Comments (4)
Yes that should be relatively simple enough to implement. I will try fit it in
for the next release.
The test that checks for potentially insecure direct object references looks
for file names, or paths, in the URL query string but does not actually go a
step further and manipulate them to test for RFI/LFI.
Original comment by [email protected]
on 21 May 2012 at 12:11
- Added labels: Type-Enhancement
- Removed labels: Type-Defect
from webvulscan.
Original comment by [email protected]
on 21 May 2012 at 12:12
- Changed state: Accepted
from webvulscan.
Using dynamic methods for this is far better than using someone else's shell.
See code.google.com/p/fimap for ideas.
Adding RFI/LFI to this would be excellent - I think a good compromise would be
to have it test for LFI/RFI on all parameters, while also using the rfilist.dat
file floating around (I will link when I find it) to check paths, just in case.
Loving the project though!
Original comment by [email protected]
on 9 Jun 2012 at 4:52
from webvulscan.
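The passive check described in the first comment (spot query parameters whose values look like file names or paths) and the suggestion above to look at every parameter can both be illustrated with a small classifier. This is an added example, not webvulscan's own code; the parameter names, the regexes and the access-log lines are constructed here, and it only identifies candidate parameters for review, it does not send any requests.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Value shapes worth reviewing: a remote URL (RFI candidate), a traversal
# sequence, any path, or a bare file name with a typical extension.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PATH_RE = re.compile(r"[/\\]")
FILE_NAME_RE = re.compile(r"^[\w.\-]+\.(php|inc|txt|html?|log|ini|cfg|xml)$", re.I)


def classify_value(value: str) -> Optional[str]:
    """Return 'remote_url', 'traversal', 'path', 'file_name' or None."""
    if REMOTE_RE.match(value):
        return "remote_url"
    if TRAVERSAL_RE.search(value):
        return "traversal"
    if PATH_RE.search(value):
        return "path"
    if FILE_NAME_RE.match(value):
        return "file_name"
    return None


def find_file_reference_params(url: str) -> List[Tuple[str, str, str]]:
    """Check every query parameter of a URL, not just known names."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        kind = classify_value(value)
        if kind:
            findings.append((name, value, kind))
    return findings


# Constructed sample access-log lines (not taken from the page or the project).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2012:12:11:00 +0000] "GET /view.php?page=about.php HTTP/1.1" 200 512',
    '10.0.0.6 - - [21/May/2012:12:11:03 +0000] "GET /view.php?page=../../config.php HTTP/1.1" 200 1024',
    '10.0.0.7 - - [21/May/2012:12:11:05 +0000] "GET /view.php?page=http://203.0.113.9/x.txt HTTP/1.1" 500 0',
    '10.0.0.8 - - [21/May/2012:12:11:07 +0000] "GET /view.php?id=42 HTTP/1.1" 200 300',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, param, value, kind) for each request worth review."""
    out = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            for name, value, kind in find_file_reference_params(m.group(1)):
                out.append((line.split()[0], name, value, kind))
    return out
```

Run `scan_log(SAMPLE_LOG)` to see which of the constructed requests would be flagged and why.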
Great that you like the project! Yes I agree, I think the scanner should have
support for this vulnerability as it can be a high-risk one. I released another
version yesterday but, unfortunately, I only had a few days to spend on the
project and had a few issues to fix so I did not think I would fit this in. I
should definitely be able to fit it in for the next one though. Thanks for the
feedback and suggestions!
Original comment by [email protected]
on 10 Jun 2012 at 4:22
from webvulscan.