Hi,

I've checked out the latest version from svn. That version sends the 
name/value pair of the submit button and finds the vulnerability, 
although it reports the same vulnerability twice:

frank@darkstar:/tmp/w3af$ ./w3af_console
w3af>>> target
w3af/config:target>>> set target http://localhost/test/button.php
w3af/config:target>>> back
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> back
w3af>>> start
Found 1 URLs and 2 different points of injection.
The list of URLs is:
- http://localhost/test/button.php
The list of fuzzable requests is:
- http://localhost/test/button.php | Method: GET
- http://localhost/test/button.php | Method: POST | Parameters: (inp="")
Cross Site Scripting was found at: "http://localhost/test/button.php", 
using HTTP method POST. The sent post-data was: 
"inp=<SCrIPT>alert("YVn3")</SCrIPT>&sbm=submit". This vulnerability 
affects ALL browsers. This vulnerability was found in the request with 
id 17.
Cross Site Scripting was found at: "http://localhost/test/button.php", 
using HTTP method POST. The sent post-data was: 
"inp=<SCrIPT>alert("YVn3")</SCrIPT>&sbm=submit". This vulnerability 
affects ALL browsers. This vulnerability was found in the request with 
id 17.
Scan finished in 0 seconds.

Regards,
Frank

On 29-08-11 15:52, Javier Andalia wrote:
> Hey Frank,
>
> Can you please update by performing a regular "svn update" and try 
> again? Seems that w3af's update procedure is failing for some reason.
>
> Thanks
>
> Javier
>
>
> On 08/27/2011 09:23 AM, Frank van der Loo wrote:
>> Hi,
>>
>> I have updated w3af to r4391, but the results are still the same:
>> frank@darkstar:/tmp/w3af$ ./w3af_console
>> w3af>>>  target
>> w3af/config:target>>>  set target http://localhost/test/button.php
>> w3af/config:target>>>  back
>> w3af>>>  plugins
>> w3af/plugins>>>  audit xss
>> w3af/plugins>>>  back
>> w3af>>>  start
>> Found 1 URLs and 2 different points of injection.
>> The list of URLs is:
>> - http://localhost/test/button.php
>> The list of fuzzable requests is:
>> - http://localhost/test/button.php | Method: GET
>> - http://localhost/test/button.php | Method: POST | Parameters: (inp="")
>> Scan finished in 0 seconds.
>> w3af>>>  version
>> w3af - Web Application Attack and Audit Framework
>> Version: 1.0-stable-4286 (from SVN server)
>> Revision: 4391
>> Author: Andres Riancho and the w3af team.
>>
>> I have attached the log of the packet sniffer, that shows that the
>> name/value pair of the submit-button is not sent here.
>>
>> Regards,
>> Frank
>>
>> On 26-08-11 21:01, Javier Andalia wrote:
>>> Hey Frank,
>>>
>>> Can you give it a try? We've just submitted the fix for this problem.
>>>
>>> Thanks,
>>>
>>> Javier
>>>
>>>
>>> On 08/25/2011 09:05 PM, Andres Riancho wrote:
>>>> Frank,
>>>>
>>>> Good you confirmed this. I found a bug! But it's not in the process of
>>>> parsing/injecting/etc. It's in the way we print stuff to the console.
>>>> I'll explain this to Javier tomorrow (it has something to do with the
>>>> unicode change he did a couple of weeks ago).
>>>>
>


_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
