hhucn / webvulnscan

automated web application vulnerability scanner
MIT License
38 stars 27 forks source link

Unicode character handling is broken in broken_unicode_characters attack #35

Closed phihag closed 11 years ago

phihag commented 11 years ago

With python 2.7, running it on vulnsrv gives:

$ python -m webvulnscan http://localhost:8666/   --broken_unicode_characters
Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/home/phihag/projects/webvulnscan/webvulnscan/__main__.py", line 18, in <module>
    webvulnscan.main()
  File "webvulnscan/__init__.py", line 232, in main
    messages = run(options, arguments)
  File "webvulnscan/__init__.py", line 98, in run
    drive_all(page, attacks, client)
  File "webvulnscan/attacks/__init__.py", line 20, in drive_all
    attack(page, client)
  File "webvulnscan/attacks/broken_unicode_characters.py", line 33, in broken_unicode_characters
    try_on_form(client, form, symbol)
  File "webvulnscan/attacks/broken_unicode_characters.py", line 11, in try_on_form
    result = form.send(client, attack_parameters)
  File "webvulnscan/form.py", line 42, in send
    return client.download_page(self.action, parameters)
  File "webvulnscan/client.py", line 86, in download_page
    status_code, html, headers = self.download(url, parameters)
  File "webvulnscan/client.py", line 48, in download
    data = urlencode(parameters).encode("utf-8")
  File "/usr/lib/python2.7/urllib.py", line 1329, in urlencode
    v = quote_plus(str(v))
UnicodeEncodeError: 'ascii' codec can't encode character u'\uffff' in position 0: ordinal not in range(128)

It works fine on Python 3.

rliebig commented 11 years ago

Fixed via https://github.com/hhucn/webvulnscan/commit/441419e3068e62eb5d6f7056099e7908870b7ed8