[W3af-svn-notify] [Task #148674] encode decode window
From: SourceForge.net <no...@so...> - 2008-06-02 02:30:45
Task #148674 has been updated.

Project: w3af
Subproject: gtkUi - OWASP SoC 2008
Summary: encode decode window
Complete: 100%
Status: Open
Authority: andresriancho
Assigned to: facundobatista

Description:
Sorry for adding more things to a window that was already finished, but I found some other encodings that we should provide to the users. Please download wfuzz from http://www.edge-security.com/wfuzz.php and see the file encoders.py. Some of them are already implemented, but some aren't.

Follow-Ups:

-------------------------------------------------------
Date: 2008-06-01 23:30
By: andresriancho

Comment:
I'm feeling free to reopen this task ;) Please do it with a combo-box. Thanks!

-------------------------------------------------------
Date: 2008-05-31 20:02
By: facundobatista

Comment:
A note regarding the UTF-8 Encoding... the paper has UTF-8 wrong. For example, it claims that "%C1%81" is the character "A", but that is not valid UTF-8 (see, for example, the RFC 3629 (http://tools.ietf.org/html/rfc3629) that claims that in a UTF-8 the octet values C0, C1, F5 to FF never appear).

-------------------------------------------------------
Date: 2008-05-31 20:00
By: facundobatista

Comment:
Done! Feel free to reopen this task if you want to transform all the buttons in a combobox (right now it is pretty ugly).
-------------------------------------------------------
Date: 2008-05-22 16:37
By: andresriancho

Comment:
Two more (encoder only):

- encoder_mysqlchar
- encoder_mssqlchar

These two encoders are useful for SQL injections, and return the encoded string surrounded by a CHAR() function:

MYSQL
=====

    def encode(self,string):
        new="CHAR("
        for x in string:
            val=str(ord(x))
            new+=str(val)+","
        new=new.strip(",")
        new+=")"
        return new

MSSQL
=====

    def encode(self,string):
        new=""
        for x in string:
            val=str(ord(x))
            new+="CHAR("+str(val)+")+"
        new=new.strip("+")
        return new

-------------------------------------------------------
Date: 2008-05-22 16:29
By: andresriancho

Comment:
The encoders to add are:

- Double urlencode (apply urlencode twice) [must have decode]
- Random upper (change random chars of the string to upper case)
- Random lower (change random chars of the string to lower case)
- Hex Encoding as specified in the pdf linked here [0] [must have decode]
- Double Percent Hex Encoding as specified in the pdf linked here [0]
- Double Nibble Hex Encoding as specified in the pdf linked here [0]
- First Nibble Hex Encoding as specified in the pdf linked here [0]
- Second Nibble Hex Encoding as specified in the pdf linked here [0]
- UTF-8 Encoding as specified in the pdf linked here [0]
- UTF-8 Bare Byte Encoding as specified in the pdf linked here [0]
- Microsoft %U Encoding as specified in the pdf linked here [0]

A lot of these encoders are already coded in the wfuzz project that I specified before.

[0] docs.idsresearch.org/http_ids_evasions.pdf

-------------------------------------------------------
For more info, visit:

http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=148674&group_id=170274&group_project_id=56282
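
The point about "%C1%81" in the 2008-05-31 20:02 comment can be checked mechanically. The following is an added example, not part of the original task thread and not code from w3af or wfuzz: a Python check (the function name `check_percent_encoded` and the finding labels are assumptions made for this illustration) that percent-decodes a value once and reports octets RFC 3629 forbids, input a strict UTF-8 decoder rejects, leftover escapes that indicate double urlencoding, and `%u` escapes.

```python
import re
from urllib.parse import unquote_to_bytes

# Octets that RFC 3629 says never appear in UTF-8: C0, C1, F5..FF.
FORBIDDEN_OCTETS = frozenset({0xC0, 0xC1}) | frozenset(range(0xF5, 0x100))

PCT_ESCAPE = re.compile(rb"%[0-9A-Fa-f]{2}")       # standard %XX escape
PCT_U_ESCAPE = re.compile(rb"%[uU][0-9A-Fa-f]{4}")  # Microsoft %uXXXX form


def check_percent_encoded(value: str) -> dict:
    """Decode a percent-encoded value once and list normalisation findings."""
    raw = unquote_to_bytes(value)
    findings = []

    # 1. Octets that can never be part of well-formed UTF-8.
    bad = sorted({b for b in raw if b in FORBIDDEN_OCTETS})
    if bad:
        findings.append("forbidden-octet:" + ",".join(f"{b:02X}" for b in bad))

    # 2. Strict decoding also rejects overlong forms with legal lead bytes.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        text = None
        findings.append("invalid-utf8")

    # 3. Escapes still present after one decode: the value was encoded twice.
    if PCT_ESCAPE.search(raw):
        findings.append("double-encoded")

    # 4. %uXXXX is left untouched by a standard percent-decoder.
    if PCT_U_ESCAPE.search(raw):
        findings.append("nonstandard-%u")

    return {"decoded": text, "findings": findings}


# Constructed sample inputs, not taken from any real traffic.
SAMPLES = ["A", "%C3%A9", "%C1%81", "%E0%81%81", "%2541", "%u0041"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:14} -> {check_percent_encoded(sample)}")
```

A component that decodes differently on a filter and on the server behind it is the condition these findings point at, so a gateway or log pipeline can reject or flag any value with a non-empty `findings` list before further parsing.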