search

andresriancho / w3af

w3af: web application attack and audit framework, the open source web vulnerability scanner.
http://w3af.org/
4.57k stars 1.22k forks source link

[Auto-Generated] Bug Report - hash_string = hash(body_str + uri_str) #299

Closed 1d3df9903ad closed 11 years ago

1d3df9903ad commented 11 years ago

User description

No user description was provided for this bug report given that it was related to handled exceptions in scan with id 764bec324a

Version Information

  Python version: 2.7.4 (default, Apr 19 2013, 18:28:01) [GCC 4.7.3]
  GTK version: 2.24.17
  PyGTK version: 2.24.0
  w3af version:
    w3af - Web Application Attack and Audit Framework
    Version: 1.5
    Revision: 07e89d63fe - 30 Apr 2013 13:57
    Author: Andres Riancho and the w3af team.

Traceback

An exception was found while running grep.strange_parameters on "http://domain/styles/images/tab-right-active.png | Method: GET". The exception was: "unsupported operand type(s) for +: 'NoneType' and 'str'" at parser_cache.py:get_document_parser_for():80.The full traceback is:
  File "/usr/local/w3af/core/controllers/core_helpers/consumers/grep.py", line 65, in run
    plugin.grep_wrapper(request, response)
  File "/usr/local/w3af/core/controllers/plugins/grep_plugin.py", line 65, in grep_wrapper
    self.grep(fuzzable_request, response)
  File "/usr/local/w3af/plugins/grep/strange_parameters.py", line 56, in grep
    dp = parser_cache.dpc.get_document_parser_for(response)
  File "/usr/local/w3af/core/data/parsers/parser_cache.py", line 80, in get_document_parser_for
    hash_string = hash(body_str + uri_str)

Enabled Plugins

{'attack': {},
 'audit': {u'blind_sqli': <OptionList: eq_limit>,
           u'buffer_overflow': <OptionList: >,
           u'cors_origin': <OptionList: origin_header_value>,
           u'csrf': <OptionList: >,
           u'dav': <OptionList: >,
           u'eval': <OptionList: use_time_delay|use_echo>,
           u'file_upload': <OptionList: extensions>,
           u'format_string': <OptionList: >,
           u'frontpage': <OptionList: >,
           u'generic': <OptionList: diff_ratio>,
           u'global_redirect': <OptionList: >,
           u'htaccess_methods': <OptionList: >,
           u'ldapi': <OptionList: >,
           u'lfi': <OptionList: >,
           u'mx_injection': <OptionList: >,
           u'os_commanding': <OptionList: >,
           u'phishing_vector': <OptionList: >,
           u'preg_replace': <OptionList: >,
           u'redos': <OptionList: >,
           u'response_splitting': <OptionList: >,
           u'rfi': <OptionList: listen_address|listen_port|use_w3af_site>,
           u'sqli': <OptionList: >,
           u'ssi': <OptionList: >,
           u'ssl_certificate': <OptionList: minExpireDays|caFileName>,
           u'un_ssl': <OptionList: >,
           u'xpath': <OptionList: >,
           u'xss': <OptionList: persistent_xss>,
           u'xst': <OptionList: >},
 'auth': {},
 'bruteforce': {u'basic_auth': <OptionList: usersFile|passwdFile|useSvnUsers|stopOnFirst|passEqUser|useLeetPasswd|useEmails|useProfiling|profilingNumber|comboFile|comboSeparator>,
                u'form_auth': <OptionList: usersFile|passwdFile|useSvnUsers|stopOnFirst|passEqUser|useLeetPasswd|useEmails|useProfiling|profilingNumber|comboFile|comboSeparator>},
 'crawl': {u'web_spider': <OptionList: only_forward|follow_regex|ignore_regex>},
 'evasion': {},
 'grep': {u'ajax': <OptionList: >,
          u'analyze_cookies': <OptionList: >,
          u'blank_body': <OptionList: >,
          u'cache_control': <OptionList: >,
          u'click_jacking': <OptionList: >,
          u'code_disclosure': <OptionList: >,
          u'credit_cards': <OptionList: >,
          u'cross_domain_js': <OptionList: >,
          u'directory_indexing': <OptionList: >,
          u'dom_xss': <OptionList: >,
          u'dot_net_event_validation': <OptionList: >,
          u'error_500': <OptionList: >,
          u'error_pages': <OptionList: >,
          u'feeds': <OptionList: >,
          u'file_upload': <OptionList: >,
          u'form_autocomplete': <OptionList: >,
          u'get_emails': <OptionList: only_target_domain>,
          u'hash_analysis': <OptionList: >,
          u'html_comments': <OptionList: >,
          u'http_auth_detect': <OptionList: >,
          u'http_in_body': <OptionList: >,
          u'lang': <OptionList: >,
          u'meta_tags': <OptionList: >,
          u'motw': <OptionList: >,
          u'objects': <OptionList: >,
          u'oracle': <OptionList: >,
          u'password_profiling': <OptionList: >,
          u'path_disclosure': <OptionList: >,
          u'private_ip': <OptionList: >,
          u'ssn': <OptionList: >,
          u'strange_headers': <OptionList: >,
          u'strange_http_codes': <OptionList: >,
          u'strange_parameters': <OptionList: >,
          u'strange_reason': <OptionList: >,
          u'svn_users': <OptionList: >,
          u'symfony': <OptionList: override>,
          u'url_session': <OptionList: >,
          u'user_defined_regex': <OptionList: single_regex|regex_file_path>,
          u'wsdl_greper': <OptionList: >,
          u'xss_protection_header': <OptionList: >},
 'infrastructure': {u'afd': <OptionList: >,
                    u'allowed_methods': <OptionList: execOneTime|reportDavOnly>,
                    u'detect_reverse_proxy': <OptionList: >,
                    u'detect_transparent_proxy': <OptionList: >,
                    u'dns_wildcard': <OptionList: >,
                    u'domain_dot': <OptionList: >,
                    u'favicon_identification': <OptionList: >,
                    u'find_jboss': <OptionList: >,
                    u'find_vhosts': <OptionList: >,
                    u'fingerprint_WAF': <OptionList: >,
                    u'fingerprint_os': <OptionList: >,
                    u'frontpage_version': <OptionList: >,
                    u'halberd': <OptionList: >,
                    u'hmap': <OptionList: genFpF>,
                    u'http_vs_https_dist': <OptionList: httpPort|httpsPort>,
                    u'php_eggs': <OptionList: >,
                    u'server_header': <OptionList: >,
                    u'server_status': <OptionList: >},
 'mangle': {},
 'output': {u'console': <OptionList: verbose>,
            u'text_file': <OptionList: verbose|output_file|http_output_file>}}
andresriancho commented 11 years ago 
>>> None + ''
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'
>>> '' + None
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: cannot concatenate 'str' and 'NoneType' objects
>>>

So the body needs to be None. The thing is that I thought I fixed that in https://github.com/andresriancho/w3af/commit/a92546054cbadf4eec77909bd2a41952afa782c9#core/data/url/HTTPResponse.py .

Related with #250