomorrow (it has something to do with the unicode change he did a couple of weeks ago).

xss2.pcap.tar.bz2
Description: Binary data
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
