I can help with this
On Aug 5, 2015 4:41 PM, Andres Riancho andres.rian...@gmail.com wrote:
Jay,
Interesting subject, never came across JSON web tokens before.
AFAIK nobody is working on adding this feature to the framework,
but I would be happy if you give it a try. There seems to be a library
we can use to handle all the encoding stuff [0] and some notes on the
w3af-specifics:
* The plugins need to be 100% abstracted of the way requests
are encoded. Changes to JSON web tokens will only affect files in
w3af/core/
* One of the most important abstractions you'll have to
understand to add JWT to w3af is mutants [1]. Follow the code by
looking for all the usages of JSONMutant and it should be easy to
understand what they are.
* The other abstraction to be added for JWT is a container [2]
A couple of links that might help:
*
https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
* https://github.com/andresriancho/w3af/wiki/Contributing-101
Feel free to ask me any questions via this mailing list, or use
the new issue I've just created [3]
[0] https://github.com/jpadilla/pyjwt/
[1]
https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
[2]
https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
[3] https://github.com/andresriancho/w3af/issues/11875
On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong jay.xi...@verilume.com wrote:
Hi,
We are using JWT token after user name/password authentication for the
subsequent http request. The JWT token returned as access-token and the
subsequent request need to include x-aacess-token as part of request.
Otherwise, the server under scan simply rejects http request with 401.
Is this feature being developed or can someone point me to the code
where I
can customize myself.
Thanks,
Jay
--
___
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
--
___
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
--
___
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop