Don't have the time to reproduce now, but I believe that you might be
hitting this bug:
https://github.com/andresriancho/w3af/issues/4391
Could you talk with foobarmonk to try to solve this?
On Tue, Sep 23, 2014 at 7:42 AM, Ali Khalfan ali.khal...@gmail.com wrote:
Hi Andres,
I've tried performing an authenticated web scan, but i noticed that the URLs
are being crawled.
I ran tcpdump to check, and discovered that the authentication is not taking
place at all.
This is my w3af script with the authentication test:
#
---
# W3AF AUDIT SCRIPT FOR WEB
APPLICATION
#
---
#Configure HTTP settings
http-settings
set timeout 30
back
#Configure scanner global behaviors
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
plugins
#Configure entry point (CRAWLING) scanner
crawl web_spider
crawl config web_spider
set only_forward True
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back
#Configure vulnerability scanners
##Specify list of AUDIT plugins type to use
#audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload,
ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli,
xpath, xss, xst
audit blind_sqli, cors_origin, csrf, eval, ldapi, lfi, response_splitting,
sqli, xpath, xss, xst
##Customize behavior of each audit plugin when needed
audit config file_upload
#set extensions
jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
set extensions jsp,php,php2,php3,php4,php5
back
##Specify list of GREP plugins type to use (grep plugin is a type of plugin
that can find also vulnerabilities or informations disclosure)
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp,
directory_indexing, dom_xss, error_500, error_pages,
html_comments, objects, path_disclosure, private_ip, strange_headers,
strange_http_codes, strange_parameters, strange_reason, url_session,
xss_protection_header
##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin
is a type of plugin that can find informations disclosure)
infrastructure server_header, server_status, domain_dot, dot_net_errors
#Configure target authentication
auth detailed
auth config detailed
set username super
set password super
set method POST
set auth_url http://xyz.com/test-panel/index.php
set username_field user_id
set password_field pwd
set check_url http://xyz.com/test-panel/home.php
set check_string 'Logout'
set data_format username=%Upassword=%PLogin=Login
back
#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file /tmp/W3afReport.html
set verbose True
back
output config console
set verbose False
back
back
#Set target informations, do a cleanup and run the scan
target
set target http://xyz.com/test-panel/index.php
set target_os windows
set target_framework php
back
cleanup
start
--
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk
___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
--
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk
___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
