Re: [W3af-develop] Cross-Site Scripting context detection engine rewrite
From: Taras <ox...@ox...> - 2015-09-16 10:44:38
Owen, libxml-devel is already installed. Please see the rpm output below.

On Wed, 16/09/2015 at 10:26 +0100, Owen Tuz wrote:
> Try installing libxml-devel and re-run? Looks like pip is trying to
> build but needs the header files, which are usually in the -devel
> package.
>
> Cheers,
> Owen
>
> On 16 Sep 2015 10:05 am, "Taras" <ox...@ox...> wrote:
> > Hello!
> >
> > Trying to run it on Fedora 22 inside a virtualenv, and while
> > installing all deps I see this error:
> >
> > /tmp/pip-build-mBBs62/lxml/src/lxml/includes/etree_defs.h:14:31:
> > fatal error: libxml/xmlversion.h: No such file or directory
> >
> > compilation terminated.
> >
> > error: command 'gcc' failed with exit status 1
> >
> > $ rpm -q -a libxml*
> > libxml-devel-1.8.17-34.fc22.x86_64
> > libxml-1.8.17-34.fc22.x86_64
> > libxml2-2.9.2-3.fc22.x86_64
> > libxml2-python-2.9.2-3.fc22.x86_64
> > libxml2-2.9.2-3.fc22.i686
> > libxml++-2.38.0-1.fc22.x86_64
> >
> > Any ideas?
> >
> > On Thu, 10/09/2015 at 22:52 +0300, Taras wrote:
> > > Andres, great job! :-) I will try to test it.
> > >
> > > On Thu, 10/09/2015 at 12:16 -0300, Andres Riancho wrote:
> > > > List,
> > > >
> > > > I'm glad to announce that w3af can now detect 100% of the XSS
> > > > vulnerabilities in WAVSEP!
> > > >
> > > > As part of the "Improve w3af's score for WAVSEP XSS by at least
> > > > 20%" [0] task, I completely rewrote (twice) the context detection
> > > > engine originally developed by Taras. The new engine has the
> > > > following improvements:
> > > >
> > > >     * Code is easier to read
> > > >     * Context detection false positives are reduced (but can still
> > > >       be improved by migrating from HTMLParser to lxml)
> > > >     * Added JavaScript sub-parser
> > > >     * Added CSS sub-parser
> > > >
> > > > I've also added new payloads to the XSS plugin which were required
> > > > to "break out" of the new contexts we're identifying.
> > > >
> > > > These changes are part of the "develop" branch, just switch to the
> > > > branch using "git checkout develop" and enjoy the new features (bug
> > > > reports are always welcome!).
> > > >
> > > > For those who love to read code, you'll find most of the
> > > > changes here [1]
> > > >
> > > > Enjoy!
> > > >
> > > > [0] https://github.com/andresriancho/w3af/issues/37
> > > > [1] https://github.com/andresriancho/w3af/tree/develop/w3af/core/data/context
> > > >
> > > > Regards,