Re: [W3af-users] Didn't get it right letting W3AF ignore some URLs by configuring ignore_regex

2015-06-01 Thread Andres Riancho
Christian,

On Mon, Jun 1, 2015 at 6:33 AM,  spass-bill...@gmx.de wrote:
 Hello,

 I didn't get it right to ignore some URLs during evaluation of a target 
 webapp.
 Let's say the target URL should be

 http://test.host/foo/bar/index.html

 On this entry site there are two links (among others) which should NOT be 
 considered for further investigation by W3AF:

 http://test.host/foo/search/
 http://test.host/print.html

 I didn't get it right yet trying for instance:

 set ignore_regex .*(search|print\.html)$

 or (to get rid of at least the first link)

 set ignore_regex .*search.*

 or even (trying to match the second URL to ignore)

 set ignore_regex .*print\.html$

 But W3AF always comes up with timeouts regarding both of the two URLs (the 
 target webapp is running in a special test environment where the mentioned 
 links are not backed by a responding application); it also lists the links in 
 the report's section URLs found during application scan.

 What am I doing wrong here? I've tested the regular expressions for 
 compatibility issues regarding PERL's syntax etc. here:

 http://www.pythonregex.com/

 Thank you for any kind of help.

The regular expressions look good. Some ideas about what might be going on:

 * These regular expressions only apply to the web spider [0]. If you
have other plugins enabled and those plugins find the URLs then they
will be crawled. If I don't remember incorrectly there is a
framework-wide setting called non-target to avoid visiting a URL with
ANY plugin

 * You might add some print statements around these lines [1] to
understand what's going on

[0] 
https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/web_spider.py
[1] 
https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/web_spider.py#L283-L287

Regards,

 Christian



 --
 ___
 W3af-users mailing list
 W3af-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/w3af-users



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
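
As an added example (not part of either message and not w3af's own code), a small Python check of the three ignore_regex values from the thread against the three URLs it mentions. It assumes the pattern is applied with re.match to the full URL string; the VARIANT pattern and the helper names are constructed for illustration.

```python
import re

# URLs quoted in the thread: the entry page must stay in scope,
# the other two are the links the scan should skip.
KEEP = ["http://test.host/foo/bar/index.html"]
SKIP = ["http://test.host/foo/search/", "http://test.host/print.html"]

# The three ignore_regex values tried in the thread.
PATTERNS = [
    r".*(search|print\.html)$",
    r".*search.*",
    r".*print\.html$",
]
# Constructed variant (not from the thread): tolerates a trailing slash.
VARIANT = r".*(search/?|print\.html)$"


def ignored(pattern, url):
    """Assumption: the spider applies the pattern with re.match, i.e.
    anchored at the start of the full URL string."""
    return re.match(pattern, url) is not None


def check_scope(pattern, skip=SKIP, keep=KEEP):
    """List every URL the pattern handles differently than intended."""
    problems = [("not ignored", u) for u in skip if not ignored(pattern, u)]
    problems += [("wrongly ignored", u) for u in keep if ignored(pattern, u)]
    return problems


if __name__ == "__main__":
    for p in PATTERNS + [VARIANT]:
        issues = check_scope(p)
        print(p, "->", issues if issues else "covers both links")
```

A pattern that passes this check only rules out the regex itself; URLs found by plugins other than the web spider are a separate matter, as the reply notes.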



[W3af-users] Didn't get it right letting W3AF ignore some URLs by configuring ignore_regex

2015-06-01 Thread spass-billard
Hello,
 
I didn't get it right to ignore some URLs during evaluation of a target webapp.
Let's say the target URL should be

    http://test.host/foo/bar/index.html
 
On this entry site there are two links (among others) which should NOT be 
considered for further investigation by W3AF:

    http://test.host/foo/search/
    http://test.host/print.html
 
I didn't get it right yet trying for instance:

    set ignore_regex .*(search|print\.html)$

or (to get rid of at least the first link)

    set ignore_regex .*search.*

or even (trying to match the second URL to ignore)

    set ignore_regex .*print\.html$
 
But W3AF always comes up with timeouts regarding both of the two URLs (the 
target webapp is running in a special test environment where the mentioned 
links are not backed by a responding application); it also lists the links in 
the report's section URLs found during application scan.
 
What am I doing wrong here? I've tested the regular expressions for 
compatibility issues regarding PERL's syntax etc. here:

    http://www.pythonregex.com/
 
Thank you for any kind of help.
 
Christian
 
 
