[W3af-svn-notify] [Task #149932] audit.eval
From: SourceForge.net <no...@so...> - 2008-11-04 00:22:53
Task #149932 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 80%
Status: Open
Authority: andresriancho
Assigned to: oxdef

Description:
The idea of this task is to create an audit plugin that can find scripts that eval() user input. An example vulnerable script would be:

===eval.php===
<? eval($_GET['c']); ?>
==============

And a way to check for this is to GET this URL:

http://localhost/w3af/eval/eval.php?c=echo 'aaaa' . 'dddd';

And see if in the response we find "aaaadddd" (of course, aaaa and dddd should be replaced by two random strings of length at least 6.)

Follow-Ups:

-------------------------------------------------------
Date: 2008-11-03 22:22
By: andresriancho

Comment:
One of the modifications that I've been trying to introduce into w3af is the idea of testing for a vulnerability using MORE THAN ONE TECHNIQUE. While I think that the current approach used in audit.eval is cool, and should still be used, I also think that the plugin should test for the response using the sleep() method of the corresponding language, and check if the response time takes longer than usual. An example of what I'm talking about is the audit.osCommanding plugin, which uses "echo" and "ping" to discover the same vulnerability.

-------------------------------------------------------
Date: 2008-11-03 22:19
By: andresriancho

Comment:
Assigning to Taras.

-------------------------------------------------------
Date: 2008-08-10 23:56
By: andresriancho

Comment:
Now it works with magic quotes enabled.

-------------------------------------------------------
Date: 2008-08-10 23:51
By: andresriancho

Comment:
The plugin is working and was added to the trunk; some tasks are still in Viktor's TODO list:
- make it work when magic quotes is enabled
- make it work for ASP, JSP, ASP.NET, Python.
-------------------------------------------------------
For more info, visit: http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149932&group_id=170274&group_project_id=50603
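The task describes two ways a scanner can confirm that a parameter is passed to eval(): the echo probe from the description (two random strings concatenated server-side, so the joined string appears in the body only if the expression was executed, never when the parameter is merely reflected) and the sleep() timing check from the 2008-11-03 follow-up. The following Python is an added example written for this page; it is not w3af's audit.eval plugin. The function names, the `send` callable returning `(body, elapsed_seconds)`, the simulated servers and the 80% timing threshold are all assumptions made here, not taken from the task.

```python
"""Added example (not w3af's own audit.eval code): the two eval() checks
described in the task, run against constructed stand-in servers.

Assumptions not taken from the page: all function names, the `send`
callable contract (expr -> (response_body, elapsed_seconds)), the two
simulated servers and the timing threshold.
"""
import re
import secrets
import string
from typing import Callable, List, Tuple

Sender = Callable[[str], Tuple[str, float]]


def random_token(length: int = 6) -> str:
    """Random lowercase string; the task asks for at least 6 characters so the
    expected output is unlikely to occur in a page by accident."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def build_echo_probe() -> Tuple[str, str]:
    """Return (php_expression, expected_output) in the shape the task uses:
    echo 'aaaa' . 'dddd'; yields 'aaaadddd' only if the parameter is eval()'d."""
    a, b = random_token(), random_token()
    return f"echo '{a}' . '{b}';", a + b


def echo_check(body: str, expected: str) -> bool:
    """Technique 1: the concatenated token is present only after execution.
    A server that just reflects the raw parameter returns the quoted halves
    separated by ' . ', which does not contain the joined string."""
    return expected in body


def timing_check(baseline: float, delayed: float, sleep_seconds: float) -> bool:
    """Technique 2 (follow-up comment): the sleep() probe took noticeably longer
    than a normal request. The 80% threshold is chosen here, not by the page."""
    return delayed - baseline >= 0.8 * sleep_seconds


def run_audit(send: Sender, sleep_seconds: int = 3) -> List[str]:
    """Run both techniques through `send` and report which ones confirmed eval()."""
    findings: List[str] = []
    expr, expected = build_echo_probe()
    body, _ = send(expr)
    if echo_check(body, expected):
        findings.append("echo")
    _, baseline = send("")  # harmless request to measure normal latency
    _, delayed = send(f"sleep({sleep_seconds});")
    if timing_check(baseline, delayed, sleep_seconds):
        findings.append("sleep")
    return findings


# --- constructed fixtures standing in for a web server (no network used) ---

def simulated_vulnerable_server(expr: str) -> Tuple[str, float]:
    """Stand-in for eval.php: 'executes' the two probe shapes; latency is simulated."""
    m = re.fullmatch(r"echo '([a-z]+)' \. '([a-z]+)';", expr)
    if m:
        return m.group(1) + m.group(2), 0.05
    m = re.fullmatch(r"sleep\((\d+)\);", expr)
    if m:
        return "", 0.05 + int(m.group(1))
    return "", 0.05


def simulated_safe_server(expr: str) -> Tuple[str, float]:
    """Stand-in that only reflects the parameter as text, never executes it."""
    return "you sent: " + expr, 0.05


if __name__ == "__main__":
    print("vulnerable:", run_audit(simulated_vulnerable_server))  # ['echo', 'sleep']
    print("safe:", run_audit(simulated_safe_server))              # []
```

Using two independent techniques, as the follow-up argues, makes a finding more robust: the echo check fails when output is suppressed or filtered, while the timing check still fires; conversely a slow server can produce a false timing positive that the echo check does not corroborate.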