Ben,

On Tue, Jul 8, 2014 at 11:10 AM, Ben Kirk <[email protected]> wrote:
> Hi,
> OK I understand the 404 issue now, that makes sense.

Cool,

> As for a pull request,
> sorry for a newbie question, are you talking about me making the change and
> submitting a PR to you? Is this via a fork or a branch? I use git at work
> but haven't done a PR with a shared github project before. I pulled latest
> and created a branch with the change but I can't push the change, I get
>
>     error: The requested URL returned error: 403 Forbidden while accessing
>     https://github.com/andresriancho/w3af.git/info/refs?service=git-receive-pack
>     fatal: HTTP request failed
>
> I couldn't find any documentation on the site about exactly which process
> you'd like. Do I need to be added as a contributing dev? The suggested
> change is:
>
>     elif response.get_code() > 300\
>             and response.get_code() < 310:
>         return

Short answer: fork and then send a pull request.

Long answer: https://github.com/andresriancho/w3af/wiki/Contributing-101

> On Tue, Jul 8, 2014 at 6:10 AM, Andres Riancho <[email protected]> wrote:
>>
>> Ben,
>>
>> Please read inline,
>>
>> On Mon, Jul 7, 2014 at 7:15 PM, Ben Kirk <[email protected]> wrote:
>> > hi all,
>> > I may be misreading my scan output results, but I get the following and
>> > when I check all of these specific IDs they are for redirects like 302 or
>> > a 404. Should this even be reported for HTTP responses that are not really
>> > content for the user (like a normal 200 with HTML content)?
>> >
>> > Is this something that can be filtered out? Asking because I need to
>> > report these in our monthly deployments to production to our security
>> > team and I don't want to raise any unnecessary flags. I'm using the latest
>> > build in git as of today.
>> >
>> > However if these are truly issues I should fix I'm open to that.
>> >
>> > Thanks for any discussion on this.
>> >
>> > [Mon Jul 7 22:06:42 2014 - vulnerability] The whole target web
>> > application has no protection (Pragma and Cache-Control headers) against
>> > sensitive content caching. This vulnerability was found in the requests
>> > with ids 16, 36, 42 to 43 and 50.
>>
>> Well, you raise an interesting point. I agree that it doesn't make sense
>> for these to be checked against 30x. I would be more than happy to receive
>> a pull-request which adds a check around here [0] for the 30x codes.
>> Actually, believe it or not, that if in [0] was intended to match that
>> situation, but it wasn't a complete solution since some 30x do have
>> response bodies.
>>
>> RE: 404 codes, I believe that cache_control.py can't simply say: "we don't
>> care about them". Some 404 pages do have some private information (at
>> least the email address of the user?)
>>
>> Does this make sense? Do you have the time to send me that small PR?
>>
>> [0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/cache_control.py#L58
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
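A body-aware version of the check discussed in this thread, added here as an example. It is not w3af's own code and not the patch Ben proposed; the HTTPResponse class, the header rule (no-store/no-cache in Cache-Control, or no-cache in Pragma counts as protected), the function names and the sample traffic are all assumptions for illustration. Rather than skipping a status-code range, it skips any response with an empty body (the typical 302 that produced the noise in the report) but keeps inspecting a 30x or 404 that does carry a body, which is exactly the case a range check like "> 300 and < 310" would hide.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HTTPResponse:
    """Constructed stand-in for a scanner's response object. Only the
    methods this check needs are modelled; get_code/get_body/get_header
    are assumptions for this example, not w3af's API."""
    id: int
    code: int
    headers: Dict[str, str]
    body: str

    def get_code(self) -> int:
        return self.code

    def get_body(self) -> str:
        return self.body

    def get_header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so match on lower().
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def has_anti_caching_headers(response: HTTPResponse) -> bool:
    """A response counts as protected when Cache-Control carries no-store
    or no-cache, or Pragma carries no-cache. This is one reasonable reading
    of 'Pragma and Cache-Control headers'; the real plugin's rule may differ."""
    cache_control = (response.get_header("Cache-Control") or "").lower()
    pragma = (response.get_header("Pragma") or "").lower()
    directives = {d.strip() for d in cache_control.split(",")}
    return bool(directives & {"no-store", "no-cache"}) or "no-cache" in pragma


def should_grep(response: HTTPResponse) -> bool:
    """Only a response with a body can put anything into a cache.

    A status-code-only filter (skip everything in the 30x range) would also
    hide a redirect whose body echoes private data, the gap the thread
    mentions. So: skip body-less responses, including the usual empty 302,
    but keep inspecting any 30x or 404 that has a body."""
    return bool(response.get_body().strip())


def grep(responses: List[HTTPResponse]) -> List[int]:
    """Return the ids of responses that should carry anti-caching headers
    but do not, in the order they were seen."""
    return [
        r.id for r in responses
        if should_grep(r) and not has_anti_caching_headers(r)
    ]


def format_ids(ids: List[int]) -> str:
    """Render ids the way the scanner's message does ('16, 36, 42 to 43
    and 50'): consecutive ids collapse into 'a to b' and the last item is
    joined with 'and'. Expects ascending ids."""
    if not ids:
        return ""
    runs = []
    start = prev = ids[0]
    for current in ids[1:]:
        if current == prev + 1:
            prev = current
            continue
        runs.append((start, prev))
        start = prev = current
    runs.append((start, prev))
    parts = [str(a) if a == b else f"{a} to {b}" for a, b in runs]
    if len(parts) == 1:
        return parts[0]
    return ", ".join(parts[:-1]) + " and " + parts[-1]


# Constructed sample traffic; the ids mirror the ones in the thread's report.
SAMPLE_RESPONSES = [
    HTTPResponse(16, 200, {"Content-Type": "text/html"},
                 "<p>Welcome back, alice@example.com</p>"),
    HTTPResponse(36, 302, {"Location": "/login"}, ""),            # empty redirect: skipped
    HTTPResponse(42, 302, {"Location": "/home"},
                 "<p>Redirecting alice@example.com to /home</p>"),  # 30x with a body: flagged
    HTTPResponse(43, 404, {"Content-Type": "text/html"},
                 "<p>No such page for alice@example.com</p>"),      # 404 with a body: flagged
    HTTPResponse(50, 200, {"Cache-Control": "no-store, no-cache",
                           "Pragma": "no-cache"}, "<p>Account settings</p>"),  # protected
]


def report(responses: List[HTTPResponse]) -> str:
    """Build the one-line finding text for whatever the grep flagged."""
    flagged = grep(responses)
    if not flagged:
        return "No responses without anti-caching protection found."
    return ("The target web application has no protection (Pragma and "
            "Cache-Control headers) against sensitive content caching. "
            f"Found in the requests with ids {format_ids(flagged)}.")


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSES))
```

On the sample traffic the finding lists ids 16 and 42 to 43: the empty 302 (id 36) drops out, the 302 and 404 that echo the user's address stay in, and the response that actually sets the headers (id 50) is left alone.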
