Hi guys,

Yesterday, while "playing" with w3af I saw something (detailed below) with the "allowed methods" plugin related to checking whether the HTTP CONNECT method is available on a server or not, and I'd like to know if you think it could be a bug or not.

In case you think it is a bug, I'd be very happy if I can fix it and, if possible, would like some advice or guidelines on what next steps you think I should take to implement the fix. The problem is that I'm not a Python guru like you at all; currently I just know some Python for my day-to-day stuff. And if it is not a bug, I'd like to contribute as well. So guidelines, advice, etc. on how to do it are welcome :)

Here is what I did:

1. git pull the latest w3af version.

2. Set up an Apache server as a forward proxy

Set up an Apache web server that has the CONNECT method enabled for proxying clients (forward proxy, not reverse proxy) so they can browse using the Apache box as their proxy (the only client I'm testing now is on the same host, hence "Allow from 127.0.0.1"). This is the relevant Apache config I have (apart from the enabled mod_proxy modules, etc.):

    <VirtualHost *:80>
        ProxyRequests On
        ProxyVia On
        AllowCONNECT 80 443 563
    </VirtualHost>

    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Proxy>

3. Manually check that the CONNECT method is working (look at the format of the CONNECT line):

    bla@ubuntu:~$ telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    CONNECT google.com:80 HTTP/1.1
    HOST: google.com

    HTTP/1.0 200 Connection Established    <--- it worked
    Proxy-agent: Apache/2.4.7 (Ubuntu)

    blablablabla
    HTTP/1.0 400 Bad Request    <---- this is normal because blablabla is a bad request
    Content-Type: text/html; charset=UTF-8
    Content-Length: 1419
    Date: Mon, 04 Aug 2014 18:13:32 GMT
    Server: GFE/2.0
    <snip>

4. Set up a w3af profile for checking the CONNECT method

I set up a profile enabling only the "allowed methods" plugin, and this is what I see as the output of that plugin:

    """
    The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71.
    """

Note that, apart from all the methods but CONNECT being duplicated, what I see when going into the request/response navigator for the CONNECT request (which is the one with id 55) is (look at the CONNECT line format):

Request:

    CONNECT http://localhost/ HTTP/1.1
    Host: localhost
    Accept-encoding: gzip, deflate
    Accept: */*
    User-agent: w3af.org

Response:

    HTTP/1.1 400 Bad Request
    date: Mon, 04 Aug 2014 16:57:55 GMT
    content-length: 300
    content-type: text/html; charset=iso-8859-1
    connection: close
    server: Apache/2.4.7 (Ubuntu)

But if I run the same w3af profile again and look with Wireshark, what I see "on the wire" (look at the CONNECT line here as well) is:

Request:

    CONNECT / HTTP/1.1
    Host: localhost
    Accept-encoding: gzip, deflate
    Accept: */*
    User-agent: w3af.org

Response:

    HTTP/1.1 400 Bad Request
    Date: Mon, 04 Aug 2014 17:06:57 GMT
    Server: Apache/2.4.7 (Ubuntu)
    Content-Length: 300
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

So in summary:

    (A) Manual request (which works):                      CONNECT google.com:80 HTTP/1.1
    (B) w3af Request/Response navigator reported request:  CONNECT http://localhost/ HTTP/1.1
    (C) w3af on-the-wire request:                          CONNECT / HTTP/1.1

I think that according to the RFC it looks like a valid request should have just a hostname, a colon and a port, like (A), and not like (B) or (C):
http://tools.ietf.org/html/rfc7231#section-4.3.6

Do you think this could be a bug or an issue in how w3af generates a CONNECT request?

Also, what about the duplicates in the plugin output (I mean method names appearing twice for all but CONNECT):

    "The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71."

5. Digging a bit, I went through the code trying to read it, and I think the CONNECT request is generated in:

    w3af.core.data.url.extended_urllib.AnyMethod

But I'm not sure where you think would be a good place to fix it, and how (of course, in case you think there is a bug).

Regards

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
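An added example, not code from the post above or from w3af, illustrating the request-target point the message raises. It classifies the three CONNECT lines (A), (B) and (C) by their RFC 7230 section 5.3 request-target form (CONNECT must use authority-form, "host:port", per RFC 7231 section 4.3.6), builds the authority-form request that worked in the telnet session, and drives a small constructed in-memory stand-in for the Apache forward proxy that answers 200 only to an authority-form CONNECT, so the exchange runs offline. Every name here (request_target_form, connect_target_is_valid, build_connect_request, parse_status, open_tunnel, FakeProxy) is an assumption of this example and not a w3af API.

```python
"""Classify HTTP request-targets and build/drive a conformant CONNECT.

Added illustration, not w3af code.  Forms follow RFC 7230 section 5.3;
RFC 7231 section 4.3.6 requires CONNECT to use the authority-form
("host:port") target.  FakeProxy and the sample lines are constructed here.
"""
import re

# authority-form: host ":" port.  Hostnames/IPv4 literals only; a bracketed
# IPv6 literal would need a wider pattern (deliberate simplification).
_AUTHORITY_FORM = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")
# absolute-form: a URI scheme followed by "://"
_ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def request_target_form(request_line):
    """Return the RFC 7230 request-target form used by a request line:
    'origin-form', 'absolute-form', 'authority-form', 'asterisk-form',
    or 'invalid' when the text is not a request line at all."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "invalid"
    target = parts[1]
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if _ABSOLUTE_FORM.match(target):
        return "absolute-form"
    if _AUTHORITY_FORM.match(target):
        return "authority-form"
    return "invalid"


def connect_target_is_valid(request_line):
    """True only for a CONNECT whose target is authority-form (host:port)."""
    method = request_line.split(" ", 1)[0]
    return method == "CONNECT" and request_target_form(request_line) == "authority-form"


def build_connect_request(host, port):
    """Serialise a conformant CONNECT request (the shape of request (A))."""
    authority = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, authority)).encode("ascii")


def parse_status(response_head):
    """Status code from the first line of a proxy's response bytes."""
    first_line = response_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    match = re.match(r"HTTP/\d\.\d (\d{3})(?: |$)", first_line)
    if match is None:
        raise ValueError("not an HTTP status line: %r" % first_line)
    return int(match.group(1))


def open_tunnel(sock, host, port):
    """Send CONNECT over `sock` (anything with sendall/recv); True on 2xx.
    Reads until the end of the proxy's headers so a proxy that replies in
    several segments does not leave the status line half-read."""
    sock.sendall(build_connect_request(host, port))
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = sock.recv(4096)
        if not chunk:
            raise IOError("proxy closed the connection before replying")
        head += chunk
    return 200 <= parse_status(head) < 300


class FakeProxy(object):
    """Constructed in-memory stand-in for the Apache forward proxy: 200 to an
    authority-form CONNECT, 400 to anything else, mirroring the post."""
    OK = b"HTTP/1.0 200 Connection Established\r\nProxy-agent: fake\r\n\r\n"
    BAD = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

    def __init__(self):
        self.received = b""
        self._reply = None

    def sendall(self, data):
        self.received += data

    def recv(self, size):
        if self._reply is None:  # decide the reply from the request line
            line = self.received.split(b"\r\n", 1)[0].decode("ascii", "replace")
            self._reply = self.OK if connect_target_is_valid(line) else self.BAD
        out, self._reply = self._reply[:size], self._reply[size:]
        return out


if __name__ == "__main__":
    # the three request lines from the post, classified
    for line in ("CONNECT google.com:80 HTTP/1.1",      # (A)
                 "CONNECT http://localhost/ HTTP/1.1",  # (B)
                 "CONNECT / HTTP/1.1"):                 # (C)
        print("%-36s -> %s" % (line, request_target_form(line)))
    print("tunnel via FakeProxy:", open_tunnel(FakeProxy(), "google.com", 80))
```

Only (A) is authority-form; (B) is absolute-form and (C) is origin-form, which is why Apache answers both with 400. To try it against a real forward proxy, pass a connected `socket.socket` to `open_tunnel` in place of `FakeProxy()`.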