Re: [W3af-develop] Authenticated scan support for x-access-token

2015-08-05 Thread Andres Riancho
Jay,

Interesting subject, never came across JSON web tokens before.

AFAIK nobody is working on adding this feature to the framework,
but I would be happy if you give it a try. There seems to be a library
we can use to handle all the encoding stuff [0] and some notes on the
w3af-specifics:

* The plugins need to be 100% abstracted from the way requests
are encoded. Changes to JSON web tokens will only affect files in
w3af/core/
* One of the most important abstractions you'll have to
understand to add JWT to w3af is mutants [1]. Follow the code by
looking for all the usages of JSONMutant and it should be easy to
understand what they are.
* The other abstraction to be added for JWT is a container [2]

A couple of links that might help:
* https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
* https://github.com/andresriancho/w3af/wiki/Contributing-101

Feel free to ask me any questions via this mailing list, or use
the new issue I've just created [3]

[0] https://github.com/jpadilla/pyjwt/
[1] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
[2] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
[3] https://github.com/andresriancho/w3af/issues/11875

On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong jay.xi...@verilume.com wrote:
 Hi,

 We are using a JWT token after username/password authentication for the
 subsequent HTTP requests. The JWT token is returned as access-token and the
 subsequent requests need to include x-access-token as part of the request.
 Otherwise, the server under scan simply rejects the HTTP request with 401.

 Is this feature being developed, or can someone point me to the code where I
 can customize it myself?

 Thanks,

 Jay

 --

 ___
 W3af-develop mailing list
 W3af-develop@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/w3af-develop




-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
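Jay's requirement is that every request after login carries the JWT in an x-access-token header, and Andres points at pyjwt for the encoding. The following Python snippet is an added example, not code from this thread or from w3af, and it uses only the standard library in place of pyjwt: it encodes and verifies an HS256 token (pinning the algorithm, comparing the signature in constant time and checking exp), builds the per-request header a scanner session would attach, and shows that a modified payload, a wrong secret or an expired token is rejected. The secret, claims, timestamps and the header name are constructed sample values, with the header name taken from Jay's description.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example; not from the thread or from w3af.
SAMPLE_SECRET = b"example-signing-secret"
SAMPLE_CLAIMS = {"sub": "scanner-user", "role": "tester"}


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_hs256(claims: dict, secret: bytes, ttl_seconds: int = 300, now=None) -> str:
    """Stand-in for what pyjwt's encode() does: header.payload.signature with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify and decode an HS256 token; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides which alg is acceptable, never the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def check_token(token: str, secret: bytes, now=None):
    """Return (True, 'ok') or (False, reason) without raising; handy for test vectors."""
    try:
        decode_hs256(token, secret, now)
    except ValueError as exc:
        return (False, str(exc))
    return (True, "ok")


def auth_headers(token: str) -> dict:
    # Header name as described by Jay: the server under scan expects x-access-token
    # on every request after login, so a scanner session must add it to each one.
    return {"x-access-token": token}


def with_modified_claims(token: str, **changes) -> str:
    # Test-vector helper: rewrite the payload segment but keep the original signature,
    # so the example can show that verification detects the modification.
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + _json_segment(payload) + "." + sig_b64


if __name__ == "__main__":
    # Fixed clock (constructed) so the run is reproducible.
    issued_at = 1_000_000
    token = encode_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET, ttl_seconds=60, now=issued_at)
    print("request headers:", auth_headers(token))
    print("valid token:", check_token(token, SAMPLE_SECRET, now=issued_at + 10))
    print("modified payload:", check_token(with_modified_claims(token, role="admin"),
                                           SAMPLE_SECRET, now=issued_at + 10))
    print("wrong secret:", check_token(token, b"other-secret", now=issued_at + 10))
    print("after expiry:", check_token(token, SAMPLE_SECRET, now=issued_at + 100))
```

The `now` parameter exists only to make the checks reproducible; in a real scanner session the default wall clock applies, and the token obtained from the login response would be passed to `auth_headers()` for every subsequent request rather than re-encoded locally.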



Re: [W3af-develop] Authenticated scan support for x-access-token

2015-08-05 Thread John Martinelli
I can help with this
On Aug 5, 2015 4:41 PM, Andres Riancho andres.rian...@gmail.com wrote: