Re: [W3af-users] authentication not being performed

2014-09-23 Thread Andres Riancho
Don't have the time to reproduce now, but I believe that you might be
hitting this bug:
https://github.com/andresriancho/w3af/issues/4391

Could you talk with "foobarmonk" to try to solve this?

On Tue, Sep 23, 2014 at 7:42 AM, Ali Khalfan wrote:
> Hi Andres,
>
> I've tried performing an authenticated web scan, but I noticed that the URLs
> are being crawled.
>
> I ran tcpdump to check, and discovered that the authentication is not taking
> place at all.
>
>
>
> This is my w3af script with the authentication test:
>
>
> # ---
> #  W3AF AUDIT SCRIPT FOR WEB APPLICATION
> # ---
> #Configure HTTP settings
> http-settings
> set timeout 30
> back
> #Configure scanner global behaviors
> misc-settings
> set max_discovery_time 20
> set fuzz_cookies True
> set fuzz_form_files True
> set fuzz_url_parts True
> set fuzz_url_filenames True
> back
> plugins
> #Configure entry point (CRAWLING) scanner
> crawl web_spider
> crawl config web_spider
> set only_forward True
> set ignore_regex (?i)(logout|disconnect|signout|exit)+
> back
> #Configure vulnerability scanners
> ##Specify list of AUDIT plugins type to use
> #audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
> audit blind_sqli, cors_origin, csrf, eval, ldapi, lfi, response_splitting, sqli, xpath, xss, xst
> ##Customize behavior of each audit plugin when needed
> audit config file_upload
> #set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
> set extensions jsp,php,php2,php3,php4,php5
> back
> ##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
> grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
> ##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
> infrastructure server_header, server_status, domain_dot, dot_net_errors
> #Configure target authentication
> auth detailed
> auth config detailed
> set username super
> set password super
> set method POST
> set auth_url http://xyz.com/test-panel/index.php
> set username_field user_id
> set password_field pwd
> set check_url http://xyz.com/test-panel/home.php
> set check_string 'Logout'
> set data_format username=%U&password=%P&Login=Login
> back
> #Configure reporting in order to generate an HTML report
> output console, html_file
> output config html_file
> set output_file /tmp/W3afReport.html
> set verbose True
> back
> output config console
> set verbose False
> back
> back
> #Set target informations, do a cleanup and run the scan
> target
> set target http://xyz.com/test-panel/index.php
> set target_os windows
> set target_framework php
> back
> cleanup
> start
>
> ___
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] authentication not being performed

2014-09-23 Thread Ali Khalfan
Hi Andres,

I've tried performing an authenticated web scan, but I noticed that the
URLs are being crawled.

I ran tcpdump to check, and discovered that the authentication is not
taking place at all.



This is my w3af script with the authentication test:


# ---
#  W3AF AUDIT SCRIPT FOR WEB APPLICATION
# ---
#Configure HTTP settings
http-settings
set timeout 30
back
#Configure scanner global behaviors
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
plugins
#Configure entry point (CRAWLING) scanner
crawl web_spider
crawl config web_spider
set only_forward True
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back
#Configure vulnerability scanners
##Specify list of AUDIT plugins type to use
#audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
audit blind_sqli, cors_origin, csrf, eval, ldapi, lfi, response_splitting, sqli, xpath, xss, xst
##Customize behavior of each audit plugin when needed
audit config file_upload
#set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
set extensions jsp,php,php2,php3,php4,php5
back
##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
infrastructure server_header, server_status, domain_dot, dot_net_errors
#Configure target authentication
auth detailed
auth config detailed
set username super
set password super
set method POST
set auth_url http://xyz.com/test-panel/index.php
set username_field user_id
set password_field pwd
set check_url http://xyz.com/test-panel/home.php
set check_string 'Logout'
set data_format username=%U&password=%P&Login=Login
back
#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file /tmp/W3afReport.html
set verbose True
back
output config console
set verbose False
back
back
#Set target informations, do a cleanup and run the scan
target
set target http://xyz.com/test-panel/index.php
set target_os windows
set target_framework php
back
cleanup
start
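
An added example, not part of the original post and not w3af code: it expands the `data_format` from the script above so the resulting POST body can be compared against the tcpdump capture. The placeholder meanings (`%u`/`%p` are the field names, `%U`/`%P` the values) are an assumption taken from the plugin's documented options; the helper names are hypothetical.

```python
"""Preview the login body an `auth detailed` config should produce."""
import re
from urllib.parse import parse_qsl

# Values copied from the `auth config detailed` block in the posted script.
CONFIG = {
    "username": "super",
    "password": "super",
    "username_field": "user_id",
    "password_field": "pwd",
    "data_format": "username=%U&password=%P&Login=Login",
}

# Assumption: placeholder -> setting mapping as documented for the plugin.
PLACEHOLDERS = {
    "%u": "username_field",
    "%U": "username",
    "%p": "password_field",
    "%P": "password",
}


def build_login_body(cfg):
    """Expand data_format in one pass, so values containing '%' are safe."""
    return re.sub(r"%[uUpP]",
                  lambda m: cfg[PLACEHOLDERS[m.group(0)]],
                  cfg["data_format"])


def posted_parameter_names(cfg):
    """Parameter names the login form handler would actually receive."""
    return [name for name, _ in parse_qsl(build_login_body(cfg))]


def unused_field_settings(cfg):
    """Field-name settings that data_format never references."""
    return [setting for token, setting in PLACEHOLDERS.items()
            if setting.endswith("_field") and token not in cfg["data_format"]]


if __name__ == "__main__":
    print("expected body:   ", build_login_body(CONFIG))
    print("parameter names: ", posted_parameter_names(CONFIG))
    print("settings unused: ", unused_field_settings(CONFIG))
```

If a POST to `auth_url` with this body never appears in the capture, the login request is not being sent at all; if it appears but `check_string` is not found at `check_url`, compare the parameter names with the login form's input names.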


Re: [W3af-users] Force web_spider to crawl a directory only

2014-09-23 Thread Ali Khalfan
Thanks, it is clear and works.

On Mon, Sep 8, 2014 at 4:47 PM, Andres Riancho wrote:

> Thanks for asking, I've added a new section to the docs to address this:
> http://docs.w3af.org/en/develop/common-use-cases.html
>
> Please let me know if the docs are clear.
>
> On Sun, Sep 7, 2014 at 4:44 AM, Ali Khalfan wrote:
> > Is there a way I can force the Web_spider plug-in to only check a specific
> > directory and not leave it. Example: if I want to scan www.domain.com/dir1 I
> > do not want to leave the dir1 directory
> >
> >
> > Ali
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> >
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>