Re: [W3af-users] Authenticated spider issues and questions
Hi, thanks for the quick response.

> Maybe the web_spider is following the logout link, which is invalidating
> the session? You should ignore logout urls when doing auth scans

I already did by using ignore_regex:

"(phpLogout\.php|phpNewPassword\.php)"

By this I hope he does not call any URL with these two scripts inside. Both would be bad for the scan.

> Yeah, that could be because of the javascript redirect. Maybe try to set
> phpAccontSummary.php in the w3af target configuration?

I changed the target to be phpAccountSummary.php. But now it logs in successfully and unsuccessfully a few times. It does not spider any other URLs now. It does not find a single URL but in "Results", and if I look for this request, I can see that the successful requests returned several links but they are not followed at all.

> No, let's try with the things I recommended above, if that doesn't work
> we'll try giving w3af a cookie via config/http/cookies

Hm. The cookie with the Session-ID is returned by the first call to phpLogin.php. I assumed that w3af is using the cookies like a web browser does (e.g. after receiving one, always send the content with every further request). But due to the requests in the "Results", it does not send the cookie it received before with the next requests. It simply does not respect the session cookie. Interestingly, another cookie is always used (but there the content is static and no session ID).

Any other idea?
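An added example, not part of the original message and not w3af code: it checks the ignore pattern quoted above against constructed URLs under both anchored (`re.match`) and unanchored (`re.search`) matching, because a pattern that does not start with the scheme can never hit under an anchored match. The host name, the URL lists and the function names are assumptions; which mode a given w3af version uses should be confirmed before relying on either.

```python
import re

# Pattern as quoted in the message above.
IGNORE_REGEX = r"(phpLogout\.php|phpNewPassword\.php)"

# Constructed sample URLs; the host name is a placeholder.
MUST_SKIP = [
    "https://app.example.test/phpLogout.php",
    "https://app.example.test/phpNewPassword.php?step=1",
]
MUST_CRAWL = [
    "https://app.example.test/phpAccountSummary.php",
    "https://app.example.test/phpCreateRegifyLocal.php",
]

def audit(pattern, anchored):
    """Check an ignore pattern against URLs that must be skipped or crawled.

    anchored=True applies the pattern from the start of the URL (re.match),
    anchored=False anywhere inside it (re.search). Which one the scanner
    uses is an assumption to confirm, so both can be reported.
    """
    rx = re.compile(pattern)
    hit = rx.match if anchored else rx.search
    return {
        "still_crawled": [u for u in MUST_SKIP if not hit(u)],
        "wrongly_skipped": [u for u in MUST_CRAWL if hit(u)],
    }

def safe_in_both_modes(pattern):
    """True when the pattern skips every session-ending URL, and nothing
    else, regardless of how the scanner anchors it."""
    return all(
        not r["still_crawled"] and not r["wrongly_skipped"]
        for r in (audit(pattern, True), audit(pattern, False))
    )

if __name__ == "__main__":
    for p in (IGNORE_REGEX, r".*" + IGNORE_REGEX + r".*"):
        print(p, audit(p, True), audit(p, False), safe_in_both_modes(p))
```
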
Re: [W3af-users] Authenticated spider issues and questions
Kukulkan,

Answers inline,

On Wed, Apr 25, 2018 at 4:33 AM, Volker Schmid wrote:
> Hi,
>
> I'm new to w3af and start to get deeper into authentication. I use only two
> PlugIns: crawl->web_spider and auth->detailed. The current site is using a
> form in phpLogin.php. This is doing a JS redirect so I use
> phpAccontSummary.php to verify if user was logged in successfully (searching
> there for "Log out").
>
> This is the config for auth-detailed:
> [auth.detailed]
> username = pente...@mysystem.com
> password = EGjv4gmj
> username_field = txtUsername
> password_field = txtPassword
> auth_url = https://vsprovider2.de.mysystem.com/phpLogin.php?action=login
> check_url = https://vsprovider2.de.mysystem.com/phpAccountSummary.php
> check_string = Log out
> data_format = %u=%U&%p=%P
> follow_redirects = False
> method = POST
> url_encode_params = True
>
>
> Due to the website logs, login for user "Pentest Pentest" (ID 3) was
> successful several times:
>
> 2018-04-25 09:12:25 USER_LOGIN_SUCCESS Pentest Pentest (3)
> 2018-04-25 09:12:20 USER_LOGIN_SUCCESS Pentest Pentest (3)
> 2018-04-25 09:12:15 USER_LOGIN_SUCCESS Pentest Pentest (3)
>
>
> In the GUI log I get this:
>
> [Mi 25 Apr 2018 09:12:25 CEST] Can't login into web application as
> pente...@mysystem.com/EGjv4gmj
>
> In the console output (using GUI) of w3af I can find such entries:
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pente...@mysystem.com=EGjv4gmj" returned HTTP
> code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
> User "pente...@mysystem.com" is currently logged into the application
> Login success for pente...@mysystem.com/EGjv4gmj
> detailed._login() took 0.11s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pente...@mysystem.com" is NOT logged into the application

Maybe the web_spider is following the logout link, which is invalidating the session? You should ignore logout urls when doing auth scans

> (...a few other spider entries...)
>
> ET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pente...@mysystem.com" is currently logged into the application
> Login success for pente...@mysystem.com/EGjv4gmj
> detailed._login() took 0.18s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=111,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> web_spider.discover(https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php)
> web_spider is testing
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
> [web_spider] Crawling
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
> GET https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php returned
> HTTP code "302" (id=112,from_cache=0,grep=1,rtt=0.01,did=None)
> web_spider.discover(uri="https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php")
> took 0.02s to run
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pente...@mysystem.com=EGjv4gmj" returned HTTP
> code "200" (id=113,from_cache=0,grep=1,rtt=0.07,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=114,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> Can't login into web application as pente...@mysystem.com/EGjv4gmj
>
> So these are very mixed results (sometimes success sometimes not) and I do
> not know why it sometimes reports successful login and sometimes it does
> not?
>
> Due to the request navigator and the results to phpLogin.php there, login
> was always successful if w3af sent the correct login data by POST. I can see
> that phpAccontSummary.php delivered positive results sometimes.
>
> Also, even if it was successful, it seems it does not spider the links found
> in phpAccontSummary.php. All the new links inside there are not listed in
> the URLs found.

Yeah, that could be because of the javascript redirect. Maybe try to set phpAccontSummary.php in the w3af target configuration?

> I can see that w3af does not send the session cookie received during the
> first phpLogin.php all the time. It seems to forget sometimes. If not set,
> the webpage creates a new sessionid and returns it. So the logged in session
> is
[W3af-users] Authenticated spider issues and questions
Hi,

I'm new to w3af and start to get deeper into authentication. I use only two PlugIns: crawl->web_spider and auth->detailed. The current site is using a form in phpLogin.php. This is doing a JS redirect so I use phpAccontSummary.php to verify if user was logged in successfully (searching there for "Log out").

This is the config for auth-detailed:

[auth.detailed]
username = pente...@mysystem.com
password = EGjv4gmj
username_field = txtUsername
password_field = txtPassword
auth_url = https://vsprovider2.de.mysystem.com/phpLogin.php?action=login
check_url = https://vsprovider2.de.mysystem.com/phpAccountSummary.php
check_string = Log out
data_format = %u=%U&%p=%P
follow_redirects = False
method = POST
url_encode_params = True

Due to the website logs, login for user "Pentest Pentest" (ID 3) was successful several times:

2018-04-25 09:12:25 USER_LOGIN_SUCCESS Pentest Pentest (3)
2018-04-25 09:12:20 USER_LOGIN_SUCCESS Pentest Pentest (3)
2018-04-25 09:12:15 USER_LOGIN_SUCCESS Pentest Pentest (3)

In the GUI log I get this:

[Mi 25 Apr 2018 09:12:25 CEST] Can't login into web application as pente...@mysystem.com/EGjv4gmj

In the console output (using GUI) of w3af I can find such entries:

GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
User "pente...@mysystem.com" is NOT logged into the application
POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with data: "txtUsername=pente...@mysystem.com=EGjv4gmj" returned HTTP code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
User "pente...@mysystem.com" is currently logged into the application
Login success for pente...@mysystem.com/EGjv4gmj
detailed._login() took 0.11s to run

(...many other spider entries...)

GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
User "pente...@mysystem.com" is NOT logged into the application

(...a few other spider entries...)

ET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
User "pente...@mysystem.com" is currently logged into the application
Login success for pente...@mysystem.com/EGjv4gmj
detailed._login() took 0.18s to run

(...many other spider entries...)

GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=111,from_cache=0,grep=0,rtt=0.01,did=None)
User "pente...@mysystem.com" is NOT logged into the application
web_spider.discover(https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php)
web_spider is testing "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
[web_spider] Crawling "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
GET https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php returned HTTP code "302" (id=112,from_cache=0,grep=1,rtt=0.01,did=None)
web_spider.discover(uri="https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php") took 0.02s to run
POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with data: "txtUsername=pente...@mysystem.com=EGjv4gmj" returned HTTP code "200" (id=113,from_cache=0,grep=1,rtt=0.07,did=None)
GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=114,from_cache=0,grep=0,rtt=0.01,did=None)
User "pente...@mysystem.com" is NOT logged into the application
Can't login into web application as pente...@mysystem.com/EGjv4gmj

So these are very mixed results (sometimes success sometimes not) and I do not know why it sometimes reports successful login and sometimes it does not?

Due to the request navigator and the results to phpLogin.php there, login was always successful if w3af sent the correct login data by POST. I can see that phpAccontSummary.php delivered positive results sometimes.

Also, even if it was successful, it seems it does not spider the links found in phpAccontSummary.php. All the new links inside there are not listed in the URLs found.

I can see that w3af does not send the session cookie received during the first phpLogin.php all the time. It seems to forget sometimes. If not set, the webpage creates a new sessionid and returns it. So the logged in session is somehow lost.

Why is it not always sending the session cookie? In Configuration->HTTP Config->Cookies, the ignore option is NOT set and the cookie_jar_file is empty. Anything to do here?

I'm a little bit lost now because the things I see seem not logical to me at all :(

Best
Kukulkan