Re: [W3af-users] performance issues post-scan

2019-10-30 Thread Andres Riancho
Another comment on that, the version that is embedded in the latest
docker might not be the latest from w3af github repo (master branch).

The latest from master might have multiple improvements.


On Wed, Oct 30, 2019 at 2:30 AM Chris Herdt  wrote:
>
> I believe my issue was due to low drive space. I'm going to increase the 
> drive space and give it another try.
>
>
> On Tue, Oct 29, 2019 at 9:29 PM Chris Herdt  wrote:
>>
>> I'm running a Dockerized version of w3af via w3af_console_docker on Kali 
>> Linux. I'm targeting an instance of Mutillidae, using the OWASP_TOP10 
>> profile.
>>
>> The scan appeared to take about 15 minutes, but never completed. I no longer 
>> see web requests to the target server, but for the past 20 hours or so I see 
>> messages like this, with decreasing values for "requests per minute" over 
>> time:
>>
>>> |--|
>>> | Crawling Method: GET | http://192.168.1.57/icons/small/ | Query string: |
>>> | (view) using crawl.phpinfo |
>>> | Auditing Method: GET | http://192.168.1.57/icons/small/ | Query string: |
>>> | (view) using audit.frontpage |
>>> | Crawl phase: In (None URLs/min) Out (None URLs/min) Pending (None URLs) ETA |
>>> | (None) |
>>> | Audit phase: In (None URLs/min) Out (None URLs/min) Pending (None URLs) ETA |
>>> | (None) |
>>> | Requests per minute: 9 |
>>> |--|
>>
>>
>> Other profiles, such as web_infrastructure, finished faster but still had a 
>> substantial delay after the actual scanning appeared to be complete.
>>
>> I saw similar behavior described years ago in this thread, but I'm not sure 
>> if the root cause of that issue was determined:
>> https://sourceforge.net/p/w3af/mailman/message/31150639/
>>
>> Thanks for any insights,
>>
>> --
>> Chris Herdt
>>
>
>
> --
> Chris Herdt
> https://osric.com/chris/
> ___
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users



--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3




Re: [W3af-users] New to w3af

2019-09-23 Thread Andres Riancho
James,

Thanks for your email, comments and questions inline:

On Wed, Sep 18, 2019 at 4:00 PM James Pifer  wrote:
>
> I came across w3af and have it installed (for the most part). With the
> help of docker I'm able to run the console, but I keep getting this when
> I run the gui:
>
> user1@UbuntuDocker:/opt/w3af/extras/docker/scripts$ sudo ./w3af_gui_docker
> [sudo] password for user1:
> root@172.17.0.2's password:
> w3af's requirements are not met, one or more third-party libraries need
> to be installed.
>
> On Ubuntu 12.04 systems please install the following operating system
> packages before running the pip installer:
>  sudo apt-get -y install python-webkit
>
> A script with these commands has been created for you at
> /tmp/w3af_dependency_install.sh
>
> (process:18): Gtk-WARNING **: Locale not supported by C library.
>  Using the fallback 'C' locale.
> /usr/lib/python2.7/dist-packages/gtk-2.0/gtk/__init__.py:57: GtkWarning:
> could not open display
>warnings.warn(str(e), _gtk.Warning)
> user1@UbuntuDocker:/opt/w3af/extras/docker/scripts$
>
>
>
> $ sudo apt-get -y install python-webkit
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> python-webkit is already the newest version (1.1.8-3.1).
>
>
> Not sure where to go from here. Any suggestions?

Got the same error when trying to run it myself.

Tried to build a new docker version and failed to do it in the time I had.

I recommend you try to install w3af in your OS, most likely using virtualenv:
http://docs.w3af.org/en/latest/advanced-install.html#installing-using-virtualenv

> I've run some scans from the console using the target/set target and
> plugins enable all on several URLs trying to prepare for an audit. I
> really have yet to find anything. Maybe our apps are more secure than I
> think and there really is nothing to find. The scans are also very
> quick, whereas Tenable takes a long time to run scans. Is that normal?

Quick is very relative.

Scan times depend on the site size, number of enabled plugins, the
network connection speed, etc.

> Not sure how to know whether it's really working.

To know if the scan is working I recommend enabling the text_file
output plugin with `debug` set to True. Then `tail -f` the file to see
HTTP requests being sent.

> Anyway, really appreciate what the app is doing. I'm not a security
> expert, just an IT guy, so any help is appreciated.
>
> Thanks!
>
>
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3




Re: [W3af-users] w3af as a service

2019-06-13 Thread Andres Riancho
Not really, any DB you know how to use and maintain will make it.

On Thu., Jun 13, 2019, 7:08 PM, Rafael Barbosa da Silva <rafae...@gmail.com> wrote:

> Thanks a lot Andres!
>
> Makes a lot of sense.
>
> Is there any DB would you recommend?
>
> Regards.
> Rafael
>
> On Thu, 13 Jun 2019 at 18:20, Andres Riancho <andres.rian...@gmail.com> wrote:
>
>> Rafael,
>>
>> Thanks for your interest in w3af and using it to build a SaaS.
>> Answers and comments inline:
>>
>> On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva
>>  wrote:
>> >
>> > Hello everyone, how are you?
>> >
>> > I would like to build a service that runs w3af and persists results in
>> a database. The idea is to provide a web interface where we can run a scan and
>> also navigate through the results. Have any of you guys done something
>> related and would like to share? And even if you have not done so, would
>> you like to suggest a strategy? What about invoking a scan through the web
>> interface? Is there a way to run multiple instances of w3af scans?
>>
>> This is how I would do it, and the ways I have heard others have done
>> it:
>>
>>  * The web interface you show to your user needs to know almost
>> nothing about w3af
>>
>>  * When the user clicks on "start scan" a new w3af scan script [0] is
>> created. Your SaaS will most likely have 3 or 4 different scan script
>> templates, for different use-cases your customers might have. The
>> template is filled with the target URL, credentials, etc. all provided
>> by the user, and then sent to a scan queue.
>>
>>  * The scans just sit in the queue until one of the scan workers gets to
>> them
>>
>>  * Scan workers are EC2 instances that read scan scripts from the
>> queue and execute them. If you want to get fancy, you can measure the
>> scan queue size and do +1 or -1 on the number of scan workers
>> depending on load
>>
>>  * The scan script should be configured to use output.xml_file output.
>> This plugin writes data to disk every ~30 seconds or so.
>>
>>  * The scan worker server will run w3af_console -s script AND another
>> process that monitors the XML file. This process will extract
>> vulnerabilities from the file and save them to a vulnerabilities
>> queue. The process that monitors the XML file should only report new
>> vulnerabilities, no duplicated vulns should be sent to the
>> vulnerabilities queue.
>>
>>   * Another process will read vulnerabilities from the queue and store
>> them to the DB. The front-end web application reads vulnerabilities
>> from the DB. Stuff like marking them as a false positive are handled
>> in the DB, w3af knows nothing about that.
>>
>>   * Just like there is a queue for vulnerabilities, you could add a
>> queue for scan progress. The XML file also contains that information.
>>
>> Makes sense?
>>
>> [0] https://github.com/andresriancho/w3af/tree/master/scripts
>>
>> > Sorry about too many questions
>> > Regards.
>> > Rafael
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>


Re: [W3af-users] w3af as a service

2019-06-13 Thread Andres Riancho
Rafael,

Thanks for your interest in w3af and using it to build a SaaS.
Answers and comments inline:

On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva
 wrote:
>
> Hello everyone, how are you?
>
> I would like to build a service that runs w3af and persists results in a 
> database. The idea is to provide a web interface where we can run a scan and 
> also navigate through the results. Have any of you guys done something 
> related and would like to share? And even if you have not done so, would you 
> like to suggest a strategy? What about invoking a scan through the web 
> interface? Is there a way to run multiple instances of w3af scans?

This is how I would do it, and the ways I have heard others have done it:

 * The web interface you show to your user needs to know almost
nothing about w3af

 * When the user clicks on "start scan" a new w3af scan script [0] is
created. Your SaaS will most likely have 3 or 4 different scan script
templates, for different use-cases your customers might have. The
template is filled with the target URL, credentials, etc. all provided
by the user, and then sent to a scan queue.

 * The scans just sit in the queue until one of the scan workers gets to them

 * Scan workers are EC2 instances that read scan scripts from the
queue and execute them. If you want to get fancy, you can measure the
scan queue size and do +1 or -1 on the number of scan workers
depending on load

 * The scan script should be configured to use output.xml_file output.
This plugin writes data to disk every ~30 seconds or so.

 * The scan worker server will run w3af_console -s script AND another
process that monitors the XML file. This process will extract
vulnerabilities from the file and save them to a vulnerabilities
queue. The process that monitors the XML file should only report new
vulnerabilities, no duplicated vulns should be sent to the
vulnerabilities queue.

  * Another process will read vulnerabilities from the queue and store
them to the DB. The front-end web application reads vulnerabilities
from the DB. Stuff like marking them as a false positive are handled
in the DB, w3af knows nothing about that.

  * Just like there is a queue for vulnerabilities, you could add a
queue for scan progress. The XML file also contains that information.

Makes sense?

[0] https://github.com/andresriancho/w3af/tree/master/scripts

> Sorry about too many questions
> Regards.
> Rafael



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3


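The XML-monitoring process from the scan worker design above, as an added example that is not part of w3af or of the original message: it parses a snapshot of the output.xml_file report, hands back only findings that were not seen in an earlier snapshot, and treats a half-written file (the plugin rewrites it every ~30 seconds) as "no update yet". The sample reports are constructed, and the `<vulnerability>` element and attribute names are an assumption modelled on the xml_file format; adjust them if your w3af version differs.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Constructed sample reports (not real w3af output). Element and attribute names
# are an assumption modelled on xml_file's <vulnerability> element.
REPORT_T0 = """<w3af-run start="1560456000" version="1.6.54">
  <vulnerability id="[12]" method="GET" name="Cross site scripting vulnerability"
      plugin="xss" severity="Medium" url="http://target.example/search.php" var="q">
    <description>Reflected XSS in the q parameter.</description>
  </vulnerability>
  <vulnerability id="[19]" method="POST" name="SQL injection"
      plugin="sqli" severity="High" url="http://target.example/login.php" var="user">
    <description>Error-based SQL injection in the user parameter.</description>
  </vulnerability>
</w3af-run>
"""

# Second snapshot ~30 s later: the same two findings (the first one gained a
# request id) plus one new finding. Only the new one should reach the queue.
REPORT_T1 = REPORT_T0.replace('id="[12]"', 'id="[12, 31]"').replace(
    "</w3af-run>",
    '  <vulnerability id="[40]" method="GET" name="Path disclosure"\n'
    '      plugin="path_disclosure" severity="Low" url="http://target.example/old.php" var="">\n'
    "    <description>Absolute server path leaked in an error page.</description>\n"
    "  </vulnerability>\n</w3af-run>",
)

# A read that raced with the writer: the document is cut off half way through.
TRUNCATED = REPORT_T1[: len(REPORT_T1) // 2]


def fingerprint(vuln: ET.Element) -> str:
    """Stable dedup key: same finding, same place, reported by the same plugin.

    The id attribute lists HTTP request ids and can grow between snapshots,
    so it must not be part of the key.
    """
    parts = [vuln.get(k, "") for k in ("plugin", "name", "method", "url", "var")]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def parse_report(xml_text: str) -> Optional[List[Dict[str, str]]]:
    """Return the findings in a report, or None if the file is not parseable yet.

    xml_file rewrites the report periodically, so a reader may observe a
    truncated document; that is "no update yet", not a fatal error.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    findings = []
    for vuln in root.iter("vulnerability"):
        desc = vuln.find("description")
        findings.append({
            "key": fingerprint(vuln),
            "name": vuln.get("name", ""),
            "plugin": vuln.get("plugin", ""),
            "severity": vuln.get("severity", ""),
            "method": vuln.get("method", ""),
            "url": vuln.get("url", ""),
            "var": vuln.get("var", ""),
            "description": (desc.text or "").strip() if desc is not None else "",
        })
    return findings


class ReportMonitor:
    """Remembers which findings were already pushed to the vulnerabilities queue."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def new_findings(self, xml_text: str) -> List[Dict[str, str]]:
        """Findings in this snapshot that were not reported before."""
        findings = parse_report(xml_text)
        if findings is None:
            return []
        fresh = [f for f in findings if f["key"] not in self.seen]
        self.seen.update(f["key"] for f in fresh)
        return fresh


def demo() -> List[int]:
    """Feed three snapshots in order; returns how many new findings each produced."""
    monitor = ReportMonitor()
    return [len(monitor.new_findings(s)) for s in (REPORT_T0, TRUNCATED, REPORT_T1)]


if __name__ == "__main__":
    print(demo())  # [2, 0, 1]
```

In a real worker the loop would re-read the XML file on a timer and push each item of `new_findings()` onto the vulnerabilities queue; the fingerprint set is what keeps duplicates out of it across snapshots.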


[W3af-users] JavaScript Crawling: Beta testers wanted!

2019-04-05 Thread Andres Riancho
List,

It's been a long time, and the list is very inactive, but if you've
been paying attention to the GitHub commit logs [0] you'll notice that
the project is very much alive and improving every day!

At this point I'm looking for beta-testers for the initial
implementation of our JavaScript crawler. The crawler is based on
headless Chrome and can (at least for now) load a URL, click on all
page elements, and capture HTTP requests generated by Chrome using an
HTTP proxy.

If you have a few minutes to spare please download the latest from
the `feature/js` branch:

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout feature/js
virtualenv venv
. venv/bin/activate
./w3af_console

That will prompt you to install all dependencies, please do so and
then follow the instructions in the chrome/README.md [1]. Make sure to
change the target in the scan script!

The goal is to find issues with this new and beta feature. You'll
most likely get crashes, exceptions, scans that take a lot of time,
etc. Please report all those to w3af's issue tracker [2] to get them
fixed.

Thanks!

[0] https://github.com/andresriancho/w3af/commits/develop
[1] https://github.com/andresriancho/w3af/tree/feature/js/w3af/core/controllers/chrome
[2] https://github.com/andresriancho/w3af/issues/new

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3




Re: [W3af-users] REST API authenticated scan help

2018-09-14 Thread Andres Riancho
Snehil,

Answers and comments inline,

On Fri, Sep 14, 2018 at 10:03 AM  wrote:
>
> Hello,
>
> Recently, I started exploring the REST API
> of w3af and stumbled upon a few things which I couldn't understand and
> thought of seeking your advice.
>
>   From the documentation it's understood that in order to initiate a scan
> the following is the format:
>
> {
>   "target_urls": ["http://127.0.0.1:8000/audit/sql_injection/"],
>   "scan_profile": "[grep.strange_headers]\n\n[crawl.web_spider]\nonly_forward = False\nfollow_regex = .*\nignore_regex = \n\n"
> }
>
> w3af features different profiles which are located under
> https://github.com/andresriancho/w3af/tree/master/profiles
>
> Let's say I want to use the OWASP TOP 10 profile for an authenticated
> scan using the REST API /scan endpoint; what should the format in the
> profile be for form based authentication? I have checked the useful auth
> plugin but don't understand how to use this plugin inside a profile.

Something you could do is to run the w3af_gui, create your
configuration there, and then save the profile to a file. After saving
you can use it with the w3af REST API.

> for example: In OWASP TOP 10 profile, I can see under http settings
> options are there for basic authentication
> [http-settings]
> proxy_port = 8080
> url_parameter =
> never_404 =
> headers_file =
> proxy_address =
> basic_auth_domain =
> always_404 =
> max_http_retries = 2
> ntlm_auth_user =
> ntlm_auth_passwd =
> ignore_session_cookies = False
> timeout = 0
> user_agent = w3af.org
> basic_auth_user =
> basic_auth_passwd =
>
> My question is, how do I use form based credentials/options in this
> profile?
>
> I would be really grateful if someone can answer this question for
> me with the help of an example or required format to perform such type
> of authenticated scan via the REST API endpoint.
>
>
>
> Please provide an example format so that I can understand it clearly.
>
> Regards
> Snehil Khare
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3




Re: [W3af-users] Install issues

2018-08-22 Thread Andres Riancho
Oh, that is a bug. Sorry!

Fixed it here:

https://github.com/andresriancho/w3af/commit/3012a3f94fa8dfa9136a0292491c90766dae132e

Also I merged develop into master, so everyone will get this fix.

Thanks,
On Tue, Aug 21, 2018 at 10:45 AM Rafael Barbosa da Silva
 wrote:
>
> Hi,
>
> I'm trying to make w3af work on a VM on DigitalOcean, with Ubuntu 16.04.
>
> After following the steps in the docs, I'm facing this when executing ./w3af_console
>
> Traceback (most recent call last):
>   File "./w3af_console", line 13, in <module>
>     dependency_check()
>   File "/home/w3af/w3af/w3af/core/controllers/dependency_check/dependency_check.py", line 178, in dependency_check
>     external_commands = get_missing_external_commands(platform)
>   File "/home/w3af/w3af/w3af/core/controllers/dependency_check/dependency_check.py", line 99, in get_missing_external_commands
>     return platform.get_missing_external_commands()
>   File "/home/w3af/w3af/w3af/core/controllers/dependency_check/platforms/base_platform.py", line 54, in get_missing_external_commands
>     instructions.extend(handler.__func__())
>   File "/home/w3af/w3af/w3af/core/controllers/dependency_check/platforms/base_platform.py", line 60, in retirejs_handler
>     if retirejs_is_installed():
>   File "/home/w3af/w3af/w3af/core/controllers/dependency_check/external/retirejs.py", line 37, in retirejs_is_installed
>     version = subprocess.check_output('%s --version' % path_to_retire, shell=True)
>   File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
>     raise CalledProcessError(retcode, cmd, output=output)
> subprocess.CalledProcessError: Command '/usr/local/bin/retire --version' returned non-zero exit status 127
>
> Can you give a hand?
>
> I already got it working from apt-get install w3af, but want to use the 
> newest version, building from source.
>
>
> Thanks.
> Rafael
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! 
> http://sdm.link/slashdot___
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] Holm Security is sponsoring w3af!

2018-05-21 Thread Andres Riancho
List,

Prepare yourself for great news: Holm Security, an information
security solutions provider based in Sweden, is sponsoring the w3af
project!

The interesting news and what is coming can be found at
http://w3af.org/blog, but just in case you were wondering… here are
some FAQs:

#0 How is Holm Security sponsoring w3af?
Holm Security pays me as a Python developer. I usually work 20 to 40
hours a month for Holm Security.

#1 Why does Holm Security need your help?
Holm Security scans thousands of customer sites each day using w3af.
They identify a lot of bugs, performance issues, false positives and
receive feature requests from customers. Those issues need to be fixed
in order to provide value to their customers.

I help them fix the issues and code the new features. Holm Security
has a development team, but for some tasks it is better to outsource
it.

It could have been any Python developer, but it was more convenient to
hire the guy that wrote 90% of the w3af code ;-)


#2 How will this change the w3af project?
Holm Security's sponsorship will increase development speed and make
w3af much better. The w3af project will remain open source, no change in
license, no change in how you can use it.

Holm Security and I want the same thing: make the Internet a safer
place providing free access to great open source tools.

#3 Does all the code you write for Holm Security make it to the public
GitHub repository?
Yes, that is part of our agreement.

#4 How can my company sponsor w3af?
Contact me at andres.rian...@gmail.com

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Can't find files that contain the vulnerabilities' description for report generation

2018-05-04 Thread Andres Riancho
All pending tasks are done!

The vulndb can now be translated and python-sdk + w3af will allow the
user to set the language parameter in the misc settings. Setting that
parameter to, let's say, PT, will make w3af write all vulnerability
descriptions in Portuguese.

On Thu, May 3, 2018 at 9:17 PM, Amanda <amanda.barb...@unesp.br> wrote:
> Hi Andres,
>
> I think it's a great idea to translate it through the python-sdk. I'll
> definitely contribute with the translation when the structure gets ready.
>
> Please let me know when it starts working 100%. And thanks again for
> your work with W3af, it's fantastic!
>
> Regards,
>
> Amanda
>
>
> On 03-05-2018 13:07, Andres Riancho wrote:
>> Amanda,
>>
>> Sorry for the very late response, but I was unable to get to this sooner.
>>
>> The vulndb now supports translations, which are documented here:
>>
>> https://github.com/vulndb/data/wiki/Translations
>>
>> The python-sdk [0] for vulndb (code that reads the DB in python)
>> was modified to be able to support translations. There are two things
>> missing to get this to work 100%:
>> * Minor architecture decision in python-sdk to determine which
>> is the best way for the developer to specify the language to use
>> * Minor changes to w3af to let the user choose which language
>> to use in the vulndb, and then use it.
>>
>> And of course, the translations to different languages in vulndb/data :-)
>>
>> If you're still interested, I can take a look at Crowdin. It
>> should be possible to translate everything following the Translations
>> wiki page, but I understand that it requires some technical knowledge
>> (git, fork, pull request).
>>
>> [0] https://github.com/vulndb/python-sdk
>>
>> Regards,
>>
>> On Fri, Mar 16, 2018 at 2:00 PM, Amanda <amanda.barb...@unesp.br> wrote:
>>> Hello!
>>>
>>> Thanks for answering, that was exactly what I was looking for!
>>>
>>> The only tool I know for translation of this kind of software is
>>> https://crowdin.com/. I'm involved in the ZAP Proxy translation project
>>> (https://crowdin.com/project/owasp-zap/pt-br#), and I understood that,
>>> when a translation is made, it automatically updates the source code (I
>>> don't know if that's the standard procedure or
>>> if they had to configure that manually). It seems like a nice tool to
>>> translate software and might work for W3af.
>>>
>>> About the issue [2], I'm not sure I understood the problem correctly.
>>> Could you explain it?
>>>
>>> Thanks for the help, and for this amazing software!
>>>
>>> Amanda
>>>
>>>
>>> On 16/03/2018 10:44, Andres Riancho wrote:
>>>> Amanda,
>>>>
>>>> Thanks for your email and sorry for the late response.
>>>>
>>>> The vulnerability database data is in this repository [0] and
>>>> there have been some efforts to translate it to other languages [1][2]
>>>> but sadly I've been unable to deliver the fix for [2] which is a
>>>> blocker for translations.
>>>>
>>>> I'm completely new to the translation space, do you know about any
>>>> tools we can use to help with the translations? If I complete [2], how
>>>> would you provide the translations? A pull request?
>>>>
>>>> [0] https://github.com/vulndb/data
>>>> [1] https://github.com/vulndb/data/issues/26
>>>> [2] https://github.com/vulndb/data/issues/30
>>>>
>>>> On Mon, Mar 5, 2018 at 4:48 PM, Amanda <amandabarb...@sjrp.unesp.br> wrote:
>>>>> Hello!
>>>>>
>>>>> I would like to translate the vulnerabilities' descriptions (name,
>>>>> description, long description) in the XML reports to Brazilian Portuguese.
>>>>>
>>>>> However, I couldn't find the files that contain these descriptions and
>>>>> that are used to generate the XML reports. Can someone help me?
>>>>>
>>>>> Thank you in advance.
>>>>>
>>>>>
>>>>> Amanda
>>>>>
>>>>>
>>>>
>>> --
>>> Amanda Barbosa Sobrinho
>>> Bachelor's degree in Computer Science
>>> ACME! CyberSecurity Research Labs
>>> UNESP - São José do Rio Preto, SP
>>>
>>>
>>
>>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Can't find files that contain the vulnerabilities' description for report generation

2018-05-03 Thread Andres Riancho
Amanda,

Sorry for the very late response, but I was unable to get to this sooner.

The vulndb now supports translations, which are documented here:

https://github.com/vulndb/data/wiki/Translations

The python-sdk [0] for vulndb (code that reads the DB in python)
was modified to be able to support translations. There are two things
missing to get this to work 100%:
* Minor architecture decision in python-sdk to determine which
is the best way for the developer to specify the language to use
* Minor changes to w3af to let the user choose which language
to use in the vulndb, and then use it.

And of course, the translations to different languages in vulndb/data :-)

If you're still interested, I can take a look at Crowdin. It
should be possible to translate everything following the Translations
wiki page, but I understand that it requires some technical knowledge
(git, fork, pull request).

[0] https://github.com/vulndb/python-sdk

Regards,

On Fri, Mar 16, 2018 at 2:00 PM, Amanda <amanda.barb...@unesp.br> wrote:
> Hello!
>
> Thanks for answering, that was exactly what I was looking for!
>
> The only tool I know for translation of this kind of software is
> https://crowdin.com/. I'm involved in the ZAP Proxy translation project
> (https://crowdin.com/project/owasp-zap/pt-br#), and I understood that,
> when a translation is made, it automatically updates the source code (I
> don't know if that's the standard procedure or
> if they had to configure that manually). It seems like a nice tool to
> translate software and might work for W3af.
>
> About the issue [2], I'm not sure I understood the problem correctly.
> Could you explain it?
>
> Thanks for the help, and for this amazing software!
>
> Amanda
>
>
> On 16/03/2018 10:44, Andres Riancho wrote:
>> Amanda,
>>
>> Thanks for your email and sorry for the late response.
>>
>> The vulnerability database data is in this repository [0] and
>> there have been some efforts to translate it to other languages [1][2]
>> but sadly I've been unable to deliver the fix for [2] which is a
>> blocker for translations.
>>
>> I'm completely new to the translation space, do you know about any
>> tools we can use to help with the translations? If I complete [2], how
>> would you provide the translations? A pull request?
>>
>> [0] https://github.com/vulndb/data
>> [1] https://github.com/vulndb/data/issues/26
>> [2] https://github.com/vulndb/data/issues/30
>>
>> On Mon, Mar 5, 2018 at 4:48 PM, Amanda <amandabarb...@sjrp.unesp.br> wrote:
>>> Hello!
>>>
>>> I would like to translate the vulnerabilities' descriptions (name,
>>> description, long description) in the XML reports to Brazilian Portuguese.
>>>
>>> However, I couldn't find the files that contain these descriptions and
>>> that are used to generate the XML reports. Can someone help me?
>>>
>>> Thank you in advance.
>>>
>>>
>>> Amanda
>>>
>>>
>>
>>
>
> --
> Amanda Barbosa Sobrinho
> Bachelor's degree in Computer Science
> ACME! CyberSecurity Research Labs
> UNESP - São José do Rio Preto, SP
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Authenticated spider issues and questions

2018-05-02 Thread Andres Riancho
Kukulkan,

The authentication plugins do not send the login / check URLs to
the core. So any URL you put in the configuration, or that is the result
of requesting those URLs, will not make it to other plugins / the crawler.

That was the original design and is working as expected. Might not
be ideal for cases (yours?)... we'll see!

When the user configures authentication plugins, those are run at
the beginning of the scan [0][1], before sending "almost any other
request" and before the crawling plugins. This means that you could
configure w3af like this:
* auth plugin logs the scanner in
* the scanner will re-use cookies just like any browser (like
you mention above)
* crawl plugin will re-use cookies to follow the links you set
in the target. Remember that you can set the target to a comma
separated list of URLs, that might help.

Those steps will be run in that order, so the crawler should have
cookies when reaching the target.

The GUI is NOT maintained and I don't recommend using it. Use the
console or REST API.

w3af doesn't support javascript, so it won't be able to extract
"phpAccountSummary.php" from:

```
window.setTimeout("window.location.href = 'phpAccountSummary.php';", 0);
```

If you want me to help a little bit more, please do send me scan
logs with debugging information and HTTP requests (both files are
generated by the text_file plugin).

[0] https://github.com/andresriancho/w3af/blob/39004228300e1eb38ae0cdb3946725e7a3adb8c8/w3af/core/controllers/core_helpers/strategy.py#L649
[1] https://github.com/andresriancho/w3af/blob/39004228300e1eb38ae0cdb3946725e7a3adb8c8/w3af/core/controllers/core_helpers/strategy.py#L111-L112



On Thu, Apr 26, 2018 at 7:31 AM, Volker Schmid  wrote:
> Hello Andres,
>
> I created a cookie file and tried again. Now it seems to use the cookie, but
> spider is still not successful. I can see that it spidered several pages but
> it does not follow the links inside. Looks like it does not even try to
> spider the page that was found in login page result like this:
>
> 
> window.setTimeout("window.location.href = 'phpAccountSummary.php';", 0);
> 
>
> It just inspects the few pages linked on the start and login page. But it
> does not spider the pages behind. I thought it would also use the page I set
> for login verification (phpAccountSummary.php). It opens it, even successful
> after login, but it does not spider the links inside there.
>
> Again, if I set the spider target directly to
> https://vsprovider2.de.mysystem.com/phpAccountSummary.php, the
> "Results"->"URLs" stays completely empty.
>
> I also have to restart w3af GUI each time I scanned because any further
> action leads to crashes, strange GUI behaviour (missing values in scan
> config fields) or missing logs and URLs in "Results" view occasionally. The
> GUI seems very buggy to me.
> Is there some other, more stable version available? And is there a more
> sophisticated authentication/spider PlugIn available?
>
> Thanks,
>
> Kukulkan



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Authenticated spider issues and questions

2018-04-25 Thread Andres Riancho
Kukulkan,

Answers inline,

On Wed, Apr 25, 2018 at 4:33 AM, Volker Schmid  wrote:
> Hi,
>
> I'm new to w3af and am starting to get deeper into authentication. I use only two
> plugins: crawl->web_spider and auth->detailed. The current site is using a
> form in phpLogin.php. This is doing a JS redirect, so I use
> phpAccountSummary.php to verify if the user was logged in successfully (searching
> there for "Log out").
>
> This is the config for auth-detailed:
> [auth.detailed]
> username = pente...@mysystem.com
> password = EGjv4gmj
> username_field = txtUsername
> password_field = txtPassword
> auth_url = https://vsprovider2.de.mysystem.com/phpLogin.php?action=login
> check_url = https://vsprovider2.de.mysystem.com/phpAccountSummary.php
> check_string = Log out
> data_format = %u=%U&%p=%P
> follow_redirects = False
> method = POST
> url_encode_params = True
>
>
> According to the website logs, login for user "Pentest Pentest" (ID 3) was
> successful several times:
>
> 2018-04-25 09:12:25 USER_LOGIN_SUCCESS  Pentest Pentest (3)
> 2018-04-25 09:12:20 USER_LOGIN_SUCCESS  Pentest Pentest (3)
> 2018-04-25 09:12:15 USER_LOGIN_SUCCESS  Pentest Pentest (3)
>
>
> In the GUI log I get this:
>
> [Mi 25 Apr 2018 09:12:25 CEST] Can't login into web application as
> pente...@mysystem.com/EGjv4gmj
>
>
> In the console output (using GUI) of w3af I can find such entries:
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pente...@mysystem.com&txtPassword=EGjv4gmj" returned HTTP
> code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
> User "pente...@mysystem.com" is currently logged into the application
> Login success for pente...@mysystem.com/EGjv4gmj
> detailed._login() took 0.11s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pente...@mysystem.com" is NOT logged into the application

Maybe the web_spider is following the logout link, which is
invalidating the session?

You should ignore logout urls when doing auth scans

> (...a few other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pente...@mysystem.com" is currently logged into the application
> Login success for pente...@mysystem.com/EGjv4gmj
> detailed._login() took 0.18s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=111,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> web_spider.discover(https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php)
> web_spider is testing
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
> [web_spider] Crawling
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
> GET https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php returned
> HTTP code "302" (id=112,from_cache=0,grep=1,rtt=0.01,did=None)
> web_spider.discover(uri="https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php")
> took 0.02s to run
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pente...@mysystem.com&txtPassword=EGjv4gmj" returned HTTP
> code "200" (id=113,from_cache=0,grep=1,rtt=0.07,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=114,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> Can't login into web application as pente...@mysystem.com/EGjv4gmj
>
> So these are very mixed results (sometimes success, sometimes not) and I do
> not know why it sometimes reports a successful login and sometimes it does
> not.
>
> According to the request navigator and the results for phpLogin.php there, login
> was always successful if w3af sent the correct login data by POST. I can see
> that phpAccountSummary.php delivered positive results sometimes.
>
> Also, even if it was successful, it seems it does not spider the links found
> in phpAccountSummary.php. All the new links inside there are not listed in
> the URLs found.

Yeah, that could be because of the javascript redirect. Maybe try to
set phpAccountSummary.php in the w3af target configuration?

> I can see that w3af does not send the session cookie received during the
> first phpLogin.php all the time. It seems to forget it sometimes. If it is not set,
> the webpage creates a new session ID and returns it. So the logged-in session
> is
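
The two symptoms in this thread (the check_url probe flipping between "logged into" and "NOT logged into", and the 302 from phpCreateRegifyLocal.php once the session is gone) are what a spider produces when it follows the logout link. The example below is added here and is not w3af's code nor anything the thread's participants posted: a tiny local stand-in for the application and a miniature of what auth.detailed plus web_spider do, crawled once with and once without an ignore pattern for the logout URL (the role the web_spider plugin's ignore_regex option plays in w3af). The URL paths, form field names and the "Log out" check string are taken from the auth.detailed config quoted above; the server, the credentials (pentest@example.com / demo-password), the page contents and the ephemeral port are constructed for the demo.

```python
# Added example, not w3af's code: a local stand-in for the thread's app and a
# miniature auth.detailed + web_spider.  Paths, field names and "Log out" come
# from the quoted config; server, credentials and pages are constructed.
import re, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urljoin
from urllib.request import ProxyHandler, Request, build_opener

USERNAME, PASSWORD = "pentest@example.com", "demo-password"  # constructed
SID_RE = re.compile(r"PHPSESSID=([0-9a-f]+)")
OPENER = build_opener(ProxyHandler({}))  # never send 127.0.0.1 through a proxy

class FakeApp(BaseHTTPRequestHandler):
    # Login POST sets a session cookie and answers with the JS redirect from the
    # thread; the account page links to logout first, then to another page.
    log_message = lambda self, *args: None  # keep the demo quiet

    def _reply(self, code, body, extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        m = SID_RE.search(self.headers.get("Cookie", ""))
        sid = m.group(1) if m and m.group(1) in self.server.sessions else None
        path = self.path.split("?")[0]
        if path == "/phpAccountSummary.php":
            page = "<a href='phpLogout.php'>Log out</a><a href='phpCreateRegifyLocal.php'>Create</a>"
            self._reply(200, page if sid else "Please log in")
        elif path == "/phpLogout.php":
            self.server.sessions.discard(sid)
            self._reply(200, "Logged out")
        elif path == "/phpLogin.php" or sid:  # login form, or any page with a session
            self._reply(200, "<a href='phpAccountSummary.php'>Back</a>")
        else:  # no session: the 302 to the login page that the quoted log shows
            self._reply(302, "", [("Location", "/phpLogin.php")])

    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if form.get("txtUsername") == [USERNAME] and form.get("txtPassword") == [PASSWORD]:
            sid = secrets.token_hex(8)
            self.server.sessions.add(sid)
            self._reply(200, "window.setTimeout(\"window.location.href = 'phpAccountSummary.php';\", 0);",
                        [("Set-Cookie", f"PHPSESSID={sid}; Path=/")])
        else:
            self._reply(200, "Login failed")

class AuthCrawler:
    """Log in via POST, verify with check_url/check_string, re-login on failure."""

    def __init__(self, base, ignore_regex=None):
        self.base, self.logins, self.visited, self.cookie = base, 0, [], None
        self.ignore = re.compile(ignore_regex) if ignore_regex else None

    def fetch(self, url, data=None):
        headers = {"Cookie": f"PHPSESSID={self.cookie}"} if self.cookie else {}
        with OPENER.open(Request(url, data=data, headers=headers)) as resp:
            m = SID_RE.search(resp.headers.get("Set-Cookie", ""))
            self.cookie = m.group(1) if m else self.cookie  # keep any new session id
            return resp.read().decode()

    def is_logged_in(self):  # check_url + check_string from the quoted config
        return "Log out" in self.fetch(urljoin(self.base, "phpAccountSummary.php"))

    def login(self):
        self.logins += 1
        form = urlencode({"txtUsername": USERNAME, "txtPassword": PASSWORD}).encode()
        self.fetch(urljoin(self.base, "phpLogin.php?action=login"), data=form)
        return self.is_logged_in()

    def crawl(self, start):  # BFS over links; URLs matching ignore_regex are skipped
        queue, seen = [urljoin(self.base, start)], set()
        while queue:
            url = queue.pop(0)
            if url in seen or (self.ignore and self.ignore.search(url)):
                continue
            seen.add(url)
            if not self.is_logged_in() and not self.login():
                raise RuntimeError("cannot log in")
            body = self.fetch(url)
            self.visited.append(url[len(self.base):])
            queue += [urljoin(url, href) for href in re.findall(r"href='([^']+)'", body)]
        return self.visited

def run_demo(ignore_regex=None):
    server = HTTPServer(("127.0.0.1", 0), FakeApp)  # ephemeral port
    server.sessions = set()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        crawler = AuthCrawler(f"http://127.0.0.1:{server.server_address[1]}/", ignore_regex)
        visited = crawler.crawl("phpAccountSummary.php")
        return {"visited": visited, "logins": crawler.logins, "logged_in_at_end": crawler.is_logged_in()}
    finally:
        server.shutdown()

if __name__ == "__main__":
    print("spider follows logout:", run_demo())
    print("logout URL ignored:   ", run_demo(r"phpLogout"))
```

Run it directly to see both outcomes. Without the ignore pattern the crawler visits phpLogout.php, the next check_url probe fails and a second login is needed (logins == 2); with "phpLogout" ignored a single login covers the whole crawl. In w3af the equivalent is setting ignore_regex on the web_spider plugin to match the logout URL before starting an authenticated scan.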

Re: [W3af-users] Can't find files that contain the vulnerabilities' description for report generation

2018-03-16 Thread Andres Riancho
Amanda,

Thanks for your email and sorry for the late response.

The vulnerability database data is in this repository [0] and
there have been some efforts to translate it to other languages [1][2]
but sadly I've been unable to deliver the fix for [2] which is a
blocker for translations.

I'm completely new to the translation space, do you know about any
tools we can use to help with the translations? If I complete [2], how
would you provide the translations? A pull request?

[0] https://github.com/vulndb/data
[1] https://github.com/vulndb/data/issues/26
[2] https://github.com/vulndb/data/issues/30

On Mon, Mar 5, 2018 at 4:48 PM, Amanda  wrote:
> Hello!
>
> I would like to translate the vulnerability descriptions (name,
> description, long description) in the XML reports to Brazilian Portuguese.
>
> However, I couldn't find the files that contain these descriptions and
> that are used to generate the XML reports. Can someone help me?
>
> Thank you in advance.
>
>
> Amanda
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] can I scan when I crawl the site?

2017-09-05 Thread Andres Riancho
Sorry but I failed to understand the question. Could you please rephrase
it?

El 5 sept. 2017 12:22 a. m., "MengYuan Yang"  escribió:

>
> From the documentation, I know w3af will request a set of URLs, then it scans
> them all.
>
> Can I feed w3af some URLs, then continue crawling and feed it more?
>
> I can split the scan task into many and scan it part by part, but is there an
> easy way to scan and crawl at the same time?
>


Re: [W3af-users] does w3af handle javascript

2017-05-17 Thread Andres Riancho
Donald,

Sadly there is no javascript engine in w3af. There are plans [0] for
implementing a javascript crawler, but I haven't worked on that idea in a
while and have no plans on doing it either.

[0] https://github.com/andresriancho/w3af/milestone/9

On Mon, May 15, 2017 at 3:47 PM, Don Raikes  wrote:

> Hello,
>
>
>
> I am new to w3af, and am attempting to test a web application that
> utilizes javascript for things like the login page and many other features,
> in fact it is a mostly javascript-based application.
>
>
>
> Does w3af work with this type of application?
>
> Is there anything special I need to do to get it to work?
>
>
>
> My first attempt resulted in no successful login to the application, but
> several broken links found.
>
>
>
> Thanks in advance,
>
> Donald
>
>
>
> --
> Thank you, Donald
>
> Donald Raikes | Accessibility Specialist / QA Security Point of Contact
> Phone: +15205744033
> Oracle Application Development Framework


-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3


Re: [W3af-users] most recent tutorials

2016-11-22 Thread Andres Riancho
Ali,

I believe docs.w3af.org is the best source for w3af information
and how to perform different tasks

On Sat, Nov 5, 2016 at 1:38 PM, Ali Khalfan  wrote:
> Hi Andres,
>
>
> Where can I find the most recent tutorials related to w3af?  I haven't
> been using it for a while and was considering adding it to my swiss army
> knife of pen test tools.
>
>
>
> Thanks,
>
> Ali
>
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] CVE/CVSS-W3af compatibility

2016-11-22 Thread Andres Riancho
Waqas,

Some vulnerabilities, such as SQL injection should display vulndb
data [0] in the UI and some output reports. vulndb references owasp
top10, and cwe. The complete list of vulnerabilities which include
this description is here [1]. This is only available in the latest
w3af versions.

[0] https://github.com/vulndb/data/blob/master/db/45-sql-injection.json
[1] https://github.com/vulndb/data/tree/master/db

On Wed, Nov 16, 2016 at 7:57 AM, Waqas Aman  wrote:
> Hi,
> I just started using the tool. I was wondering whether the w3af scan results
> include the CVE/CVSS information of the vulnerabilities found, or
> information from other standard vuln. DBs/standards for that matter. I didn't
> see such info yet; maybe I am missing it.
> If not provided natively, are there any external plugins that can be
> installed in w3af to add such info to the vulns found? And, if there
> aren't any such plugins available, are there any other open-source web vuln
> scanners whose scans reveal CVE/CVSS or related information?
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] how to update pluggin

2016-10-03 Thread Andres Riancho
Mohsen,

I've been linking to this document too often these last weeks:
"How To Ask Questions The Smart Way" [0]. Sorry but based on your
"question" I can only guess what your problem is. Please explain it a
little bit more, follow guidelines from [0] and most likely someone
will answer.

[0] http://www.catb.org/esr/faqs/smart-questions.html

On Fri, Sep 30, 2016 at 1:08 PM, mohsen Abbaspour
 wrote:
> hi
>
> I want to get a plugin and add this plugin to another w3af app on
> another system that can't connect to the internet.
> How do I get the plugin?
>
> tnx
>
> --
>
>
>
>
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/RqFEqH
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] how many attack pluggin and pattern are there in w3af ?

2016-09-23 Thread Andres Riancho
Please take a moment to read this document [0] and try again :)

[0] http://www.catb.org/esr/faqs/smart-questions.html

On Fri, Sep 23, 2016 at 5:31 AM, mohsen Abbaspour
 wrote:
> hi
> I have a question.
> How many attack plugins and patterns are there in w3af?
> Please introduce more about it.
> Thanks
> --
>
>
>
>
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/RqFEqH
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Regarding scan of w3af

2016-09-23 Thread Andres Riancho
Can't repro if you don't give me the details

On Thu, Sep 22, 2016 at 8:26 AM, Suhas Lalige <suhaslal...@gmail.com> wrote:

> I had enabled the same plugins and the target was also the same for the
> second time. It was the same repetition of the first step, but I'm not
> getting the same result.
>
> On 20 September 2016 at 23:52, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>
>> Suhas,
>>
>> Well... most likely the two scans had different plugins enabled.
>> But if not... is there any way I can reproduce this potential issue?
>>
>> On Tue, Sep 20, 2016 at 11:44 AM, Suhas Lalige <suhaslal...@gmail.com>
>> wrote:
>> > Hi all
>> > I'm new to w3af. I tried running the scan by enabling the crawl and audit
>> > plugins. The first time I got SQL injection vulnerabilities; the second time,
>> > when I repeated it, I could not find any vulnerabilities. Please help me
>> > out in solving this issue.
>> > Thanks
>> > Suhas
>> >
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>
>
>


-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3


Re: [W3af-users] facing issue while executing commands inside w3af console when connected through ssh connection handler

2016-09-23 Thread Andres Riancho
Ah, your initial bug report never mentioned pexpect.

^J is a control char, new line according to [0]. This doesn't seem to
be a w3af problem.

[0] http://www.robelle.com/smugbook/ascii.html

On Fri, Sep 23, 2016 at 3:20 PM, ravi keerthi m d
<ravikeerth...@gmail.com> wrote:
> I tried it the same way and it works. But when using the pexpect Python module
> I'm facing the issue.
>
> Let's say it's a pexpect issue, but the same module works for Metasploit,
> Nessus, etc.
>
> On Sep 23, 2016 11:45 PM, "Andres Riancho" <andres.rian...@gmail.com> wrote:
>>
>> Works on my PC (tm)
>>
>> [pablo:/home/pablo] 35m40s $ ssh pablo@127.0.0.1
>> The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
>> ECDSA key fingerprint is a0:6d:ef:23:e0:e0:0a:3a:63:67:cd:1d:4f:79:4d:4e.
>> Are you sure you want to continue connecting (yes/no)? yes
>> Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
>> pablo@127.0.0.1's password:
>> Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-96-generic x86_64)
>>
>>  * Documentation:  https://help.ubuntu.com/
>>
>> Last login: Mon Aug  8 13:59:49 2016
>> [pablo@eulogias:/home/pablo] 1 $ cd pch/w3af/
>> [pablo@eulogias:/home/pablo/pch/w3af] master ± ./w3af_console
>> w3af>>> plugins
>> w3af/plugins>>> back
>> w3af>>> exit
>>
>> Liked it? Donate some money!
>>
>> [pablo@eulogias:/home/pablo/pch/w3af] master 12s ±
>>
>>
>>
>> On Thu, Sep 22, 2016 at 4:42 PM, ravi keerthi m d
>> <ravikeerth...@gmail.com> wrote:
>> >
>> >> > Hi,
>> >> >
>> >> > Manually I am able to execute my w3af commands successfully. When
>> >> > trying to execute the same w3af commands using an SSH connection, it
>> >> > is appending a ^J, so whatever command I am executing is executed
>> >> > like "^Jplugins".
>> >> >
>> >> >
>> >> > Example:
>> >> > root@kali# w3af_console
>> >> > w3af >>> ^J
>> >> >
>> >> > This is the first output after executing w3af_console using the SSH
>> >> > connection handler. Now when I execute the "plugins" command the
>> >> > output looks like this:
>> >> >
>> >> >
>> >> > root@kali# w3af_console
>> >> > w3af >>> ^Jplugins
>> >> >
>> >> > It says command not found.
>> >> >
>> >> >
>> >> > Can you please help me out with this, because using the same SSH
>> >> > connection handler I am able to run Metasploit framework commands on
>> >> > msfconsole.
>> >> >
>> >> >
>> >> > Thanks,
>> >> > Ravi
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Project Leader at w3af - http://w3af.org/
>> >> Web Application Attack and Audit Framework
>> >> Twitter: @w3af
>> >> GPG: 0x93C344F3
>> >
>> >
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] facing issue while executing commands inside w3af console when connected through ssh connection handler

2016-09-23 Thread Andres Riancho
Works on my PC (tm)

[pablo:/home/pablo] 35m40s $ ssh pablo@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is a0:6d:ef:23:e0:e0:0a:3a:63:67:cd:1d:4f:79:4d:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
pablo@127.0.0.1's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-96-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Aug  8 13:59:49 2016
[pablo@eulogias:/home/pablo] 1 $ cd pch/w3af/
[pablo@eulogias:/home/pablo/pch/w3af] master ± ./w3af_console
w3af>>> plugins
w3af/plugins>>> back
w3af>>> exit

Liked it? Donate some money!

[pablo@eulogias:/home/pablo/pch/w3af] master 12s ±



On Thu, Sep 22, 2016 at 4:42 PM, ravi keerthi m d
 wrote:
>
>> > Hi,
>> >
>> > Manually I am able to execute my w3af commands successfully. When trying
>> > to execute the same w3af commands using an SSH connection, it is appending
>> > a ^J, so whatever command I am executing is executed like "^Jplugins".
>> >
>> >
>> > Example:
>> > root@kali# w3af_console
>> > w3af >>> ^J
>> >
>> > This is the first output after executing w3af_console using the SSH
>> > connection handler. Now when I execute the "plugins" command the output
>> > looks like this:
>> >
>> >
>> > root@kali# w3af_console
>> > w3af >>> ^Jplugins
>> >
>> > It says command not found.
>> >
>> >
>> > Can you please help me out with this, because using the same SSH
>> > connection handler I am able to run Metasploit framework commands on
>> > msfconsole.
>> >
>> >
>> > Thanks,
>> > Ravi
>> >
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Regarding scan of w3af

2016-09-20 Thread Andres Riancho
Suhas,

Well... most likely the two scans had different plugins enabled.
But if not... is there any way I can reproduce this potential issue?

On Tue, Sep 20, 2016 at 11:44 AM, Suhas Lalige  wrote:
> Hi all
> I'm new to w3af. I tried running the scan by enabling the crawl and audit
> plugins. The first time I got SQL injection vulnerabilities; the second time,
> when I repeated it, I could not find any vulnerabilities. Please help me out
> in solving this issue.
> Thanks
> Suhas
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] w3af on owasp

2016-09-19 Thread Andres Riancho
Shreyas,

I believe that your question is way too open. To answer it someone
would have to spend considerable time setting up the environment,
running w3af, etc.

If you've got the time, please read [0]: "In the world of hackers,
the kind of answers you get to your technical questions depends as
much on the way you ask the questions as on the difficulty of
developing the answer. This guide will teach you how to ask questions
in a way more likely to get you a satisfactory answer."

[0] http://www.catb.org/esr/faqs/smart-questions.html

Regards,

On Thu, Sep 15, 2016 at 2:34 PM, Shreyas M R  wrote:
> I ran w3af on owaspbwa. I could not exploit the vulns.
> Can anyone help me with the plugin details and configuration?
>
>
> Awaiting your reply
>
> Thanks and Regards
>
>
>
> Shreyas M R
> about.me/shreyasmrs
>
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] HTTP redirect

2016-09-02 Thread Andres Riancho
I believe the answer is in the authentication part of docs [0], most
likely in [1].

Regarding 2FA, the way I would do it is to authenticate using a
browser, then get the cookie and set it in w3af as explained in [1]

[0] http://docs.w3af.org/en/latest/authentication.html
[1] http://docs.w3af.org/en/latest/authentication.html#setting-http-cookie

On Thu, Sep 1, 2016 at 9:16 PM, Vimal SRINIVASAN  wrote:
> Nice point highlighted by Blaharski. I am curious: what if the SSO has 2FA?
>
> Regards,
> Vimal.
>
>
> On Sep 1, 2016 11:11 PM, "Blaharski, Jared" 
> wrote:
>>
>> To Whom It May Concern:
>>
>>
>>
>> The website that we would like to scan has an SSO system and an HTTP
>> redirect. Will your software have any trouble handling that when doing
>> the crawl through the website?
>>
>>
>>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

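
Andres's suggestion for SSO with 2FA (log in once in a browser, then hand the session cookie to w3af) in code, as an added example that is not part of this thread or of w3af: the Cookie header copied from the browser's developer tools is written into the Netscape-format cookie jar that the cookie_jar_file option under http-settings (the "setting-http-cookie" section linked in [1]) reads, then loaded back the way a consumer would, to confirm it parses. The domain app.example.com, the cookie names and their values are constructed; the eight-hour lifetime is an arbitrary choice, since a browser session cookie carries no expiry of its own.

```python
# Added example, not part of the thread or of w3af: turn a Cookie: header copied
# from a browser session into a Netscape cookie jar for w3af's cookie_jar_file,
# then read it back.  Domain, cookie names and values are constructed.
import os
import tempfile
import time
from http.cookiejar import Cookie, MozillaCookieJar
from http.cookies import SimpleCookie


def write_cookie_jar(path, domain, cookie_header, secure=True, lifetime=8 * 3600):
    """Write every name=value pair of a Cookie: header into a Netscape jar."""
    jar = MozillaCookieJar(path)
    expires = int(time.time()) + lifetime  # session cookies have no expiry; pick one
    for morsel in SimpleCookie(cookie_header).values():
        jar.set_cookie(Cookie(
            version=0, name=morsel.key, value=morsel.value,
            port=None, port_specified=False,
            domain=domain, domain_specified=domain.startswith("."),
            domain_initial_dot=domain.startswith("."),
            path="/", path_specified=True,
            secure=secure, expires=expires, discard=False,
            comment=None, comment_url=None, rest={}))
    jar.save(ignore_discard=True, ignore_expires=True)
    return path


def load_cookie_jar(path):
    """Read the jar back; returns {name: value} as a consumer would send it."""
    jar = MozillaCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=True)
    return {c.name: c.value for c in jar}


def demo():
    """Round-trip a constructed session through a temp file."""
    path = os.path.join(tempfile.mkdtemp(prefix="w3af-cookies-"), "cookies.txt")
    write_cookie_jar(path, "app.example.com", "PHPSESSID=0123abcd; csrftoken=tok42")
    return load_cookie_jar(path)


if __name__ == "__main__":
    print(demo())
```

Two things to check before pointing w3af at the file: the domain column must match the host in the scan target exactly (a cookie written for app.example.com is not sent to www.app.example.com), and for an https target keep secure=True so the cookie is never sent over plain http if the crawler follows a downgraded link.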


Re: [W3af-users] W3AF scan behaviour (now in users list)

2016-07-25 Thread Andres Riancho
Tiago,

On Sat, Jul 23, 2016 at 12:32 PM, Tiago Vieira  wrote:
> Hello,
>
> My name is Tiago, I'm doing a master thesis in web security and I'm using
> w3af to perform some tests.
>
> My question is related to the scan: when we select a URL to attack, does
> the application perform POSTs on that URL?

Most likely not, it depends on the plugins you enabled.

If you enabled the web_spider plugin it will perform a GET to the URL,
retrieve the forms, and perform POST on those forms.

> I've tried manual requests and fuzzing but this does not allow simple
> parametrization for multiple requests, and I would prefer using the available
> plugins.
>
> One of the applications I'm testing has several async requests and I wanted
> to test each one of them with the available plugins.

You may want to read:
http://docs.w3af.org/en/latest/advanced-use-cases.html

> Thank you
> Best regards
>
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] How to do w3af_gui settings of spider_man

2016-06-13 Thread Andres Riancho
I believe you can't fix this issue by changing any settings. If
possible follow these [0] steps to report a bug.

[0] http://docs.w3af.org/en/latest/report-a-bug.html

On Mon, Jun 13, 2016 at 1:02 AM, Kazuo Fukukawa
 wrote:
> To Whom It May Concern:
>
> Thank you so much for this. I am using w3af for the first time.
> I checked the w3af-users mailing list archives, but I could not find any
> information about this.
>
> I have tried to check my web site (which includes Japanese characters) with
> the w3af spider_man proxy using Firefox.
> But I found that Japanese characters are changed, while English characters are
> not changed.
> So I could NOT access all pages in my web site (which includes Japanese
> characters) correctly.
> I would like to know how I should set up w3af_gui (spider_man or
> other) to avoid this issue.
>
> Of course, Japanese characters are NOT changed without the w3af spider_man proxy.
>
> w3af in ubuntu 14.04
>   Version: 1.7.6
>   Revision: 5aaef986c5-17
>   Branch: master
>   Local changes:No
>
> Best Regards,
> Fukukawa
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] incredibly slow crawling and auditing

2016-01-08 Thread Andres Riancho
On Fri, Jan 8, 2016 at 6:40 AM, Vojtěch Polášek  wrote:
> Greetings,
> I am testing a web application with lots of JavaScript with w3af. I use
> spider_man to gather starting information and I use almost all audit
> plugins but no other crawling plugins.
> I browsed through just two pages and submitted one form with spider_man
> to get some starting data.
> Unfortunately, w3af scans the application for a terribly long time. It
> goes from, for example, 300 requests per minute to 10 per minute and keeps
> going lower.
> When I press enter during scanning it is still showing the same crawling
> and auditing URL, just the number of requests is dropping.
> I can post some more information about the plugins used if you need it.
> Why is this happening?

I've seen this issue too, not sure why it happens, might be related
with [0] but I'm unsure.

[0] https://github.com/andresriancho/w3af/issues/12505

> Thanks and best regards,
> Vojta
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Launch scan after form submit

2015-12-14 Thread Andres Riancho
I believe you'll have to use something like Celery or Python RQ [0] to
queue the job and run it in workers.

The worker will receive the URL as parameter and run (almost) the same
steps as start() in console UI.

[0] http://python-rq.org/

On Sun, Dec 13, 2015 at 1:15 PM, Luigino  wrote:
> Hello all,
> I'm a newbie. I'm running tests to learn w3af.
> I want to create a form in a website with a field to submit a URL.
> My goal is to perform a w3af scan against the URL received from the form.
> I can't find any resources about it.
> Can someone give a little help?
> Thank you in advance.
>
>





Re: [W3af-users] using spider_man with W3AF and Docker

2015-12-10 Thread Andres Riancho
Vojta,

Please read answers inline:

On Wed, Dec 9, 2015 at 12:46 PM, Vojtěch Polášek  wrote:
> Greetings,
> I need to use spider_man plugin for my testing. I am running W3AF within
> Docker on Windows server 2012.

Awesome!

> I run something like
> docker run -p 4:4: ... andresriancho/w3af

That sounds like the right way to run the program to get the port
to be exposed.

> But I can't get the proxy to work properly. I tried every possible
> combination. In W3AF's config, I used container localhost and container
> IP address. In my browser, I used host's localhost and also IP address
> of the docker machine. Nothing works. Does the port need to be exposed
> in the docker file to get this working?

I never tried it myself, but once you start the scan, and if
-p4:4 is used, you should be able to connect from your windows
host to 127.0.0.1:4

> Could you please help me? I can not continue without using spider_man.
> Thanks,
> Vojta
>





Re: [W3af-users] run profile without target

2015-11-30 Thread Andres Riancho
Vojtěch,

Questions are welcome :)

I assume you wanted to say JavaScript instead of Java. If JS is
heavily used, then yes, the web_spider is "almost useless".

Well, the scan of the target URL can't be prevented, but if you
set the URL to http://target.com/ and disable web_spider, then w3af
won't have any parameters to find vulnerabilities in and the target is
"ignored" (most likely, haven't tested it).

Regards,

On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek  wrote:
> Greetings,
> my name is Vojtěch Polášek and I am a blind IT student from Czech Republic.
> As a part of my bachelor thesis, I am researching some tools for
> security analysis of web applications. One of those tools is W3AF, so
> expect some questions in near time :-)
> I need to perform analysis of Java application, where web_spider is
> useless. Therefore I use spider_man plugin. My question is; would it be
> possible to prevent initial scan of the URL set as target?
> Because it does not make much sense, as all needed input is facilitated
> through spider_man.
> Thank you for your response and best regards,
> Vojtěch Polášek
>





Re: [W3af-users] W3AF Docker and Windows

2015-11-12 Thread Andres Riancho
Vojtěch,

On Thu, Nov 12, 2015 at 8:47 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
> Greetings,
> still no luck. Is it important to mount the w3af and w3af-shared volumes to
> be able to at least log in?

The volumes [0] AFAIK are not required. If you don't set them w3af
will create the /root/.w3af inside the docker file system.

[0] 
https://github.com/andresriancho/w3af/blob/master/extras/docker/scripts/common/docker_helpers.py#L10-L11

> It would be great if someone who is more experienced with docker
> could try this. I am running the following commands in PowerShell:
> docker-machine start mytest
> docker-machine env --shell=powershell mytest | Invoke-expression
> docker run -d andresriancho/w3af
> docker ps works correctly and displays running sshd daemon on port 22

Looks good.

> docker logs  does not show anything
> docker top <container_id> shows only sshd running

Ok

> When I try to run command posted in the previous mail, still receiving
> password prompt and w3af as a password does not work.
> Any ideas?

Yes, I already asked: Are you sure your SSH client expects the private
key to be set using -i ?

> Thank you very much,
> Vojta
>
> Dne 2.11.2015 v 21:34 Andres Riancho napsal(a):
>> I've never done that in Windows, but it should work. You should try to
>> follow the same steps which are outlined for Linux here [0]. I suspect
>> you already did most of those since you found the ssh private key.
>> It's strange that the docker image is asking you for a password if
>> you're providing a SSH key; maybe -i is not the right flag in your ssh
>> client?
>>
>> [0] 
>> https://github.com/andresriancho/w3af/blob/master/extras/docker/scripts/w3af_console_docker
>>
>> On Mon, Nov 2, 2015 at 2:28 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>> Hi,
>>> does anyone here have experience running W3AF within Docker on Windows.
>>> I installed docker, downloaded W3AF and ran it, but I had a problem
>>> while connecting through ssh. Within w3af/extras/docker/scripts/common I
>>> ran:
>>> ssh -i w3af-docker.prv -t -t -oStrictHostKeyChecking=no r...@xxx.xxx.xxx.xxx
>>> where xxx.xxx.xxx.xxx was the IP address of my docker machine running.
>>> I connected to the server and tried password w3af, but no success.
>>> Has anything changed?
>>> Thanks,
>>> Vojta
>>>
>>>





Re: [W3af-users] w3af plugin timeout

2015-11-03 Thread Andres Riancho
Moises,

On Mon, Oct 26, 2015 at 7:46 AM, Moises Solorzano  wrote:
> Hello
>
> I have a question about the timeout of any individual plugin or in general
> on the command line.
>
> I can see that there is a timeout for the crawling (misc settings max
> discovery time), but i would like to know if w3af provides a timeout for
> specifically a plugins (audit xss for example) or for all the plugins in
> general or for a category.

The max discovery time affects all crawl/infrastructure plugins

As far as I can remember there is no way to limit the time audit
plugins take. The indirect way to do that is to lower the discovery
time; which means that there will be less URL+parameters to test,
which will take less time.

> Thank you in advance
>
> Best Regards
>





Re: [W3af-users] running W3AF on Windows

2015-10-21 Thread Andres Riancho
I haven't run any recent (~5 years) version of w3af in windows. Some
dependencies (the ones you mention and others) are linux/mac only. I
recommend you try boot to docker and the w3af docker image.

On Wed, Oct 21, 2015 at 12:57 PM, Vojtěch Polášek  wrote:
> Greetings,
> I am trying to get W3AF running on Windows Server 2012 64 bit. I can't
> even compile dependencies, for example pybloomfiltermmap and esmre...
> So my question is: Does anyone run W3AF on Windows? Any tips?
> Thanks,
> Vojta
>





Re: [W3af-users] Several w3af questions and issues

2015-10-12 Thread Andres Riancho
Ziadmo1,

On Tue, Sep 29, 2015 at 12:35 PM, ziadmo1 . <zia...@gmail.com> wrote:
> Point 1)
> I will try to take a video later this week, but to reproduce the issue:
> a) Select the OWASP_TOP10 profile, right click, "Save configuration to a new
> profile"
> b) Save new profile as Custom / Custom
> c) Deselect the Infrastructure plugin, and right click on the Custom
> profile, then "Save configuration to profile"
> d) Select any other profile on the list
> e) Come back to the Custom profile, the plugin Infrastructure is still
> selected as if it was never unchecked.

I run a-d, but then I see the expected result: the infrastructure
plugin family is disabled. This is my w3af version information:

  Python version: 2.7.6 (default, Mar 22 2014, 22:59:56) [GCC 4.8.2]
  GTK version: 2.24.23
  PyGTK version: 2.24.0
  w3af version:
    w3af - Web Application Attack and Audit Framework
    Version: 1.7.6
    Revision: d7cb405316 - 09 oct 2015 21:26
    Branch: master
    Local changes: No
    Author: Andres Riancho and the w3af team.

What's yours?

> Point 3) I really wish I can contribute, but I am not a programmer :P If I
> can help with other things such as testing, I would be more than happy to do
> so.
>
> Point 4) Can I suggest to make saves every lets say 10 or 20 seconds? This
> will prevent losing results of a 1-4 hours scan.

Like I said in the previous email, this is already done in the latest w3af.

> Point 5) This is an issue as I scanned a site, w3af happily took all of the
> memory available, and if I provide it with more memory, it just keep taking
> it. At some point it used 8GB of memory and w3af crashed as there was no
> more memory to consume... Ideally, w3af should be given a specified amount
> of memory, or have some configuration options to restrict the amount of
> memory it can use.

I haven't seen any tools that work like that. The fix would be to
identify the memory leak and refactor the code so that it doesn't
consume all your memory.

> Thanks for all the efforts on this project, I find w3af a great tool for the
> Security community.
>
>
>
> On Mon, Sep 28, 2015 at 11:15 AM, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>>
>> Ziadmo,
>>
>> On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 . <zia...@gmail.com> wrote:
>> > Point 1)
>> > Not sure if its a bug or not.. When I create a custom profile (based on
>> > OWASP top 10 for example), the changes don't take effect on the newly
>> > saved
>> > custom profile. For example, if I disable "infrastructure", and I click
>> > "save configuration to profile", then I select any other profile, when I
>> > get
>> > back to the "custom" profile I just created, I still see
>> > "infrastructure" as
>> > part of that profile.
>>
>> Failed to reproduce this issue on my workstation. Using the same
>> version you're. Could you send us a detailed step by step or video to
>> better understand the problem?
>>
>>
>> > Point 2)
>> > Which plugin or option is this output generated from?
>> >
>> > Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
>> > form: (category, subcategory, postal_code, distance, validated,
>> > form_build_id, form_id, op)" (post data: 24, query string: 3)
>>
>> That's generated by audit plugins. They receive a fuzzable request
>> (similar to what a browser/regular user would send) and create mutants
>> (modified, ugly versions of the original request).
>>
>> >
>> > Point 3)
>> > When I Stop the scan through w3af_gui, in the console output the core is
>> > still running, and therefore I am forced to hit Ctrl-C.. At that point I
>> > lose all the output that I had generated so far (results, etc).
>>
>> Yep, known bug which sucks. You either wait for stop to work or
>> contribute to the project to fix the issue :)
>>
>> >
>> > Point 4)
>> > When the scan is running, I did not see the HTML output file generated
>> > under
>> > ~/ which where it usually saves it. Does it wait until the scan is
>> > completely done to save contents to it?
>>
>> Before you had to wait. In the last month I modified output plugins to
>> write stuff to disk every N seconds (not sure what N is).
>>
>> That change might be only in develop branch.
>>
>> > This is why when I do Ctrl-C on step
>> > 4 I lose all output, since there is nothing saved on the file. I would
>> > suggest creating the file as soon as the scan starts and fill it up as
>> &g

Re: [W3af-users] Several w3af questions and issues

2015-09-28 Thread Andres Riancho
Ziadmo,

On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 .  wrote:
> Point 1)
> Not sure if its a bug or not.. When I create a custom profile (based on
> OWASP top 10 for example), the changes don't take effect on the newly saved
> custom profile. For example, if I disable "infrastructure", and I click
> "save configuration to profile", then I select any other profile, when I get
> back to the "custom" profile I just created, I still see "infrastructure" as
> part of that profile.

Failed to reproduce this issue on my workstation. Using the same
version you're. Could you send us a detailed step by step or video to
better understand the problem?


> Point 2)
> Which plugin or option is this output generated from?
>
> Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
> form: (category, subcategory, postal_code, distance, validated,
> form_build_id, form_id, op)" (post data: 24, query string: 3)

That's generated by audit plugins. They receive a fuzzable request
(similar to what a browser/regular user would send) and create mutants
(modified, ugly versions of the original request).

>
> Point 3)
> When I Stop the scan through w3af_gui, in the console output the core is
> still running, and therefore I am forced to hit Ctrl-C.. At that point I
> lose all the output that I had generated so far (results, etc).

Yep, known bug which sucks. You either wait for stop to work or
contribute to the project to fix the issue :)

>
> Point 4)
> When the scan is running, I did not see the HTML output file generated under
> ~/ which where it usually saves it. Does it wait until the scan is
> completely done to save contents to it?

Before you had to wait. In the last month I modified output plugins to
write stuff to disk every N seconds (not sure what N is).

That change might be only in develop branch.

> This is why when I do Ctrl-C on step
> 4 I lose all output, since there is nothing saved on the file. I would
> suggest creating the file as soon as the scan starts and fill it up as the
> scan goes so output is not lost if for whatever reason the scan takes too
> long or if w3af freezes for example.
>
>
> Point 5)
> Is there a way to specify how much system memory w3af_gui can use?

No

> Under
> http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>
> it mentions the cache size of "10", but what does 10 refers to in terms of
> memory?

There is no way to know. This is the result of parsing an HTML page.
HTML pages can be huge in KB, but have only 2 links and 1 form, or be
really compact and with thousands of links

>
>
> I am using Version 1.7.6 through Kali Linux 2.0.
>





[W3af-users] New feature: Self contained profiles

2015-08-06 Thread Andres Riancho
List,

I've been working on a new feature during the last hours: Self
contained profiles. The basic idea is that you're now able to save the
profile (with all the referenced files) in one file. This is useful
for sharing your complex configurations with others as well as running
scans using the REST API.

More information about the new feature at [0]

If you're interested to test this feature please use the develop branch:

git clone g...@github.com:andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console

Please report any bugs and issues at [1]

[0] http://docs.w3af.org/en/develop/basic-ui.html#saving-the-configuration
[1] https://github.com/andresriancho/w3af/issues/new

Regards,


[W3af-users] Twitter: @w3af

2015-08-06 Thread Andres Riancho
List,

Just noticed that less than half the features I work on get
announced on the mailing list, but I tweet about almost all of them.
If you want to get the whole w3af news feed please follow me on
twitter!

@w3af
https://twitter.com/w3af

Regards,


[W3af-users] w3af - Opportunity to contribute

2015-08-04 Thread Andres Riancho
Here are two easy tickets you can solve, it's your opportunity to
contribute with w3af!
https://github.com/andresriancho/w3af/issues/10980
https://github.com/andresriancho/w3af/issues/9011


[W3af-users] w3af REST API: Done!

2015-06-23 Thread Andres Riancho
List,

Yesterday I completed the development of the REST API for w3af :)
The documentation can be found here [0] and the code is ready to use
in the develop branch:

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop

Before merging it to the master branch I would love to hear your
opinions, bug reports, etc. Thanks!

[0] http://docs.w3af.org/en/develop/api/index.html

PS: Adding to CC some people which were interested in this feature

Regards,


Re: [W3af-users] Didn't get it right letting W3AF ignore some URLs by confuring ignore_regex

2015-06-01 Thread Andres Riancho
Christian,

On Mon, Jun 1, 2015 at 6:33 AM,  spass-bill...@gmx.de wrote:
> Hello,
>
> I didn't get it right to ignore some URLs during evaluation of a target
> webapp.
> Let's say the target URL should be
>
> http://test.host/foo/bar/index.html
>
> On this entry site there are two links (among others) which should NOT be
> considered for further investigation by W3AF:
>
> http://test.host/foo/search/
> http://test.host/print.html
>
> I didn't get it right yet trying for instance:
>
> set ignore_regex .*(search|print\.html)$
>
> or (to get rid of at least the first link)
>
> set ignore_regex .*search.*
>
> or even (trying to match the second URL to ignore)
>
> set ignore_regex .*print\.html$
>
> But W3AF always comes up with timeouts regarding both of the two URLs (the
> target webapp is running in a special test environment where the mentioned
> links are not backed by a responding application); it also lists the links in
> the report's section URLs found during application scan.
>
> What am I doing wrong here? I've tested the regular expressions for
> compatibility issues regarding PERL's syntax etc. here:
>
> http://www.pythonregex.com/
>
> Thank you for any kind of help.

The regular expressions look good. Some ideas about what might be going on:

 * These regular expressions only apply to the web spider [0]. If you
have other plugins enabled and those plugins find the URLs then they
will be crawled. If I don't remember incorrectly there is a
framework-wide setting called non-target to avoid visiting a URL with
ANY plugin

 * You might add some print statements around these lines [1] to
understand what's going on

[0] 
https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/web_spider.py
[1] 
https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/web_spider.py#L283-L287

Regards,

> Christian






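The ignore_regex question above, as an added example that is not w3af's own code: it applies the three patterns from the thread to the listed links with Python's re module and flags the case where a '$'-anchored pattern misses a URL that ends in '/'. It assumes (not verified against web_spider.py) that w3af compiles ignore_regex with re and applies it to the full URL string with match(); the link list is constructed from the thread.

```python
import re

# Constructed sample: the entry page and the two links from the thread that
# should stay out of the crawl, plus one unrelated link.
DISCOVERED_LINKS = [
    "http://test.host/foo/bar/index.html",
    "http://test.host/foo/search/",
    "http://test.host/print.html",
    "http://test.host/foo/bar/about.html",
]

# The ignore_regex values tried in the thread, verbatim.
PATTERNS_FROM_THREAD = [
    r".*(search|print\.html)$",
    r".*search.*",
    r".*print\.html$",
]


def is_ignored(url, ignore_regex):
    """True when ignore_regex excludes url.

    Assumption (not checked against the w3af source): the expression is
    compiled with re and applied to the full URL with match(), so it is
    anchored at the start of the string.
    """
    return re.compile(ignore_regex).match(url) is not None


def partition_links(links, ignore_regex):
    """Split links into (crawled, ignored) lists under ignore_regex."""
    crawled, ignored = [], []
    for url in links:
        (ignored if is_ignored(url, ignore_regex) else crawled).append(url)
    return crawled, ignored


def trailing_slash_gap(links, ignore_regex):
    """Return URLs that escape ignore_regex only because of a trailing '/'.

    '.*(search|print\\.html)$' does not match 'http://test.host/foo/search/'
    because that URL ends in '/', not in 'search'. Reporting such near
    misses lets the pattern be widened deliberately instead of by trial.
    """
    near_misses = []
    for url in links:
        if url.endswith("/") and not is_ignored(url, ignore_regex):
            if is_ignored(url.rstrip("/"), ignore_regex):
                near_misses.append(url)
    return near_misses


def widen_for_trailing_slash(ignore_regex):
    """Rewrite a '$'-anchored pattern so it also accepts a trailing '/'."""
    if ignore_regex.endswith("$"):
        return ignore_regex[:-1] + "/?$"
    return ignore_regex


if __name__ == "__main__":
    for pattern in PATTERNS_FROM_THREAD:
        crawled, ignored = partition_links(DISCOVERED_LINKS, pattern)
        print("ignore_regex %-26s ignores %d, crawls %d"
              % (pattern, len(ignored), len(crawled)))
        for url in trailing_slash_gap(DISCOVERED_LINKS, pattern):
            print("  near miss (trailing slash): %s -> try %s"
                  % (url, widen_for_trailing_slash(pattern)))
```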


[W3af-users] Impressive memory usage improvements

2015-05-28 Thread Andres Riancho
List,

Just wanted to let you guys know that after a long fight with lxml
I've been able to improve w3af's memory usage in an almost incredible
way. As seen here [0]

Performance profiling of new develop branch (ab428c5):
 * PSUtils measurement 25 (after 45 minutes of scan): 118.9 MB RSS
 * Requests sent: 23955

Performance profiling of new develop branch (e32e529):
 * PSUtils measurement 24 (after 45 minutes of scan): 1.2 GB RSS
 * Requests sent: 23137

1.2GB vs. 119 MB. Not bad!

If you've got some spare minutes give the latest w3af (from the
develop branch) a try!

[0] https://github.com/andresriancho/w3af/issues/9990

Regards,


Re: [W3af-users] W3af - CMS scanning

2015-05-15 Thread Andres Riancho
On Thu, May 14, 2015 at 11:28 AM, Shafeeque O.K [gmail]
shafoff...@gmail.com wrote:
> Hello,
>
> Is it possible for w3af to find web application vulnerabilities of CMS like
> Joomla, Word Press?

Yes

> If so, what plugins need to be enabled?

All audit plugins

> Also let me know:
>
> Is there a way to get the scanning status of W3af, and the HTTP requests sent by
> w3af, so that it can be displayed to the end user in real time?

Yes, from the command line you can press enter and stats should be shown

> We are trying to package w3af in our custom application.

Then you'll have to read the code my friend.

> Kindly clarify


> Regards,
> Shafeeque Olassery Kunnikkal C|EH,E|CSA,C|HFI,C|EI,MCP








[W3af-users] 1.6.45 released!

2015-02-26 Thread Andres Riancho
List,

Just released 1.6.45 [0] which includes a ton of improvements:

 * HTTP response parsers are now run in a different process
 * Added support for SSL's SNI using OpenSSL
 * Added support for scanning servers with specific SSL protocols
disabled (poodle)
 * Added new platforms to the dependency check
 * Run w3af inside docker
 * Updated sqlmap
 * Performance improvements in core classes
 * Improved profiling capabilities (internal use only)
 * Improved exception handling to catch more descriptive tracebacks
 * Added new plugins for web sockets and RFD
 * Better error handling for HTTP requests
 * Huge reduction of memory usage in phishtank plugin
 * 100 bugs fixed

You can get this by doing:

cd w3af/
git pull
./w3af_console

Most likely you'll have to update some pip and OS packages, after
that you're good to go. Let me know how it goes and as usual report
all the bugs here [1]

[0] https://github.com/andresriancho/w3af/releases/tag/1.6.45
[1] https://github.com/andresriancho/w3af/issues/new

Regards,


Re: [W3af-users] Blocked scan error database

2015-02-19 Thread Andres Riancho
Miguel,

Please read inline,

On Thu, Feb 19, 2015 at 5:49 AM, Miguel Ángel Martínez Martínez
miguelang031...@hotmail.com wrote:
> Hallo!,
>
> I am a beginner user regarding W3af. I am scanning several external web
> pages with the following configuration:
>
> profile: full_audit / OWASP_TOP10
> max_requests_per_second: 2

That's REALLY LOW, 2 requests per second is going to slow down the
scan horribly.

> 1. The scan of a specific web page takes a lot to finish and in the end,
> this error happens:
>
> Database disk image is malformed

Are you able to reproduce this every time you run the scan? If so,
please follow this [0] guide to report a bug with all the info we'll
need to fix it

[0] http://docs.w3af.org/en/latest/report-a-bug.html

> As a result, the html report has no content.
>
> 2. The scan of another web page finishes very quickly (it takes less than a
> minute), but I am afraid that it's being blocked.
>
> **IMPORTANT** The following error was detected by w3af and couldn't be
> resolved: w3af found too many consecutive errors while performing HTTP
> requests. In most cases this means that the remote web server is not
> reachable anymore, the network is down, or a WAF is blocking our tests. The
> last error message was HTTP timeout error after 10.0 seconds.
>
> How can I try to evade the system that is blocking the test?

If it finishes so quickly the remote system might be blocking
connections based on the user agent, you can try to change that in
w3af's configuration.

> Thanks & regards.







Re: [W3af-users] W3af - Not working in Kali 1.1.0

2015-02-17 Thread Andres Riancho
Shafeeque,

On Tue, Feb 17, 2015 at 5:55 AM, Shafeeque O.K [gmail]
shafoff...@gmail.com wrote:
> Hi
>
> Require an immediate support.

Hahaha, this is not a product for which you get a support 1-800
number, anyways, some comments below.

> Unable to install w3af in kali - 1.1.0
>
> Error:
> Your python installation needs the following modules to run w3af:
> git.util scapy.config
>
> After installing any missing operating system packages, use pip to install
> the remaining modules:
> sudo pip install GitPython==0.3.2.RC1 scapy-real==2.2.0-dev
> A script with these commands has been created for you at
> /tmp/w3af_dependency_install.sh
>
> My system configurations are given below.
>
> lsb_release -a
> No LSB modules are available.
> Distributor ID: Kali
> Description: Kali GNU/Linux 1.1.0
> Release: 1.1.0
>
> codename : moto
>
> pip freeze | grep futures
>
> futures==2.1.5
>
> pip freeze | grep git
> gitdb==0.6.4
>
> python --version
> Python 2.7.3
>
> content of /tmp/w3af_dependency_install.sh
>
> #!/bin/bash
> sudo pip install GitPython==0.3.2.RC1 scapy-real==2.2.0-dev
>
> Please support.

You never tell which version of w3af you're trying to install. Here
are some options:

 * apt-get install w3af , that command will install w3af in Kali for
you. It's not the latest and greatest but it should work well for most
cases.
 * Download the latest from our repository. You can use the master or
develop branch, the commands here [0] might help you install the
develop branch.

[0] http://w3af.org/testing-before-mondays-release

Regards,


> Regards,
> Shafeeque Olassery Kunnikkal C|EH,C|EI
> Graytips Cyber Technologies | www.graytips.com











Re: [W3af-users] unexpected keyword

2015-02-16 Thread Andres Riancho
Hussam,

Which w3af version are you using? Could you please run these
commands and send us the output?

./w3af_console --version

git rev-parse HEAD

On Sun, Feb 8, 2015 at 9:17 AM, Hussam Alamza eng.hussam...@gmail.com wrote:
 Hello people,
 after succeeding in fulfilling all of w3af's python package
 desires, I am now getting the following error when running
 w3af_console (in CentOS 6.6):

 Error while reading plugin options:
 Failed to get an instance of phpinfo. Original exception:
 __init__() got an unexpected keyword argument 'table_prefix'.
  Traceback for this error: Traceback (most recent call last):
   File /root/w3af/w3af/core/controllers/misc/factory.py, line 62, in factory
 inst = a_class(*args)
   File /root/w3af/w3af/plugins/crawl/phpinfo.py, line 54, in __init__
 self._analyzed_dirs = DiskSet(table_prefix='phpinfo')
 TypeError: __init__() got an unexpected keyword argument 'table_prefix'
 

 so any help with this would be appreciable.
 Thank you in advance




-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] Pre-merge action: Ask users to test develop branch

2015-02-04 Thread Andres Riancho
List,

I'm near a rather big merge from the develop branch into master,
that means that in a while most of you will get a message asking if
you want to update your w3af installs or not.

This is great, but before doing it I want a few of you to test
the develop branch and report any issues you find. More information
about testing can be found here [0], but the main steps are:

cd ~
apt-get install -y python-pip # This step might change in your OS
pip install --upgrade pip
pip install virtualenv
mkdir w3af-release
cd w3af-release
virtualenv --system-site-packages venv
. venv/bin/activate
git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_gui
. /tmp/w3af_dependency_install.sh

After that, please run a scan :) Any bugs in the installation,
scan, etc. should go here [1].

Thanks!

[0] http://w3af.org/testing-before-mondays-release
[1] https://github.com/andresriancho/w3af/issues/new

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] w3af and multiprocessing

2015-01-19 Thread Andres Riancho
Sergey,

On Mon, Jan 19, 2015 at 8:12 AM, Sergey w...@kovalev.com.ru wrote:
 Hi, everyone.

 I'm trying to execute w3af scans of multiple domains in parallel with
 multiprocessing package http://pastebin.com/ha2K4NCP

 This script fails with AssertionError: No calls to SQLiteDBMS can be
 made after stop().
 http://pastebin.com/G7vS63TG

There are parts of w3af which are run at module import (things such as
the default database singleton), so you might want to move the line
"from w3af.core.controllers.w3afCore import w3afCore" inside the
multiprocessing target function.

 If I switch to multiprocessing.dummy (threads), script seems to work.

Yes, that's because that uses threads, which share the same singleton

 But I want to execute scans in isolation, that's why I'm trying to use
 processes not threads.

 Is there some issue which prevents such usage of w3af library?

 And btw why does w3af forbid scanning of multiple domains? "You
 specified more than one target domain: ... And w3af can only scan one
 target domain at a time."

Yes, this is an architectural decision. If you want to discuss this in
depth, have good reasons and want to spend time with a pull-request, I
might be open to accepting/merging it.




-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
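The import-placement advice above is easy to get wrong, so here is an added example (written for this page, not code from w3af or from the thread). It builds a throwaway library module whose only job is to create a singleton when it is imported, then forks a worker two ways: importing inside the target function, and importing in the parent first. The library name, the temporary directory and the explicit "fork" start method are assumptions of the example; the behaviour is what happens to any import-time singleton, w3af's default database included.

```python
import multiprocessing
import os
import sys
import tempfile
import textwrap

# Constructed stand-in for a library that creates a singleton as a side effect
# of being imported (w3af's default database is the real case). It is written
# to a temporary directory so the example runs without w3af installed.
_LIBRARY_NAME = "fake_scanner_core"
_LIBRARY_SOURCE = textwrap.dedent("""
    import os

    class _Database:
        def __init__(self):
            # Remember which process built this object.
            self.created_in_pid = os.getpid()

    # Import-time side effect: the singleton exists as soon as the module loads.
    DB = _Database()
""")


def _install_fake_library():
    directory = tempfile.mkdtemp(prefix="w3af_mp_example_")
    with open(os.path.join(directory, _LIBRARY_NAME + ".py"), "w") as handle:
        handle.write(_LIBRARY_SOURCE)
    sys.path.insert(0, directory)


_install_fake_library()


def scan_worker(queue):
    # The import happens here, inside the target, so a forked child that did
    # not inherit the module from its parent builds its own singleton.
    library = __import__(_LIBRARY_NAME)
    queue.put((os.getpid(), library.DB.created_in_pid))


def run_one_worker():
    """Fork one worker; return (child pid, pid that created the singleton)."""
    ctx = multiprocessing.get_context("fork")  # the child inherits parent memory
    queue = ctx.Queue()
    proc = ctx.Process(target=scan_worker, args=(queue,))
    proc.start()
    result = queue.get()
    proc.join()
    return result


def singleton_private_when_imported_in_target():
    """Parent never imported the library: each child gets its own instance."""
    sys.modules.pop(_LIBRARY_NAME, None)
    child_pid, created_in = run_one_worker()
    return created_in == child_pid


def singleton_shared_when_imported_in_parent():
    """Parent imported first: the forked child reuses the parent's instance.
    This is the situation that produces 'no calls after stop()' style errors
    once one process tears the shared object down."""
    __import__(_LIBRARY_NAME)
    child_pid, created_in = run_one_worker()
    return created_in == os.getpid() and created_in != child_pid


if __name__ == "__main__":
    print("own singleton per child:", singleton_private_when_imported_in_target())
    print("parent's singleton inherited:", singleton_shared_when_imported_in_parent())
```

The "fork" start method is forced so the demonstration is deterministic on Linux; with "spawn" (the default on Windows and macOS) every child re-imports anyway, which is the same isolation the first function shows.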



[W3af-users] stopit and long running scans

2014-12-31 Thread Andres Riancho
List,

In some specific cases w3af hangs and the scan never finishes, one
of those cases was reported here [0] and today I was able to
(hopefully) fix it. It seems that the issue was the PDF parser we are
using, which has an endless loop.

We could try to fix the third party library, but in the future
they (or other third party lib) or even w3af's code might introduce
another of those ugly bugs, so I decided to add some timeouts here [1]
and there [2] to limit the amount of time that plugins and parsers can
run. The time limitation is rather high, so it should only be
triggered when something is really wrong.

If you've got some minutes during the holidays and want to
contribute with some testing please

cd w3af
git pull
git checkout feature/stopit
./w3af_console
# update pip
# install new dependency
./w3af_console

Run a couple of scans and let me know if something is really
wrong. Thanks and happy 2015!

[0] https://github.com/andresriancho/w3af/issues/6723
[1] 
https://github.com/andresriancho/w3af/commit/735a3ed29378c430900254d66ca3f59ad366502f
[2] 
https://github.com/andresriancho/w3af/commit/c5be6aac0657fe4c77e2e80cf726d58b2ccaa9d7

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
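As an added example of the time limit described above (example code written for this page; it is not the stopit-based change linked in the message), the wrapper below runs a parser in a forked child and kills it when it overruns its budget. A child process rather than a thread is used because a Python thread stuck in a tight loop, or inside a C extension, cannot be interrupted reliably. The two parsers are constructed stand-ins: one counts PDF objects, the other loops forever like the PDF parser bug the message describes.

```python
import multiprocessing


class ParserTimeout(Exception):
    """Raised when a wrapped plugin or parser exceeds its time budget."""


def _run_and_report(conn, func, args):
    # Runs in the child process: send back the result or the exception text.
    try:
        conn.send(("ok", func(*args)))
    except Exception as exc:
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def call_with_timeout(func, args=(), timeout=2.0):
    """Run func(*args) in a forked child; terminate it after timeout seconds."""
    ctx = multiprocessing.get_context("fork")
    receiver, sender = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_run_and_report, args=(sender, func, args))
    proc.start()
    sender.close()  # the parent only reads; the child holds its own copy
    try:
        if receiver.poll(timeout):
            try:
                status, payload = receiver.recv()
            except EOFError:
                proc.join()
                raise RuntimeError("%s died without reporting" % func.__name__)
            proc.join()
            if status == "ok":
                return payload
            raise RuntimeError("parser failed: %s" % payload)
        # Nothing arrived in time: the parser is hung, kill it.
        proc.terminate()
        proc.join()
        raise ParserTimeout("%s exceeded %.1fs" % (func.__name__, timeout))
    finally:
        receiver.close()


# Constructed stand-ins for a well-behaved parser and a hung third-party one.
def count_pdf_objects(data):
    return data.count(b" obj")


def hung_pdf_parser(data):
    while True:  # the endless loop described above, simulated
        pass


def parse_or_none(parser, data, timeout=1.0):
    """Scanner-side wrapper: a hung parser yields None instead of a hung scan."""
    try:
        return call_with_timeout(parser, (data,), timeout)
    except ParserTimeout:
        return None


if __name__ == "__main__":
    sample = b"%PDF-1.4\n1 0 obj <<>> endobj\n2 0 obj <<>> endobj\n"
    print(parse_or_none(count_pdf_objects, sample))
    print(parse_or_none(hung_pdf_parser, sample, timeout=0.5))
```

The budget in a real scanner should be generous, as the message says: a timeout that fires on a merely slow page hides findings, while one that fires only after a minute or two still turns a never-ending scan into a finished one.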



Re: [W3af-users] W3af in the Background

2014-10-29 Thread Andres Riancho
Aman,

On Wed, Oct 29, 2014 at 4:10 PM, Aman Thakur aman.thakur.1...@gmail.com wrote:
 Hi Guys,
 Good Day!!

 I am trying to automate the w3af scanning process in my LAN, but I am having a
 hard time with it.

 What I have done till now is this: I have made a small HTTP server in
 Python, to which I pass the domain name of my own website,
 eg: $ 192.168.1.100:8080/?website=www.mywebsite.com

 I run the HTTP server by sshing to the server and running it in the
 background using the ampersand (&). So, if my ssh session is on and I send a
 request to scan from my other machine on the LAN, then it starts the scan
 and shows it in my ssh session screen.
 $ runserver &

 But if I end my session after running the server in the background with the
 following commands:
 $ runserver &
 $ exit

 then it creates the process but it never finishes the process or scan. I
 can see the w3af_console process in the result of $ ps aux, but it
 never finishes.

 Can anyone suggest something about it? Can we do a scan by invoking
 w3af_console in the background? Is running w3af in the background possible
 on a machine?

I believe this issue is not related to w3af, but maybe some links might help:

 * http://www.celeryproject.org/
 * https://docs.python.org/2/library/subprocess.html

In case this is related to w3af, the way to discover that is to enable
text_file output and debug the output.

 Thanks

 With Regards
 Aman Thakur





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
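The subprocess link above is the piece most people need, so here is an added example (written for this page, not code from w3af or from the thread) of starting a long console scan so that it survives the ssh session ending: a new session so the closing shell's SIGHUP never reaches it, stdin from /dev/null so it cannot block on a terminal, and all output appended to a log file that can be checked later. The w3af directory and script path are assumptions; "-s" is the scripted-scan switch documented for w3af_console. The demo run uses a short shell command in place of w3af_console so it works offline.

```python
import os
import subprocess
import tempfile


def launch_detached(argv, log_path, cwd=None):
    """Start argv in its own session with no controlling terminal.

    Returns the Popen handle; the caller may wait() on it, poll() it later
    from another process via the pid, or simply let it run."""
    log = open(log_path, "ab")
    try:
        return subprocess.Popen(
            argv,
            cwd=cwd,
            stdin=subprocess.DEVNULL,       # never wait for a terminal
            stdout=log,                     # everything the scan prints lands here
            stderr=subprocess.STDOUT,
            start_new_session=True,         # setsid(): no SIGHUP when ssh exits
            close_fds=True,
        )
    finally:
        log.close()  # the child already holds its own copy of the descriptor


def w3af_scan_command(w3af_dir, script_path):
    """Command line for a scripted scan. Paths are assumptions of the example."""
    return [os.path.join(w3af_dir, "w3af_console"), "-s", script_path]


def run_demo(log_path=None):
    """Offline demonstration: a shell command stands in for w3af_console.
    Returns (exit code, log contents)."""
    if log_path is None:
        log_path = os.path.join(tempfile.mkdtemp(prefix="w3af_bg_"), "scan.log")
    argv = ["sh", "-c", "echo scan started; sleep 0.2; echo scan finished"]
    proc = launch_detached(argv, log_path)
    code = proc.wait(timeout=10)
    with open(log_path, "rb") as handle:
        return code, handle.read().decode()


if __name__ == "__main__":
    print(w3af_scan_command("/opt/w3af", "/tmp/scan.w3af"))
    print(run_demo())
```

When the launching HTTP server itself exits (or is killed with the ssh session), the detached scan keeps running; the log file and the pid are all that is needed to follow it. If a scan started this way still never finishes, the w3af-side text_file output Andres mentions is the next thing to enable.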



[W3af-users] SSL3 handshake used when TLS1 protocol specified?

2014-10-28 Thread Andres Riancho
List,

I'm trying to fix w3af [0] in order to be able to scan sites which
have disabled SSLv3 because of the POODLE vulnerability, and I'm
seeing some strange behaviour in the logs. The problem is that even
when I tell python to use TLS (version 3 in ssl.py) it seems to use
SSLv3 (don't confuse the previous three with this one):

SSL connection error occurred with protocol 1: '[Errno 1] _ssl.c:510:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure'
SSL connection error occurred with protocol 3: '[Errno 1] _ssl.c:510:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure'
SSL connection error occurred with protocol 2: '[Errno 1] _ssl.c:510:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure'

In the first line w3af tries to connect to the host using protocol
1 and fails, because it's disabled server-side. The second line shows
how w3af tries to start a connection with TLSv1 (protocol 3) but then
it says SSL3_READ_BYTES:sslv3... why is this? What am I doing wrong?

You can see the patch here [1]

[0] https://github.com/andresriancho/w3af/issues/5802
[1] 
https://github.com/andresriancho/w3af/commit/4d3da21fb4f779891b0931826f65431f8e3e0a51#diff-fb2412155fd3f437748e8b4bd0282e68R893

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] Shell shock exploit

2014-09-26 Thread Andres Riancho
List,

Just finished my shell shock exploit [0], feel free to improve it
and send me pull requests.

[0] https://gist.github.com/andresriancho/1a259f01312c0c5ddd1e

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] Shell shock plugin for w3af: Done!

2014-09-25 Thread Andres Riancho
List,

Take a look at the w3af plugin I've just finished coding [0], it
detects shell shock vulnerabilities by using time delays. Pull
requests with improvements are welcome :)

[0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Shell shock plugin for w3af: Done!

2014-09-25 Thread Andres Riancho
Check the github repository issues, mailing list, etc. This issue (for
mac?) has workarounds documented somewhere

On Thu, Sep 25, 2014 at 1:04 PM, Ali Khalfan ali.khal...@gmail.com wrote:
 i keep trying to run the git version of w3af and it says that phply is
 missing, yet I have it:



 /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info
 /usr/local/lib/python2.7/dist-packages/phply.egg-link
 /usr/local/lib/python2.7/dist-packages/phply/phpast.py
 /usr/local/lib/python2.7/dist-packages/phply/phpast.pyc
 /usr/local/lib/python2.7/dist-packages/phply/phplex.py
 /usr/local/lib/python2.7/dist-packages/phply/phplex.pyc
 /usr/local/lib/python2.7/dist-packages/phply/phpparse.py
 /usr/local/lib/python2.7/dist-packages/phply/phpparse.pyc
 /usr/local/lib/python2.7/dist-packages/phply/pythonast.py
 /usr/local/lib/python2.7/dist-packages/phply/pythonast.pyc
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/PKG-INFO
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/SOURCES.txt
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/dependency_links.txt
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/installed-files.txt
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/namespace_packages.txt
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/not-zip-safe
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/requires.txt
 /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/top_level.txt


 On 09/25/2014 03:22 PM, Andres Riancho wrote:
 List,

 Take a look at the w3af plugin I've just finished coding [0], it
 detects shell shock vulnerabilities by using time delays. Pull
 requests with improvements are welcome :)

 [0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94

 Regards,





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Shell shock plugin for w3af: Done!

2014-09-25 Thread Andres Riancho
Ali,

You can use curl -H "test: ..." http://foo.com/ to verify

Replace ... with the bash exploit

On Thu, Sep 25, 2014 at 2:11 PM, Ali Khalfan ali.khal...@gmail.com wrote:
 Andres,
 Is there a way I could manually verify a url? (as in using Nmap or wget and
 checking the response)

 I did it twice on a url and once it says it was vulnerable and the other
 says it wasn't

 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
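An added example for both the time-delay detection the plugin announcement describes and the manual curl check suggested in this reply (example code written for this page; it is not the gist linked above or any w3af plugin). The detector injects a bash function definition followed by a sleep into headers that CGI exports as environment variables, measures the median round-trip time against an unprobed baseline, and only reports a header once two different sleep lengths both show up in the timing, which is the check that stops one slow response from being reported as a vulnerability. The CGI path and the header list are assumptions; the simulated target is constructed so the example runs offline.

```python
import http.client
import statistics
import time

# Headers a CGI server turns into environment variables for the script.
INJECTABLE_HEADERS = ("User-Agent", "Referer", "Cookie")


def shellshock_payload(seconds):
    """Bash function definition followed by a command (CVE-2014-6271). A
    vulnerable bash executes the trailing sleep while importing the variable."""
    return "() { :;}; /bin/sleep %s" % seconds


def http_transport(host, port, path="/cgi-bin/status", timeout=30):
    """Real transport: one GET carrying the given headers. The path is an
    assumption; point it at a CGI script. The body is not inspected because
    the signal is purely time-based."""
    def send(headers):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers=headers)
            conn.getresponse().read()
        finally:
            conn.close()
    return send


def median_rtt(send, headers, samples):
    timings = []
    for _ in range(samples):
        start = time.monotonic()
        send(headers)
        timings.append(time.monotonic() - start)
    return statistics.median(timings)


def detect_shellshock(send, delays=(3, 6), samples=3, ratio=0.8):
    """Return the header through which the target proved injectable, or None.
    Every sleep length in `delays` must add at least ratio * seconds to the
    baseline round-trip time before a header is reported."""
    baseline = median_rtt(send, {"User-Agent": "Mozilla/5.0 (baseline)"}, samples)
    for header in INJECTABLE_HEADERS:
        confirmed = True
        for seconds in delays:
            rtt = median_rtt(send, {header: shellshock_payload(seconds)}, samples)
            if rtt - baseline < seconds * ratio:
                confirmed = False
                break
        if confirmed:
            return header
    return None


def simulated_target(vulnerable, latency=0.01):
    """Constructed stand-in for a CGI endpoint. The vulnerable variant runs
    the sleep found in any probed header, as a Shellshock-affected bash would."""
    def send(headers):
        time.sleep(latency)
        if vulnerable:
            for value in headers.values():
                if value.startswith("() {") and "/bin/sleep" in value:
                    time.sleep(float(value.rsplit(" ", 1)[1]))
    return send


if __name__ == "__main__":
    # Short sleeps keep the demo quick; against a real host use the defaults.
    print("vulnerable:", detect_shellshock(simulated_target(True), delays=(0.5, 1.0), samples=1))
    print("patched:", detect_shellshock(simulated_target(False), delays=(0.5, 1.0), samples=1))
    # The same probe by hand, with the "..." from the reply filled in:
    #   curl -H "User-Agent: () { :;}; /bin/sleep 5" http://target/cgi-bin/status
```

Two different delays, each measured over several samples, are what make a verdict repeatable; a single probe with a single sleep is exactly the setup that says "vulnerable" on one run and "not vulnerable" on the next when the network is noisy.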



Re: [W3af-users] authentication not being performed

2014-09-23 Thread Andres Riancho
Don't have the time to reproduce now, but I believe that you might be
hitting this bug:
https://github.com/andresriancho/w3af/issues/4391

Could you talk with foobarmonk to try to solve this?

On Tue, Sep 23, 2014 at 7:42 AM, Ali Khalfan ali.khal...@gmail.com wrote:
 Hi Andres,

 I've tried performing an authenticated web scan, but i noticed that the URLs
 are being crawled.

 I ran tcpdump to check, and discovered that the authentication is not taking
 place at all.



 This is my w3af script with the authentication test:


 # ---
 # W3AF AUDIT SCRIPT FOR WEB APPLICATION
 # ---
 #Configure HTTP settings
 http-settings
 set timeout 30
 back
 #Configure scanner global behaviors
 misc-settings
 set max_discovery_time 20
 set fuzz_cookies True
 set fuzz_form_files True
 set fuzz_url_parts True
 set fuzz_url_filenames True
 back
 plugins
 #Configure entry point (CRAWLING) scanner
 crawl web_spider
 crawl config web_spider
 set only_forward True
 set ignore_regex (?i)(logout|disconnect|signout|exit)+
 back
 #Configure vulnerability scanners
 ##Specify list of AUDIT plugins type to use
 #audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
 audit blind_sqli, cors_origin, csrf, eval, ldapi, lfi, response_splitting, sqli, xpath, xss, xst
 ##Customize behavior of each audit plugin when needed
 audit config file_upload
 #set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
 set extensions jsp,php,php2,php3,php4,php5
 back
 ##Specify list of GREP plugins type to use (a grep plugin is a type of plugin that can also find vulnerabilities or information disclosure)
 grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
 ##Specify list of INFRASTRUCTURE plugins type to use (an infrastructure plugin is a type of plugin that can find information disclosure)
 infrastructure server_header, server_status, domain_dot, dot_net_errors
 #Configure target authentication
 auth detailed
 auth config detailed
 set username super
 set password super
 set method POST
 set auth_url http://xyz.com/test-panel/index.php
 set username_field user_id
 set password_field pwd
 set check_url http://xyz.com/test-panel/home.php
 set check_string 'Logout'
 set data_format username=%U&password=%P&Login=Login
 back
 #Configure reporting in order to generate an HTML report
 output console, html_file
 output config html_file
 set output_file /tmp/W3afReport.html
 set verbose True
 back
 output config console
 set verbose False
 back
 back
 #Set target information, do a cleanup and run the scan
 target
 set target http://xyz.com/test-panel/index.php
 set target_os windows
 set target_framework php
 back
 cleanup
 start





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Force web_spider to crawl a directory only

2014-09-08 Thread Andres Riancho
Thanks for asking, I've added a new section to the docs to address this:
http://docs.w3af.org/en/develop/common-use-cases.html

Please let me know if the docs are clear.

On Sun, Sep 7, 2014 at 4:44 AM, Ali Khalfan ali.khal...@gmail.com wrote:
 Is there a way I can force the Web_spider plug-in to only check a specific
 directory and not leave it. Example: if I want to scan www.domain.com/dir1 I
 do not want leave the dir1 directory


 Ali
 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.




-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Changes!

2014-09-05 Thread Andres Riancho
There's no Kali package for these latest changes yet, but it should
work well if you install from source [0]

[0] http://docs.w3af.org/en/latest/install.html#id1

On Fri, Sep 5, 2014 at 9:36 AM, Ali Khalfan ali.khal...@gmail.com wrote:
 kali?



 On 09/05/2014 03:14 PM, Andres Riancho wrote:
 List,

 Just pushed a lot of changes to w3af's master branch.

  If you run ./w3af_console --force-update or git pull you'll
 get the latest and greatest from the repository.

 The code I've been working on is mostly bug fixes for the 1.6.1
 milestone [0], which has now 23 open issues and last week had 75, and
 also worked on a new feature which allows users to limit the number of
 HTTP requests per second to be sent to the server.

 Give it a try, test it, read the code changes, and if possible
 send me some feedback. Thanks!

 [0] 
 https://github.com/andresriancho/w3af/issues?q=is%3Aopen+is%3Aissue+milestone%3A%221.6.1+-+Bug+fixing+after+1.6%22

 Regards,





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Changes!

2014-09-05 Thread Andres Riancho
Hah, yes, but that also requires effort to setup, and also is really
platform specific.

More than happy if you want to finish the work I started in the
w3af-kali [0] repository. The next step would be to completely
automate the steps explained in the README.md file, potentially using
the docker in docker support provided by CircleCI which allows us to
run a Kali VM to create and test the .deb package.

[0] https://github.com/andresriancho/w3af-kali

On Fri, Sep 5, 2014 at 5:57 PM, Andrew King aking1012@gmail.com wrote:
 That's what source tracked auto-builds in PPAs are for...






-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] An uncaught exception was raised _setFrameworkScaleFactor

2014-09-03 Thread Andres Riancho
List,

Anyone else seeing this [0] An uncaught exception was raised
_setFrameworkScaleFactor error in Mac OS? Please comment on the github
issue

[0] https://github.com/andresriancho/w3af/issues/3953

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] I saw on the project page thoughts about moving to docker for deployment

2014-08-19 Thread Andres Riancho
Andrew,

Please read inline,

On Mon, Aug 18, 2014 at 9:41 PM, Andrew King aking1012@gmail.com wrote:
 Is everyone set on docker or is pure LXC okay too?

 Docker seems neat, but it's changing pretty rapidly.  LXC has been around
 for a while now, and it seems a little more stable for the time being.

 Both are options, but I was just wondering about the whys on the decision.

First of all, it's important to note that w3af won't be
exclusively deployed/released via docker, users will still be able to
download and install it in their operating systems.

Now that's clear, lets analyze why docker :) First of all, docker
is easy to use by defining a Dockerfile [0] and it provides a public
registry [1] where we can automatically build docker images on each
push to our repository. Also, docker has received a lot of attention
lately and some users do already know how to use it, etc. this is
different from lxc which is great but not as popular.

There is also a pull request for w3af / vagrant, which will be
merged after I test it. This means that I'm not picking one solution
and sticking with it, we're mostly experimenting with the most popular
ones and maybe in a year decide which one is the best for w3af.

If you would like to help with the docker and/or vagrant stuff,
we're more than glad to see pull-requests :)

[0] https://github.com/andresriancho/w3af/blob/develop/extras/Dockerfile
[1] https://registry.hub.docker.com/u/andresriancho/w3af/





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] I saw on the project page thoughts about moving to docker for deployment

2014-08-19 Thread Andres Riancho
PS: The TODO for the docker image can be found here [0]

[0] https://registry.hub.docker.com/u/andresriancho/w3af/


-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Session ID cookie

2014-07-18 Thread Andres Riancho
Daniel,

Just guessing, but I believe that the problem is here:

set data_format
username=admin&password=password&csrfmiddlewaretoken=blahblahblah

Specifically, the csrfmiddlewaretoken value will change each
time w3af is run against your site, BUT it will be kept static in the
configuration. The solution would be to set an HTTP headers file with
the same value. Haven't tested it, but it should look like this in
w3af:

http-settings
set headers_file /tmp/django-headers.txt
back

And the file should contain:

Cookie: csrfmiddlewaretoken=blahblahblah

The cookie name might be different (not sure). The blahblahblah
in both places should be replaced by a valid value in Django.

Let me know how that goes, I'm interested in knowing :)

Regards,

On Fri, Jul 18, 2014 at 6:12 PM, Daniel Park sudoco...@ymail.com wrote:
 Oh here is my w3af script for reference:
 dpaste: 19YPJWG


 Thanks,
 Daniel


 On Friday, July 18, 2014 2:10 PM, Daniel Park sudoco...@ymail.com wrote:


 Hello,

 I'm trying to login into a Django app using w3af_console. I'm able to see a
 sessionid cookie in the console output, but it seems like w3af is not saving
 it to the cookies.txt. So after I'm able to POST and get back a session id
 cookie, I can't seem access any secured URL's and get redirected back to the
 login page.

 How can I configure w3af to save the session cookies?

 Thanks,
 Daniel





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] w3af not Starting

2014-07-15 Thread Andres Riancho
What happens if you just run sudo pip install phply==0.9.1 ?

On Tue, Jul 15, 2014 at 5:19 AM, Aman Thakur aman.thakur.1...@gmail.com wrote:
 Hello Everyone,

 I have updated my w3af directory contents using the git pull command. But
 w3af is not working after the update. I am getting the error below:

 when I did ./w3af_console to start w3af, I got this message:

 (Your python installation needs the following modules to run w3af:
 phply


 After installing any missing operating system packages, use pip to install
 the remaining modules:
 sudo pip install phply==0.9.1

 A script with these commands has been created for you at
 /tmp/w3af_dependency_install.sh)

 and when i tried to execute the script it created,
 ./w3af_dependency_install.sh it gave me another error again as below:

 Downloading/unpacking phply==0.9.1
   Running setup.py egg_info for package phply

 Requirement already satisfied (use --upgrade to upgrade): ply in
 /usr/local/lib/python2.7/dist-packages (from phply==0.9.1)
 Installing collected packages: phply
   Found existing installation: phply dev
 Can't uninstall 'phply'. No files were found to uninstall.
   Running setup.py install for phply

 Skipping installation of
 /usr/local/lib/python2.7/dist-packages/phply/__init__.py (namespace package)
 Installing /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth
 Successfully installed phply
 Cleaning up...

 Any ideas what could be the problem? And how to fix that?

 Thanks

 Regards
 Aman





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] w3af not Starting

2014-07-15 Thread Andres Riancho
That's strange, what if you use:

sudo pip install --upgrade phply==0.9.1

Also try reading pip's man, and finding a --force (or similar)

On Tue, Jul 15, 2014 at 9:01 AM, Aman Thakur aman.thakur.1...@gmail.com wrote:
 Hi Andres,

 Thanks for replying.

 I got this:
 ~# sudo pip install phply==0.9.1
 Downloading/unpacking phply==0.9.1
   Running setup.py egg_info for package phply

 Requirement already satisfied (use --upgrade to upgrade): ply in
 /usr/local/lib/python2.7/dist-packages (from phply==0.9.1)
 Installing collected packages: phply
   Found existing installation: phply dev
 Can't uninstall 'phply'. No files were found to uninstall.
   Running setup.py install for phply

 Skipping installation of
 /usr/local/lib/python2.7/dist-packages/phply/__init__.py (namespace package)
 Installing /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth
 Successfully installed phply
 Cleaning up...

 But still w3af_console doesn't start up and gives the same error.

 Thanks

 Regards
 Aman Thakur



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] w3af in Debian

2014-07-15 Thread Andres Riancho
List,

We're looking for a new maintainer for Debian's w3af package [0].
If you're interested let me know :)

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754472

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] w3af not Starting

2014-07-15 Thread Andres Riancho
You're a smart guy, why don't you read the pip manual and try
something extra from what I tell you?

On Tue, Jul 15, 2014 at 9:33 AM, Aman Thakur aman.thakur.1...@gmail.com wrote:
 I got this:

 ~# sudo pip install --upgrade phply==0.9.1
 Downloading/unpacking phply==0.9.1
   Running setup.py egg_info for package phply

 Requirement already up-to-date: ply in
 /usr/local/lib/python2.7/dist-packages (from phply==0.9.1)
 Installing collected packages: phply
   Found existing installation: phply dev
 Can't uninstall 'phply'. No files were found to uninstall.
   Running setup.py install for phply

 Skipping installation of
 /usr/local/lib/python2.7/dist-packages/phply/__init__.py (namespace package)
 Installing /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth
 Successfully installed phply
 Cleaning up...




-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3


Re: [W3af-users] w3af API

2014-07-14 Thread Andres Riancho
Guillermo,

On Mon, Jul 14, 2014 at 9:34 AM, Guillermo D.A.G gen...@gmail.com wrote:

 Dear Andres,

 First of all, congratulations for w3af, you are doing a great job. Now, I'm
 working on the testing of several tools for private use, with a commercial
 approach, with Acunetix, AppScan, etc. and an open source approach, with
 w3af, wapiti...

Thanks for your email, and mostly for your patience in sending it
again to the mailing list.


 The first gap that I found is the API documentation (RESTful or not).

Yes, there is no documentation on how w3af works internally, that's correct.

On the other side, I'm always here and on IRC to answer any questions
you (or anyone else) might have. I would love to see more
contributors, and that's why I help each new person that approaches
the project with all my time.

 I saw some parallel project like w3afRemote, but I don't know the maturity
 level of this project.

-1

It was a GREAT idea, but since it was an external project and w3af
evolved fast since w3afRemote creation, it is now obsolete. The w3af
version wrapped/exposed by w3afRemote is too old and buggy.

 Do you have in mind publishing (soon) REST API documentation? I saw
 https://github.com/andresriancho/w3af/wiki/REST-API-v1.0 and
 http://comments.gmane.org/gmane.comp.security.w3af.user/1783 but if you have
 a roadmap in mind it would be nice!


The roadmap is here [0], to sum up:
 * 1.6.1 - Bug fixing after 1.6 (we're here)
 * 1.7.0 - Increase WAVSEP Coverage and add long vulnerability descriptions
 * 1.7.2 - Multiple domain names as target
 * 1.7.5 - Scanning sites with anti-CSRF tokens
 * 1.8.0 - JavaScript crawler
 * 1.9 - Specific vendor support release
 * 2.0 - REST API

So... it seems that you're out of luck. A lot of work needs to be
done before we even start thinking about a due date for the REST API.

There are several options at this point:
 * Your (big banking) company supports w3af, codes the REST API and
releases it GPLv2.0
 * Your (big banking) company supports w3af by hiring me as a
freelance developer to work on the REST API and the code gets released
as GPLv2.0
 * You choose any other scanner and pay more ;)

[0] https://github.com/andresriancho/w3af/issues/milestones



 Thanks in advance.

 Best regards,

 --

 Guillermo de Ángel García / Senior Security Consultant
 +34 630 340 920 / gen...@gmail.com



  Let's take care of the environment. Please don't print this e-mail unless
 necessary.






-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] pass in target

2014-07-09 Thread Andres Riancho
Geoff,

I remember answering this question before, and a small thread
about this (not sure if it was in the mailing list). The best solution
for me is to use some kind of templating system to generate the
scripts. Example:

// template.w3af file
# plugin configuration
target
set target http://__TARGET__/
back

// generator.py
# hosts to scan; fill this from wherever your inventory comes from (example values)
TARGET_LIST = ['host1.example.com', 'host2.example.com']

for target in TARGET_LIST:
    template = open('template.w3af').read()
    # substitute the placeholder with the current host
    template = template.replace('__TARGET__', target)
    # one script per target, named after the host
    with open('%s.w3af' % target, 'w') as out:
        out.write(template)

And then you run the generated scripts.

Regards,

On Wed, Jul 9, 2014 at 6:20 AM, Geoff Galitz ge...@galitz.org wrote:


 Hi.

 I'm looking for the best way to pass in a target from the shell to
 w3af_console.  Recommendations?  I have a script file that I want to
 iterate over numerous hosts which are generated dynamically.


 -G



 --
 Geoff Galitz
 http://www.galitz.org





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
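The templating approach from the reply above, carried one step further as an added example (my code, not w3af's and not the poster's): a generator that renders one w3af_console script per host and refuses inventory entries that are not a plain host[:port], since a space or newline in a dynamically generated target would otherwise land in the script as extra commands. TEMPLATE, render_script, safe_filename and generate_scripts are names chosen here; the sample inventory is constructed.

```python
import re
import string

# w3af_console script template; __TARGET__ is substituted per host, as in the
# template.w3af file described in the thread.
TEMPLATE = """\
# plugin configuration
target
set target http://__TARGET__/
back
plugins
output console
back
start
"""

# Accept only DNS-style labels with an optional :port. Anything else (spaces,
# newlines, slashes) is refused, so an odd inventory entry can never inject
# extra lines into the generated script.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"   # leading labels
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"            # final label
    r"(?::\d{1,5})?\Z",                                # optional :port
    re.IGNORECASE,
)


def render_script(template, target):
    """Return the script for one target, or raise ValueError for unsafe input."""
    if len(target) > 253 or not _HOST_RE.match(target):
        raise ValueError("refusing unsafe target: %r" % target)
    return template.replace("__TARGET__", target)


def safe_filename(target):
    """Map host[:port] to a file name that cannot escape the output directory."""
    allowed = set(string.ascii_letters + string.digits + ".-")
    return "".join(c if c in allowed else "_" for c in target) + ".w3af"


def generate_scripts(template, targets):
    """Return ({filename: script}, [rejected targets])."""
    scripts, rejected = {}, []
    for target in targets:
        try:
            scripts[safe_filename(target)] = render_script(template, target)
        except ValueError:
            rejected.append(target)
    return scripts, rejected


if __name__ == "__main__":
    # Constructed inventory: two valid hosts and one entry carrying extra
    # commands that a bare str.replace() would write straight into the script.
    inventory = [
        "10.0.0.5",
        "app.example.com:8080",
        "host3.example.com/\nback\ntarget\nset target http://other.example.com/",
    ]
    generated, bad = generate_scripts(TEMPLATE, inventory)
    for name, body in sorted(generated.items()):
        with open(name, "w") as fh:
            fh.write(body)
        print("wrote", name)
    print("rejected:", bad)
```

Each generated file is then run with ./w3af_console -s <file>.w3af, one scan per host.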



Re: [W3af-users] Why report pragma/cache header errors for 404 or 302 responses?

2014-07-08 Thread Andres Riancho
Ben,

On Tue, Jul 8, 2014 at 11:10 AM, Ben Kirk davidbenk...@gmail.com wrote:
 Hi,
 OK I understand the 404 issue now, that makes sense.

Cool,

 As for a pull request, sorry for a newbie question, are you talking about me making the change and
 submitting a PR to you? Is this via a fork or a branch? I use git at work
 but haven't done a PR with a shared github project before. I pulled latest
 and created a branch with the change but I can't push the change, I get
 error: The requested URL returned error: 403 Forbidden while accessing
 https://github.com/andresriancho/w3af.git/info/refs?service=git-receive-pack
 fatal: HTTP request failed
 I couldn't find any documentation on the site about exactly which process
 you'd like. Do I need to be added as a contributing dev? The suggested
 change is:

     elif response.get_code() > 300 \
             and response.get_code() < 310:
         return

Short answer: fork and then send a pull request.
Long answer: https://github.com/andresriancho/w3af/wiki/Contributing-101



 On Tue, Jul 8, 2014 at 6:10 AM, Andres Riancho andres.rian...@gmail.com
 wrote:

 Ben,

 Please read inline,

 On Mon, Jul 7, 2014 at 7:15 PM, Ben Kirk davidbenk...@gmail.com wrote:
  hi all,
  I may be misreading my scan output results, but I get the following and
  when
  I check all of these specific IDs they are for redirects like 302 or a
  404.
  Should this even be reported for HTTP responses that are not really
  content
  for the user (like a normal 200 with HTML content)
 
  Is this something that can be filtered out? asking because I need to
  report
  these in our monthly deployments to production to our security team and
  I
  don't want to raise any unnecessary flags. I'm using the latest build in
  git
  as of today.
 
  However if these are truly issues I should fix I'm open to that.
 
  thanks for any discussion on this.
 
  [Mon Jul  7 22:06:42 2014 - vulnerability] The whole target web
  application
  has no protection (Pragma and Cache-Control headers) against sensitive
  content caching. This vulnerability was found in the requests with ids
  16,
  36, 42 to 43 and 50.

 Well, you raise an interesting point. I agree that it doesn't make
 sense for these to be checked against 30x. I would be more than happy
 to receive a pull-request which adds a check around here [0] for the
 30x codes. Actually, believe it or not, that if in [0] was intended to
 match that situation, but it wasn't a complete solution since some 30x
 do have response bodies.

 RE: 404 codes, I believe that cache_control.py can't simply say "we
 don't care about them". Some 404 pages do have some private
 information (at least the email address of the user?)

 Does this make sense? Do you have the time to send me that small PR?

 [0]
 https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/cache_control.py#L58

 
 



 --
 Andrés Riancho
 Project Leader at w3af - http://w3af.org/
 Web Application Attack and Audit Framework
 Twitter: @w3af
 GPG: 0x93C344F3





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
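The filtering rule discussed in this thread (skip body-less 30x responses, keep 404s, never report responses that already set the headers), as an added stand-alone checker over constructed responses; this is my illustration, not the project's cache_control.py. The header criterion (Cache-Control: no-store together with Pragma: no-cache) and all function names are assumptions made here.

```python
# Illustrative check for the "no protection against sensitive content caching"
# finding: decide which responses deserve it. Not the w3af cache_control.py
# plugin; header criterion and names are choices made for this example.


def _header(headers, name):
    """Case-insensitive lookup in a {name: value} header dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def has_anti_caching_headers(headers):
    """True when the response carries Cache-Control: no-store and Pragma: no-cache."""
    cache_control = _header(headers, "Cache-Control").lower()
    pragma = _header(headers, "Pragma").lower()
    return "no-store" in cache_control and "no-cache" in pragma


def should_report_missing_cache_headers(status, headers, body):
    """Return True if this response should be reported.

    - A 30x redirect with an empty body has nothing worth caching: skip it.
      A 30x that does carry a body is still checked (the case raised above).
    - 404s are not skipped: a custom error page may echo private data.
    - Responses that already set the headers are never reported.
    """
    if 300 <= status < 400 and not body.strip():
        return False
    return not has_anti_caching_headers(headers)


def grep_responses(responses):
    """Apply the check to (request_id, status, headers, body) tuples and
    return the ids that would appear in the finding."""
    return [rid for rid, status, headers, body in responses
            if should_report_missing_cache_headers(status, headers, body)]


# Constructed sample traffic (ids, paths and bodies made up for this example).
SAMPLE_RESPONSES = [
    (1, 200, {"Content-Type": "text/html"}, "<html>account settings</html>"),
    (2, 302, {"Location": "/login"}, ""),
    (3, 302, {"Location": "/login"}, "<html>You are being redirected</html>"),
    (4, 404, {"Content-Type": "text/html"},
     "<html>No page for user alice@example.com</html>"),
    (5, 200, {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache"},
     "<html>ok</html>"),
]

if __name__ == "__main__":
    print("report request ids:", grep_responses(SAMPLE_RESPONSES))  # [1, 3, 4]
```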



Re: [W3af-users] W3af in metasploit

2014-07-06 Thread Andres Riancho
It's impossible to answer your questions; first read:
http://www.catb.org/esr/faqs/smart-questions.html

And then ask your question using it.

On Sun, Jul 6, 2014 at 3:50 PM, risataim cusan risatai...@gmail.com wrote:
 create a plugin for w3af??

 On Jul 5, 2014 2:01 PM, Andres Riancho andres.rian...@gmail.com
 wrote:

 Please ask specific questions, and decide which one you want to ask :)

 2014-07-05 14:16 GMT-03:00 risataim cusan risatai...@gmail.com:
  How to use w3af + metasploit??
 
  How do I use w3af and metasploit
 
  How can I create a plugin for w3af??



 --
 Andrés Riancho
 Project Leader at w3af - http://w3af.org/
 Web Application Attack and Audit Framework
 Twitter: @w3af
 GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] W3af in metasploit

2014-07-05 Thread Andres Riancho
Please ask specific questions, and decide which one you want to ask :)

2014-07-05 14:16 GMT-03:00 risataim cusan risatai...@gmail.com:
 How to use w3af + metasploit??

 How do I use w3af and metasploit

 How can I create a plugin for w3af??



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Script for automated testing

2014-06-24 Thread Andres Riancho
Are you running ./w3af_console -s script.w3af ?

On Tue, Jun 24, 2014 at 11:03 AM, Shafeeque O.K [gmail]
shafoff...@gmail.com wrote:
 Hi

 I am using the script which is taken from :
 https://www.owasp.org/index.php/Automated_Audit_using_W3AF

 I did some editing, removed the authentication details, and the current
 version which I am using is given below. When I run the script, the scanning
 is not started; instead it gives the w3af console


 Please guide; I'm using the latest version of w3af in Kali.

 Script is given below.

 # ---
 #  W3AF AUDIT SCRIPT FOR WEB APPLICATION
 # ---
 #Configure HTTP settings
 http-settings
 set timeout 30
 back

 #Configure scanner global behaviors
 misc-settings
 set max_discovery_time 20
 set fuzz_cookies True
 set fuzz_form_files True
 set fuzz_url_parts True
 set fuzz_url_filenames True
 back


 plugins
 #Configure entry point (CRAWLING) scanner
 crawl web_spider
 crawl config web_spider
 set only_forward False
 set ignore_regex (?i)(logout|disconnect|signout|exit)+
 back


 #Configure vulnerability scanners
 ##Specify list of AUDIT plugins type to use
 audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
 ##Customize behavior of each audit plugin when needed
 audit config file_upload
 set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
 back


 ##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
 grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header


 ##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
 infrastructure server_header, server_status, domain_dot, dot_net_errors
 back


 #Configure reporting in order to generate an HTML report
 output console, html_file
 output config html_file
 set output_file /tmp/samir-W3afReport.html
 set verbose False
 back
 output config console
 set verbose True
 back


 back
 #Set target informations, do a cleanup and run the scan
 target
 set target http://www.xxx.com
 back

 cleanup
 start



 shafeeque





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

--
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users


Re: [W3af-users] Script for automated testing

2014-06-24 Thread Andres Riancho
Could you send us the complete output from the console? Maybe a screenshot?

On Tue, Jun 24, 2014 at 11:12 AM, Shafeeque O.K [gmail]
shafoff...@gmail.com wrote:
 yes

 Regards,
 Shafeeque Olassery Kunnikkal C|EH,C|EI
 Graytips Cyber Technologies | www.graytips.com




 On Tue, Jun 24, 2014 at 7:37 PM, Andres Riancho andres.rian...@gmail.com
 wrote:

 Are you running ./w3af_console -s script.w3af?

 On Tue, Jun 24, 2014 at 11:03 AM, Shafeeque O.K [gmail]
 shafoff...@gmail.com wrote:
  Hi
 
  I am using the script which is taken from:
  https://www.owasp.org/index.php/Automated_Audit_using_W3AF

  I have done some editing (removed the authentication details) and the current
  version which I am using is given below. When I run the script, the scanning
  is not started; instead it gives me the w3af console.


  Please guide; I am using the latest version of w3af in Kali.
 
  Script is given below.

  #-------------------------------------------------------------------
  # W3AF AUDIT SCRIPT FOR WEB APPLICATION
  #-------------------------------------------------------------------
  #Configure HTTP settings
  http-settings
  set timeout 30
  back

  #Configure scanner global behaviors
  misc-settings
  set max_discovery_time 20
  set fuzz_cookies True
  set fuzz_form_files True
  set fuzz_url_parts True
  set fuzz_url_filenames True
  back


  plugins
  #Configure entry point (CRAWLING) scanner
  crawl web_spider
  crawl config web_spider
  set only_forward False
  set ignore_regex (?i)(logout|disconnect|signout|exit)+
  back


  #Configure vulnerability scanners
  ##Specify list of AUDIT plugins type to use
  audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
  ##Customize behavior of each audit plugin when needed
  audit config file_upload
  set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
  back


  ##Specify list of GREP plugins type to use (a grep plugin is a type of plugin that can also find vulnerabilities or information disclosure)
  grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header


  ##Specify list of INFRASTRUCTURE plugins type to use (an infrastructure plugin is a type of plugin that can find information disclosure)
  infrastructure server_header, server_status, domain_dot, dot_net_errors
  ##Still inside the plugins menu here: no "back" until the output plugins below are configured


  #Configure reporting in order to generate an HTML report
  output console, html_file
  output config html_file
  set output_file /tmp/samir-W3afReport.html
  set verbose False
  back
  output config console
  set verbose True
  back


  back
  #Set target information, do a cleanup and run the scan
  target
  set target http://www.xxx.com
  back

  cleanup
  start
 
 
 
  shafeeque
 
 



 --
 Andrés Riancho
 Project Leader at w3af - http://w3af.org/
 Web Application Attack and Audit Framework
 Twitter: @w3af
 GPG: 0x93C344F3





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
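The script in this thread is a w3af_console script, which is just a list of console commands: some of them enter a menu (plugins, http-settings, target, "<type> config <name>") and "back" leaves it again, so a single misplaced "back" (for example one left behind after deleting an "auth config generic ... back" block) silently drops the rest of the script into the wrong menu. The following checker is an added example, not w3af's own code; the menu model and the command sets it uses are assumptions made from the prompts the console shows, and the two scripts embedded in it are constructed, cut-down versions of the one posted above.

```python
"""Sanity-check the menu nesting of a w3af_console script before running it
with ./w3af_console -s script.w3af (added example, not w3af's own code).

The console is modelled as a stack of menus: root, the http-settings /
misc-settings / target menus, the plugins menu, and the per-plugin
"<type> config <name>" menus. Which commands each menu accepts is an
assumption for this illustration, not copied from the w3af source.
"""
from typing import List, Tuple

ROOT_MENUS = {"http-settings", "misc-settings", "target", "plugins"}
PLUGIN_TYPES = {"audit", "grep", "crawl", "infrastructure", "output",
                "auth", "bruteforce", "evasion", "mangle"}
ROOT_ONLY = {"start", "cleanup", "exit", "profiles"}
ANY_MENU = {"help", "view", "list"}


def lint_w3af_script(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs; an empty list means the nesting is sane."""
    stack = ["root"]
    problems: List[Tuple[int, str]] = []
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        words = line.split()
        cmd, current = words[0], stack[-1]
        if cmd == "back":
            if current == "root":
                problems.append((lineno, "'back' at the root menu: one 'back' too many"))
            else:
                stack.pop()
        elif cmd == "set":
            if current in ("root", "plugins"):
                problems.append((lineno, f"'set' is not valid in the {current} menu"))
        elif cmd in PLUGIN_TYPES:
            if current != "plugins":
                problems.append((lineno, f"'{cmd}' is only valid inside the plugins menu (now in {current})"))
            elif len(words) >= 3 and words[1] == "config":
                stack.append(f"{cmd} config {words[2]}")  # enters that plugin's config menu
        elif cmd in ROOT_MENUS or cmd in ROOT_ONLY:
            if current != "root":
                problems.append((lineno, f"'{cmd}' is only valid at the root menu (now in {current})"))
            elif cmd in ROOT_MENUS:
                stack.append(cmd)
        elif cmd not in ANY_MENU:
            problems.append((lineno, f"unknown command '{cmd}' in the {current} menu"))
    if stack[-1] != "root":
        problems.append((len(lines), f"script ends inside the {stack[-1]} menu"))
    return problems


# Constructed, shortened version of the posted script. Line 9 is the stray
# "back" that leaves the plugins menu before the output plugins are configured.
BUGGY_SCRIPT = """\
plugins
crawl web_spider
crawl config web_spider
set only_forward False
back
audit sqli, xss
grep private_ip
infrastructure server_header
back
output console, html_file
output config html_file
set output_file /tmp/report.html
back
back
target
set target http://www.xxx.com
back
cleanup
start
"""

# Same script with the stray "back" removed.
FIXED_SCRIPT = "\n".join(
    l for i, l in enumerate(BUGGY_SCRIPT.splitlines(), 1) if i != 9) + "\n"


def main() -> None:
    for name, script in (("buggy", BUGGY_SCRIPT), ("fixed", FIXED_SCRIPT)):
        problems = lint_w3af_script(script)
        print(f"{name}: {len(problems)} problem(s)")
        for lineno, msg in problems:
            print(f"  line {lineno}: {msg}")


if __name__ == "__main__":
    main()
```

Running it on the buggy script reports every line from "output console, html_file" to the second "back" as being executed in the wrong menu; the fixed script passes clean.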



Re: [W3af-users] Scan mobile devices with w3af

2014-06-24 Thread Andres Riancho
Well, w3af scans web applications, so if your phone exposes a web
server you'll be able to scan it. That's REALLY uncommon.

On the other hand, some web apps are designed for being accessed from
mobile devices. Those are good targets for w3af.

On Tue, Jun 24, 2014 at 12:10 PM, Aman Thakur
aman.thakur.1...@gmail.com wrote:
 Hi guys,
 Good Day!!

 I was thinking about the scanning process of w3af for devices. So I thought
 it would be better to discuss it over here.

 I wanted to ask, is it possible to scan mobile devices for vulnerabilities
 with w3af?

 Thanks

 With Regards
 Aman Thakur





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Throttling requests

2014-06-09 Thread Andres Riancho
Simon,

Yep, the answer is still the same. Usually people just want it to
go faster, not slower :)

Pull-requests for adding this feature are welcome.

On Mon, Jun 9, 2014 at 9:04 AM,
bm-2ctc7ndxaq76tymu5rb1nbg3nqcnjyq...@bitmessage.ch wrote:
 Hi,

 I was searching the web on how to throttle w3af requests and only found:
 http://comments.gmane.org/gmane.comp.security.w3af.user/1015

 (from 2011)

 Is it still not available as a config option in w3af nowadays?

 thanks!
 Simon






-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] blacklist URL from being scanned by anything

2014-06-02 Thread Andres Riancho
Sorry for the very late response, I was offline.

The framework's blacklist should take care of blocking all requests,
to any URL you specify in the blacklist. I haven't tested your
specific case, but I don't see why it wouldn't work [0].

If you want to see this fixed, please send me an easy way to reproduce it:
* A w3af script with an online target
* A failing unittest written in python like [1]

[0] 
https://github.com/andresriancho/w3af/blob/master/w3af/core/data/url/handlers/blacklist.py#L58
[1] 
https://github.com/andresriancho/w3af/blob/master/w3af/core/data/url/handlers/tests/test_blacklist.py

On Wed, May 21, 2014 at 2:54 AM, Vojtěch Polášek krec...@gmail.com wrote:
 Hi,
 Okay. The target application is heavily dynamic (JSP), so I selected the
 following way of scanning:
 I want to scan an authenticated part of the application.
 1. I log in and export my cookie.
 2. I created a profile which performs various testing, but the main source
 of URLs is spider_man, because of the technology in use.
 This profile uses the exported cookie for maintaining the session.
 But whenever anyone who has a valid session cookie visits
 xxx.xxx.xxx.xxx/, the cookie is invalidated and so my scan returns no
 interesting results after doing this.
 For example, the session breaks after (probably) the phpinfo plugin visits:
 xxx.xxx.xxx.xxx/?mode=phpinfo
 I simply want to blacklist this individual URL:
 xxx.xxx.xxx.xxx/

 Or is there any other way of doing an authenticated scan in these conditions?
 Thanks,
 Vojta
 Dne 20.5.2014 21:42, Andres Riancho napsal(a):
 Vojtech,

 Please read inline,

 On Tue, May 20, 2014 at 4:41 AM, Vojtěch Polášek krec...@gmail.com wrote:
 Hi,
 I am scanning a web application which is quite dynamic.
 I have to use spider_man to walk through it. There is one problem -
 whenever anyone tries to access its root URL (http://xxx.xxx.xxx.xxx/)
 it is redirected to a login form and therefore current cookie loses its
 validity.
 Is there any possibility to prevent every plugin from scanning this URL?
 Well... I believe you've found a rather strange bug. Let me better
 understand:
 * What's the target you're setting for the scan?
 * Which URL is going into the blacklist?


 I added it into ignored urls in misc settings, but it doesn't help.
 Thanks,
 Vojta







-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
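The requirement in this thread is narrow: one exact URL (the root, with or without a query string such as ?mode=phpinfo) must never be requested because visiting it kills the session, while every other path on the same host still has to be crawled and audited. The class below is an added example of such a blacklist, not w3af's own blacklist handler; it normalises URLs first so that "http://host", "http://host/" and "HTTP://host:80/" are treated as the same resource, ignores the query string unless the blacklist entry itself carries one, and never blocks sub-paths. The host and paths are constructed for the example.

```python
"""Exact-URL blacklist for a crawler/scanner queue (added example, not
w3af's blacklist handler). Entries without a query string block that path
with any query; entries with a query string block only that exact request.
Sample URLs use a constructed host in the 192.0.2.0/24 documentation range.
"""
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url: str) -> Tuple[str, str, str, str]:
    """Canonical (scheme, host[:port], path, query) so equivalent spellings compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port is None or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    path = parts.path or "/"          # "http://host" and "http://host/" are the same resource
    return scheme, netloc, path, parts.query


class UrlBlacklist:
    def __init__(self, entries: Iterable[str]) -> None:
        self._by_path = set()         # entries without a query: block that path with any query
        self._exact = set()           # entries with a query: block only that exact request
        for entry in entries:
            scheme, netloc, path, query = normalize(entry)
            if query:
                self._exact.add((scheme, netloc, path, query))
            else:
                self._by_path.add((scheme, netloc, path))

    def is_blocked(self, url: str) -> bool:
        scheme, netloc, path, query = normalize(url)
        return ((scheme, netloc, path) in self._by_path
                or (scheme, netloc, path, query) in self._exact)

    def allowed(self, urls: Iterable[str]) -> List[str]:
        """What a crawler queue keeps after filtering: everything not blacklisted."""
        return [u for u in urls if not self.is_blocked(u)]


# Constructed crawl queue for the scenario in the thread.
QUEUE = [
    "http://192.0.2.10/",                      # root: invalidates the session
    "http://192.0.2.10/?mode=phpinfo",         # root again, with a query
    "HTTP://192.0.2.10:80",                    # root, spelled differently
    "http://192.0.2.10/app/index.jsp",         # must still be scanned
    "http://192.0.2.10/app/report.jsp?id=3",   # must still be scanned
]


def main() -> None:
    blacklist = UrlBlacklist(["http://192.0.2.10/"])
    for url in QUEUE:
        print(("BLOCKED " if blacklist.is_blocked(url) else "allowed ") + url)


if __name__ == "__main__":
    main()
```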



Re: [W3af-users] [Gentoo] Help with packages w3af depend on

2014-06-02 Thread Andres Riancho
I believe you might be hitting this [0] bug. The solution might be to
disable the dependency_check (until #2703 is fixed).

[0] https://github.com/andresriancho/w3af/issues/2703

On Thu, May 8, 2014 at 12:11 PM, Raphael de Albuquerque Lima
rapd...@gmail.com wrote:
 Hi all,


 I've got w3af to work under Gentoo once, quite a while ago, and now I'm
 unable to reproduce it and I can't find any trace of what I've done then
 (duh).

 I'm running a fully updated Gentoo, running Python 2.7, Python Targets with
 2.7 support enabled for all packages.

 I've read all the documentation and searched forums/googled for it, but I
 was unable to find which packages need to be installed prior to running it
 on Gentoo specifically. Since the script points out Debian packages, I
 installed some packages that I believed to be Gentoo's equivalents, but I'm
 still missing something.

 I'm running both svn and stable (pentoo layman) versions, but can't use
 either.

 The error messages don't complain about python dependencies or pip's, as
 you can see below:

 w3af # ./w3af_gui
 w3af's requirements are not met, one or more third-party libraries need to
 be installed.

 On Debian systems please install the following operating system packages
 before running the pip installer:
 sudo apt-get install build-essential python-setuptools git python-pip
 libssl-dev graphviz python2.7-dev libsqlite3-dev libxslt1-dev libyaml-dev
 python-gtksourceview2 python-gtk2 libxml2-dev

 A script with these commands has been created for you at
 /tmp/w3af_dependency_install.sh



 Doing some research, these are the equivalents of Debian's packages for
 Gentoo that I've installed:

 build-essential  -  from what I've found, it's shipped with Gentoo (emerge
 system)
 python-setuptools  -  installed dev-python/setuptools
 git  -  installed dev-vcs/git
 python-pip  -  installed dev-python/pip
 libssl-dev  -  installed both  dev-libs/openssl and dev-python/pyopenssl
 graphviz  -  installed both media-gfx/graphviz and dev-python/pygraphviz
 python2.7-dev  -  installed dev-lang/python 2.7.6-r1 and it's the active
 python
 libsqlite3-dev  -  installed: dev-db/sqlite dev-python/sqlite3dbm
 dev-python/sqlitecachec
 libxslt1-dev  - installed  dev-libs/libxslt and dev-python/django-xslt
 (don't think this one is related but wouldn't hurt to try)
 libyaml-dev  -  installed dev-libs/libyaml and dev-python/pyyaml
 python-gtksourceview2  -  installed dev-python/pygtksourceview (2.10.1-r1)
 and x11-libs/gtksourceview both 2.0 and 3.0
 python-gtk2  -  installed dev-python/pygtk 2.24.0-r4 and
 dev-python/pywebkitgtk
 libxml2-dev  -  installed  dev-python/lxml and dev-python/pyxml

 Any help would be greatly appreciated.

 Sorry for any english mistakes.

 Thanks!

 - Raphael





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] w3af XML

2014-05-29 Thread Andres Riancho
Tom,

On Tue, May 27, 2014 at 11:38 AM, Tom Stage voro...@voronwe.dk wrote:
 Hi All

 I am working on the OWASP DEF Project, and I was wondering if it would be
 possible to get my hands on some test data XML; I would like to include
 this data in the project for documentation purposes.

 I have some test data available from test scans that I have done myself, but
 I am not sure that this covers every possible field that w3af can produce.

Well, instead of giving you example outputs which might or might not
cover all the cases, I can do something much better :) There is an XSD
[0] for our XML, and I can guarantee that all output generated by our
xml_file plugin will validate against it [1].

[0] 
https://github.com/andresriancho/w3af/blob/master/w3af/plugins/output/xml_file/report.xsd
[1] 
https://github.com/andresriancho/w3af/blob/master/w3af/plugins/tests/output/test_xml_file.py#L80

 Would you consider adopting this format when it is finished?

If you send me a pull-request :)

 You can have a look at the current progress here:
 https://github.com/TomStageDK/OWASP-DEF

 On a side note I can say that I have tried to do the fix for bug #2067 in
 the development branch, but if I have done it wrong once again please let me
 know.

Sadly I don't have time this week to spend on it, but please remind me next week

 Cheers,

 Tom Stage





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] phply dependency failure on latest on ubuntu

2014-05-28 Thread Andres Riancho
Well, that's strange! Why don't you give the develop branch a try?

On Wed, May 28, 2014 at 2:05 PM, Ben Kirk davidbenk...@gmail.com wrote:
 hi,
 I downloaded latest w3af from git, ran all the dep checks, but when I run
 w3af_console it still complains about:

 Your python installation needs the following modules to run w3af:
 phply

 After installing any missing operating system packages, use pip to install
 the remaining modules:
 sudo pip install --ignore-installed
 git+https://github.com/andresriancho/phply.git#egg=phply

 A script with these commands has been created for you at
 /tmp/w3af_dependency_install.sh
 ---
 I ran this wrapper and the command, no errors, but still reporting it. The
 last time I installed latest about 2 weeks or so ago I didn't have this
 issue (on a different image but still ubuntu). I've been able to install/run
 w3af many times on the same OS in the past few months.
 I'm on Ubuntu 12.04.4, deployed in AWS.
 thanks!





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] phply dependency failure on latest on ubuntu

2014-05-28 Thread Andres Riancho
You might be hitting this bug
https://github.com/andresriancho/w3af/issues/2766

On Wed, May 28, 2014 at 2:50 PM, Andres Riancho
andres.rian...@gmail.com wrote:
 Well, that's strange! Why don't you give the develop branch a try?

 On Wed, May 28, 2014 at 2:05 PM, Ben Kirk davidbenk...@gmail.com wrote:
 hi,
 I downloaded latest w3af from git, ran all the dep checks, but when I run
 w3af_console it still complains about:

 Your python installation needs the following modules to run w3af:
 phply

 After installing any missing operating system packages, use pip to install
 the remaining modules:
 sudo pip install --ignore-installed
 git+https://github.com/andresriancho/phply.git#egg=phply

 A script with these commands has been created for you at
 /tmp/w3af_dependency_install.sh
 ---
 I ran this wrapper and the command, no errors, but still reporting it. The
 last time I installed latest about 2 weeks or so ago I didn't have this
 issue (on a different image but still ubuntu). I've been able to install/run
 w3af many times on the same OS in the past few months.
 I'm on Ubuntu 12.04.4, deployed in AWS.
 thanks!





 --
 Andrés Riancho
 Project Leader at w3af - http://w3af.org/
 Web Application Attack and Audit Framework
 Twitter: @w3af
 GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] web_spider not crawling properly

2014-05-26 Thread Andres Riancho

 </tr>
 <tr>
 <td align=center class=tblTD>28</td>
 <td class=tblTD><a href=ReportInstitutionsAction32.do?method=displayTopMgmtContactDetails>Top
 Management Contact Details (Only Top In Hierarchy) </a></td>
 </tr>
 <!-- <tr>
 <td align=center class=tblTD>28</td>
 <td class=tblTD><a href=ReportInstitutionsAction35.do?method=displayNewOrCancelled>List
 of new or Cancelled Institutions </a></td>
 </tr>-->
 <!--<tr>
 <td align=center class=tblTD>31</td>
 <td class=tblTD><a href=ReportSpecialPurposeVehicles.do?method=displaySpecialPurposeVehicles>Special
 Purpose Vehicles</a></td>
 </tr>-->
 </table>
 <!-- InstanceEndEditable --></td>
 </tr>
 </table>
 </td>
 </tr>
 </table>
 </td>
 </tr>
 </table>
 </td>
 </tr>
 </form>
 </body>
 <!-- InstanceEnd -->
 </html>

 <table width=100% border=0 align=center cellpadding=0 cellspacing=0>
 <table width=100% border=0 cellspacing=0 cellpadding=0>
 </table>
 </body>
 </html>









  Original Message 
 Subject: Re: [W3af-users] web_spider not crawling properly
 From: Andres Riancho andres.rian...@gmail.com
 To: Ali Khalfan ali.khal...@gmail.com
 CC: w3af-users@lists.sourceforge.net w3af-users@lists.sourceforge.net
 Date: Tue May 20 2014 22:44:22 GMT+0300 (AST)

 Maybe the site is rather complex (a lot of JavaScript), and can't be
 understood by w3af's HTML parser?

 If so, try this out:
 http://docs.w3af.org/en/latest/complex-web-apps.html

 On Tue, May 20, 2014 at 1:50 AM, Ali Khalfan ali.khal...@gmail.com wrote:
 Hi Andres,

 I noticed when scanning a few of my applications that href links are not
 being detected by the web_spider plugin. It seems that the only links
 detected are images and stylesheets.

 I've taken a quick glance at the plugin code and it doesn't seem that anchor
 links are being parsed.

 Is this the case?









-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
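Andres's diagnosis is that a static HTML parser only finds links that are present in the markup it is given, so links created by JavaScript are invisible to it; the opposite shortcut, grepping the raw page for href=, over-reports because it also returns links inside HTML comments and script strings that no user can click. The script below is an added example that shows both effects side by side; it is not w3af's web_spider code (which uses its own parser), and the sample page is a constructed cut-down of the markup posted in this thread with a commented-out row and one JavaScript-built link added.

```python
"""Static parser versus naive regex for link extraction (added example, not
w3af's web_spider). SAMPLE_HTML is constructed from the markup posted in the
thread: one live anchor, one anchor inside an HTML comment, and one anchor
that only exists once the browser runs the script.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

SAMPLE_HTML = """\
<table>
<tr><td align="center" class="tblTD">28</td>
<td class="tblTD"><a href="ReportInstitutionsAction32.do?method=displayTopMgmtContactDetails">Top
Management Contact Details (Only Top In Hierarchy)</a></td></tr>
<!-- <tr><td align="center" class="tblTD">28</td>
<td class="tblTD"><a href="ReportInstitutionsAction35.do?method=displayNewOrCancelled">List
of new or Cancelled Institutions</a></td></tr> -->
</table>
<script>
  // this link only exists after the browser executes the script
  document.write('<a href="/ReportMenu.do?method=latest">Latest</a>');
</script>
"""

HREF_RE = re.compile(r'href=["\']?([^\s"\'>]+)', re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collects href values of real <a> tags; anchors inside comments are kept apart."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []
        self.commented: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(value for name, value in attrs if name == "href" and value)

    def handle_comment(self, data):
        # Markup inside <!-- --> never reaches handle_starttag; a regex crawler
        # would still request these URLs.
        self.commented.extend(HREF_RE.findall(data))


def parser_links(html: str) -> Tuple[List[str], List[str]]:
    """(live anchors, anchors hidden in comments) as a real HTML parser sees them."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.hrefs, parser.commented


def regex_links(html: str) -> List[str]:
    """Every href= in the raw bytes, including comments and script strings."""
    return HREF_RE.findall(html)


def main() -> None:
    live, commented = parser_links(SAMPLE_HTML)
    print("parser, live anchors:     ", live)
    print("parser, inside comments:  ", commented)
    print("regex, everything:        ", regex_links(SAMPLE_HTML))


if __name__ == "__main__":
    main()
```

The parser reports one live link and one commented-out link, and does not see the JavaScript-built one at all, which is the situation the docs page Andres links to addresses; the regex returns all three without distinguishing them.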



Re: [W3af-users] IP Blockage Problem

2014-05-23 Thread Andres Riancho
Nope, no way to solve this other than disabling the IP blocking
software that runs on the server.

On Fri, May 23, 2014 at 11:50 AM, Aman Thakur
aman.thakur.1...@gmail.com wrote:
 Hello Geeks,
 Good Day!!

 I have been using w3af for a while now. I have noticed that when we do the
 scan against websites, sometimes the website blocks my IP.

 The process w3af_console just gets stuck in the terminal and the scan never
 finishes. Then, even if I try to load the website in the browser, it doesn't
 load.

 Is there any solution to this problem that exists?

 Thanks

 With Regards
 Aman Thakur





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] blacklist URL from being scanned by anything

2014-05-20 Thread Andres Riancho
Vojtech,

Please read inline,

On Tue, May 20, 2014 at 4:41 AM, Vojtěch Polášek krec...@gmail.com wrote:
 Hi,
 I am scanning a web application which is quite dynamic.
 I have to use spider_man to walk through it. There is one problem -
 whenever anyone tries to access its root URL (http://xxx.xxx.xxx.xxx/)
 it is redirected to a login form and therefore current cookie loses its
 validity.
 Is there any possibility to prevent every plugin from scanning this URL?

Well... I believe you've found a rather strange bug. Let me better
understand:
* What's the target you're setting for the scan?
* Which URL is going into the blacklist?


 I added it into ignored urls in misc settings, but it doesn't help.
 Thanks,
 Vojta




-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] web_spider not crawling properly

2014-05-20 Thread Andres Riancho
Maybe the site is rather complex (a lot of JavaScript), and can't be
understood by w3af's HTML parser?

If so, try this out:
http://docs.w3af.org/en/latest/complex-web-apps.html

On Tue, May 20, 2014 at 1:50 AM, Ali Khalfan ali.khal...@gmail.com wrote:
 Hi Andres,

 I noticed when scanning a few of my applications that href links are not
 being detected by the web_spider plugin. It seems that the only links
 detected are images and stylesheets.

 I've taken a quick glance at the plugin code and it doesn't seem that anchor
 links are being parsed.

 Is this the case?






-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Scan Contents of PDF?

2014-05-16 Thread Andres Riancho
Short answer: No [0]

Long answers:
* No, SSN detection only works for HTML; see the call to is_text_or_html().

* No but... w3af is open source and you can modify the plugin to
make it work like you want. It seems to make sense to add this
feature, so if you like I can guide you.

[0] 
https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/ssn.py#L54

On Fri, May 16, 2014 at 7:09 PM, Rappold, Randy rra...@lsuhsc.edu wrote:
 Can w3af scan the contents of PDF files for SSNs?



 We’re evaluating w3af as a tool to scan our website for SSN content.   A new
 profile was created using the web-spider crawl and ssn grep plugins.  This
 locates possible SSNs on web pages but not in PDF documents.  A review of
 all plugins doesn’t appear to include an option for PDFs.



 Thank you.






-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
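The two answers above come down to one gate in the plugin: the body is only grepped when the response is text or HTML, so a PDF is skipped; making it work for PDFs means feeding extracted text through the same check. The code below is an added example of that shape, not w3af's ssn grep plugin: the content-type gate, an SSA-issuance plausibility filter so that obviously invalid numbers are not reported, an optional text-extractor hook for application/pdf bodies (the extension Andres offers to guide), and masked reporting so the scan report itself does not reproduce the numbers it finds. The sample responses are constructed.

```python
"""Grep-style SSN check over HTTP responses (added example, not w3af's ssn
grep plugin). Only text/HTML bodies are inspected; a PDF is skipped unless
the caller supplies extract_text(bytes) -> str for it. Findings are masked.
Sample responses are constructed.
"""
import re
from typing import Callable, List, Optional, Tuple

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
TEXT_TYPES = {"application/xhtml+xml", "application/xml", "application/json"}


def mime_of(content_type: str) -> str:
    return content_type.split(";", 1)[0].strip().lower()


def is_text_or_html(content_type: str) -> bool:
    """The gate the plugin applies: only textual bodies are grepped."""
    mime = mime_of(content_type)
    return mime.startswith("text/") or mime in TEXT_TYPES


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop numbers the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def grep_ssn(response: dict,
             extract_text: Optional[Callable[[bytes], str]] = None) -> List[Tuple[str, str]]:
    """Return (url, masked_ssn) for every plausible SSN in the response body."""
    content_type = str(response["content_type"])
    body = response["body"]
    if is_text_or_html(content_type):
        text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    elif extract_text is not None and mime_of(content_type) == "application/pdf":
        raw = body if isinstance(body, bytes) else str(body).encode()
        text = extract_text(raw)          # caller-supplied PDF-to-text step
    else:
        return []                         # binary body and no extractor: skipped, as in the plugin
    findings = []
    for match in SSN_RE.finditer(text):
        if plausible_ssn(*match.groups()):
            # Report only the last four digits so the report is not itself a leak.
            findings.append((str(response["url"]), f"***-**-{match.group(3)}"))
    return findings


# Constructed responses: one HTML page, one PDF carrying the same number.
HTML_PAGE = {
    "url": "http://192.0.2.10/staff.html",
    "content_type": "text/html; charset=utf-8",
    "body": "<p>Emp 078-05-1120</p><p>never issued: 000-12-3456</p><p>order 123-45-67890</p>",
}
PDF_FILE = {
    "url": "http://192.0.2.10/staff.pdf",
    "content_type": "application/pdf",
    "body": b"%PDF-1.4\n(Emp 078-05-1120) Tj\n%%EOF",
}


def main() -> None:
    print("html, no extractor:", grep_ssn(HTML_PAGE))
    print("pdf,  no extractor:", grep_ssn(PDF_FILE))
    # A real deployment would plug in a PDF text extractor here; the stand-in
    # below just decodes the bytes, which is enough for this constructed sample.
    print("pdf,  with extractor:", grep_ssn(PDF_FILE, extract_text=lambda b: b.decode("latin-1")))


if __name__ == "__main__":
    main()
```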



[W3af-users] w3af installation on Mac OSX

2014-05-14 Thread Andres Riancho
Vinny,

Thanks for your tweet, and blog post. What do you think about
adding your steps to our online docs [0][1]?

I believe that the best is for you to send me a pull-request with
changes for the install.rst file which contains the instructions from
your blog, but in RST format. You may add a link to the original blog
post at the beginning/end of the modified docs.

When sending this modification do NOT reference pip packages
directly, since they change and the docs would become quickly
outdated. Just say something like install the pip packages required
by the installation script output (or similar).

[0] https://github.com/andresriancho/w3af/blob/master/doc/sphinx/install.rst
[1] http://docs.w3af.org/en/latest/install.html

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] links for tutorials

2014-05-13 Thread Andres Riancho
You could use spiderman+selenium

On Tue, May 13, 2014 at 1:01 AM, Ali Khalfan ali.khal...@gmail.com wrote:
 one last thing I forgot to ask...would there be a possibility to use
 selenium scripts on w3af? pretty far-fetched, but just wondering...


 On Mon, May 12, 2014 at 2:35 PM, Ali Khalfan ali.khal...@gmail.com wrote:

 I'm looking for tutorials to cover w3af.  Specifically w3af authenticated
 scanning.  Googling gives me many tutorials but I was wondering if the list
 would recommend one.

 Thanks







-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] links for tutorials

2014-05-12 Thread Andres Riancho
If [0] is not enough, please let me know why and I'll try to improve
it. If you want, send me the improvements yourself.

[0] http://w3af.org/howtos/authenticated-scans

On Mon, May 12, 2014 at 6:35 AM, Ali Khalfan ali.khal...@gmail.com wrote:
 I'm looking for tutorials to cover w3af.  Specifically w3af authenticated
 scanning.  Googling gives me many tutorials but I was wondering if the list
 would recommend one.

 Thanks





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Kaspersky alert - Heur:trojan

2014-05-10 Thread Andres Riancho
Which AV complained? The one on the host running w3af or the one on the
server? Is it complaining about some file on the target host?
On 10/05/2014 11:57, José Antonio jacfrei...@gmail.com wrote:

 Hi guys,

 I'm trying to use w3af from a VirtualBox Kali installation, when
 Kaspersky found a HEUR:trojan:generic signature in a download from the test
 script using the URL unibz.it.pandastats.net

 I'm using audit, infrastructure and mangle plugins.

 Is it a false positive?

 Thanks

 José Antonio






Re: [W3af-users] Fwd: How to setup Spiderman to use SSL

2014-05-05 Thread Andres Riancho
Aaron,

On Wed, Apr 30, 2014 at 5:06 PM, Aaron Tracy atr...@gmail.com wrote:
 OK, I'll work on generating a certificate.  Quick concept question. I'm a
 big JMeter user, and their latest build generates a local certificate on the
 fly that is good for 7 days (set in a configuration file).  The program
 creates a certificate every time you hit start, but you really don't need to
 add the certificate until your current one expires in 7 days.

 Now with that as a background, in w3af, I'm generating one certificate.
 Will this certificate work for everyone that wants to use it, or will we
 need to update w3af so it generates a new certificate on the fly like in
 JMeter, or is generating one certificate version 1.0 of this process and the
 dynamic certificate generation like version 2.0?

 (Here's the documentation section I'm referring to in JMeter in case you're
 interested:

 https://jmeter.apache.org/usermanual/component_reference.html#HTTP%28S%29_Test_Script_Recorder

Well, for now I believe that it is a good idea to just generate
one CA, one certificate and simply use that for all w3af traffic.



 On Wed, Apr 30, 2014 at 12:51 PM, Andres Riancho andres.rian...@gmail.com
 wrote:

 Aaron,

 Thanks for re-sending to the mailing list :) It really helps the
 community

 On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy atr...@gmail.com wrote:
   Hey Andres,
 
   I haven't set up a CA before, but Google showed me the following
   tutorial:
   https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
 
 I installed openssl and it's working properly on my Mac, however, before I
 go too far down this road, I wanted to get a peer review to make sure I'm on
 the right track.

 Good call, I love peer review, hate spending time when I'm unsure.

 I believe you're on the right track: generating a CA with openssl
 and then create a new SSL certificate for the proxy to use.

 If so, I'll need to have the caconfig.cnf file information (see the
 website) for w3af... if I'm totally off track here, help me get back on
 track :D

 Re: the caconfig.cnf, I would say that you can use the defaults.

 Please use the proxy.fake.w3af.org domain for the cert to generate.

 Something that would be nice to have is a README.rst file in the
 directory where this info will live, explaining how to generate new
 SSL certs, if they need, etc.

 I'm logged into w3af on freenode as tracer2000... :D

 Ah, sorry, I've been offline these days (off-site)

  Thanks for the Contributing 101 link :D I'm an avid github user so it made
  perfect sense to me :D
 
  Aaron
 
 
  On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho
  andres.rian...@gmail.com
  wrote:
 
  Aaron,
 
   Thanks for the interest mate :) I believe that the best thing to do is:
  
   * Create a new CA using openssl, add it to the repository
   * Use that CA to create a new certificate that will be used with spiderman
   * Write a document here [0] about how to configure your browser to use
     spiderman with the new CA/cert
  
   Once that's done, we'll be able to worry about the migration to
   libmitmproxy
  
   You can send me the code as pull-requests, a guide on how to do it is
   here: https://github.com/andresriancho/w3af/wiki/Contributing-101
  
   Let me know if you find issues in the document, potential
   improvements, etc. If you get stuck contact me on freenode IRC
   (__apr__ is my nickname on #w3af)
 
  [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
  [1] https://github.com/andresriancho/w3af/issues/1269
 
  On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy atr...@gmail.com wrote:
    Bring it on Andres!  I'll be happy to help out with this!  Where do I
    start?
  
  
   On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho
   andres.rian...@gmail.com
   wrote:
  
   Aaron,
  
    Well, that's actually a very good question! I haven't used the
    spiderman proxy for years, and when I tried now (after reading your
    email) I realized that there is no CA being distributed with w3af. The
    certificate the w3af is using is at [0], but that's kind of useless to
    solve your problem.
   
    A while ago, and without actually hitting this bug, I was on the
    right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
    will have low priority on my TODO list (see that I'm working on 1.6.1,
    a bug fix release, and [1] is in the 1.8 release).
   
    If you're interested in working on this issue, I would gladly
    help/guide you through each step.
   
    [0] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
    [1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
  
   On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy atr...@gmail.com
   wrote:
Hi!  Is there a tutorial somewhere I can follow on how to setup

[W3af-users] [slightly-off-topic] Me at Bogota - Colombia

2014-05-04 Thread Andres Riancho
List,

I'll be a speaker at OWASP LATAM Tour @ Bogota [0], I'll arrive on
Tuesday and leave on Friday morning. If you want to meet for beers and
talk appsec, let me know!

[0] https://www.owasp.org/index.php/LatamTour2014#tab=COLOMBIA

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Fix for Exception in w3af

2014-04-29 Thread Andres Riancho
Yes, got it. Could you please send me the information I asked for?
You're missing:
* Output of the ./w3af_console --version command
* detailed system information

See http://docs.w3af.org/en/latest/report-a-bug.html

I would love to fix this, but need more info.

On Mon, Apr 28, 2014 at 11:41 AM, Aman Thakur
aman.thakur.1...@gmail.com wrote:
 Sir, did you get my last message having screenshots?


 On Mon, Apr 28, 2014 at 7:23 PM, Aman Thakur aman.thakur.1...@gmail.com
 wrote:

  Sir, I have attached 2 screenshots: the 1st is the error I got while
  scanning, the 2nd is the screenshot of the w3af script I am using. Then I
  am running the command $ w3af_console -s scriptname


 On Mon, Apr 28, 2014 at 6:51 PM, Andres Riancho andres.rian...@gmail.com
 wrote:

 Please send me the details on how you're launching the scan, your
 operating system, etc. Please follow the bug reporting best practices
 [0] so I can reproduce on my end.

 [0] http://docs.w3af.org/en/latest/report-a-bug.html

 On Mon, Apr 28, 2014 at 10:19 AM, Aman Thakur
 aman.thakur.1...@gmail.com wrote:
   Sir, I was scanning the openly available website http://dvwa.co.uk/ using
   the automated script.
 
 
  On Mon, Apr 28, 2014 at 6:33 PM, Andres Riancho
  andres.rian...@gmail.com
  wrote:
 
  Is there any way I can reproduce your issue? Is the site you're
  scanning public? Do you give me permission to scan it?
 
  On Mon, Apr 28, 2014 at 10:00 AM, Aman Thakur
  aman.thakur.1...@gmail.com wrote:
   Hi Andres,
  
    Thanks for your reply. I am using the latest version. I pulled the
    latest code from git using the git pull command. So, I think it is up
    to date because git said the same when I ran it again.
  
  
   On Mon, Apr 28, 2014 at 5:25 PM, Andres Riancho
   andres.rian...@gmail.com
   wrote:
  
   Aman,
  
   On Mon, Apr 28, 2014 at 8:32 AM, Aman Thakur
   aman.thakur.1...@gmail.com
   wrote:
Hello Everyone,
Good Day!!
   
 This is my first email to the mailing list. So, if I posted it in a wrong
 fashion, then accept my apologies for that.
   
 I have been using w3af for over 4 weeks now and I am a big fan of w3af now
 due to the ease of use.
   
 But, 3 days ago, I encountered an exception error "An internal error
 occurred while searching for id 4" while performing the scan. As soon as
 the exception came, w3af was closed and no report was generated.
  
   Which w3af version are you using? The latest one shouldn't trigger those
   errors.
  
   http://docs.w3af.org/en/latest/report-a-bug.html#making-sure-you-re-on-the-latest-version
  
 I was using the w3af script to generate the report automatically with the
 command $ w3af_console -s myscriptname. I wanted to ask, is there any
 solution that exists for this exception?
   
 I have done some RnD on this exception and as far as I understand, I think
 this exception was generated by invalid database value access. Meaning the
 values which w3af is trying to get from the database using the id, that
 tuple doesn't exist.
   
 So, I was wondering if any fix is available for this problem?
   
 Any help or suggestions are welcome and appreciated...:)
   
 Thanks
   
 With Regards
 Aman Thakur
   
   
   
   
   
  
  
  
   --
   Andrés Riancho
   Project Leader at w3af - http://w3af.org/
   Web Application Attack and Audit Framework
   Twitter: @w3af
   GPG: 0x93C344F3
  
  
 
 
 
  --
  Andrés Riancho
  Project Leader at w3af - http://w3af.org/
  Web Application Attack and Audit Framework
  Twitter: @w3af
  GPG: 0x93C344F3
 
 



 --
 Andrés Riancho
 Project Leader at w3af - http://w3af.org/
 Web Application Attack and Audit Framework
 Twitter: @w3af
 GPG: 0x93C344F3






-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3


Re: [W3af-users] How to setup Spiderman to use SSL

2014-04-28 Thread Andres Riancho
Aaron,

Well, that's actually a very good question! I haven't used the
spiderman proxy for years, and when I tried now (after reading your
email) I realized that there is no CA being distributed with w3af. The
certificate the w3af is using is at [0], but that's kind of useless to
solve your problem.

A while ago, and without actually hitting this bug, I was on the
right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
will have low priority on my TODO list (see that I'm working on 1.6.1,
a bug fix release, and [1] is in the 1.8 release).

If you're interested in working on this issue, I would gladly
help/guide you through each step.

[0] 
https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
[1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070

On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy atr...@gmail.com wrote:
 Hi!  Is there a tutorial somewhere I can follow on how to setup the SSL
 Certificate Authority (CA) for the spiderman plugin?  When I attempt to
 manually browse my site via the spiderman proxy, I'm presented with the
 This connection is untrusted dialog in Firefox and I'm not permitted to
 the SSL pages.  For Metasploit, I used a certificate that it provided for me
 and that worked beautifully for their framework.  Just curious if there's a
 certificate I can install for w3af located somewhere that I can install for
 spiderman or if I can get instructions on how to approach this problem with
 w3af.

 Thanks!

 --
 Aaron





-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
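
The procedure that comes out of this thread and its 2014-05-05 follow-up earlier on the page (create a CA with openssl, use that CA to sign a certificate for the proxy, and import the CA rather than the leaf certificate into the browser so the "This connection is untrusted" dialog goes away), as an added shell example. It is not code from the thread, from w3af, or from the tutorial Aaron linked. Only the proxy.fake.w3af.org hostname comes from the thread; the CA name, file names, key sizes, validity periods and extension sets are assumptions.

```shell
#!/bin/sh
# Added example (not w3af code): build a private CA with openssl and sign a
# certificate for the spiderman proxy with it. Only the hostname
# proxy.fake.w3af.org comes from the thread; the CA name, file names, key
# sizes and validity periods below are assumptions.
set -eu

# Write one openssl config with an extension section for the CA certificate
# and another for the proxy (leaf) certificate.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_proxy ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:proxy.fake.w3af.org
EOF
}

# make_proxy_cert DIR: creates ca.key, ca.crt, proxy.key and proxy.crt in DIR.
# ca.crt is what the browser imports; the proxy serves proxy.key/proxy.crt.
make_proxy_cert() {
    dir="$1"
    mkdir -p "$dir"
    write_config "$dir/openssl.cnf"

    # 1. CA private key and self-signed CA certificate (-subj overrides the
    #    placeholder CN in the config).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
        -subj "/CN=w3af spiderman test CA" \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -out "$dir/ca.crt"

    # 2. Leaf private key and a CSR for the proxy hostname.
    openssl genrsa -out "$dir/proxy.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/proxy.key" \
        -subj "/CN=proxy.fake.w3af.org" \
        -config "$dir/openssl.cnf" \
        -out "$dir/proxy.csr"

    # 3. Sign the CSR with the CA, attaching the server extensions and SAN.
    openssl x509 -req -sha256 -days 825 -in "$dir/proxy.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_proxy \
        -out "$dir/proxy.crt" 2>/dev/null
}

# check_proxy_cert DIR: returns 0 only if proxy.crt chains to ca.crt and
# carries the expected subjectAltName (a browser checks both).
check_proxy_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/proxy.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/proxy.crt" -noout -text | grep -q 'DNS:proxy.fake.w3af.org'
}

# Usage: sh make_proxy_cert.sh DIR, then import DIR/ca.crt into the browser.
if [ $# -gt 0 ]; then
    make_proxy_cert "$1"
    check_proxy_cert "$1" && echo "CA and proxy certificate written to $1"
fi
```

Keeping the CA and the leaf separate is what answers Aaron's JMeter question: the browser trusts ca.crt once, and proxy.crt can be regenerated whenever it expires without touching the browser again. The caveat with checking a CA into the repository, as proposed in the thread, is that every w3af user then shares the same CA key, and any browser that has imported that CA will accept a certificate for any site signed with it; treat it as a test-only CA and remove it from the browser when the scan is done.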



Re: [W3af-users] w3af_console breaks after import ConsoleUI

2014-04-15 Thread Andres Riancho
List,

After some private emails and a remote debugging session (thanks for
your time mate!) we know two things:
* Assmann's system is completely crazy and makes w3af dead-lock,
hopefully nobody else will hit this bug that we couldn't debug
* We were able to identify a bug in the way I was calling external
programs during dependency checks [0], which created zombie processes.
This one I'll fix shortly.

All in all, a great experience working with Assmann to debug and fix
some issues :)

[0] https://github.com/andresriancho/w3af/issues/2056

Regards,

On Mon, Apr 14, 2014 at 8:53 AM, Andres Riancho
andres.rian...@gmail.com wrote:
 Well, if it hangs in that line then you should be able to do something
 like this:

 try:
     filename = unicode_filename.encode('utf-8')
 except Exception as e:
     print(e)

 On Mon, Apr 14, 2014 at 8:50 AM,  assm...@skygate.de wrote:
 Sorry, as I don't speak Python, I have no idea how to catch any
 exception. The program just hangs, it does not abort or anything.
 Is there a way to force logging of some kind?

 And yes, encoding issues are really kinda magic sometimes.

 Got the exact traceback/exception being raised? It's really strange to
 see an encoding error with such a simple string
 /root/.w3af/tmp/4009/main.db, but it wouldn't be the strangest thing
 I've seen with encodings ;)

 On Mon, Apr 14, 2014 at 6:40 AM,  assm...@skygate.de wrote:
 So...just did this:

 it breaks at line 269:

 filename = unicode_filename.encode('utf-8')

 A filename example would be: /root/.w3af/tmp/4009/main.db

 Sounds strange to me, as no magic happens here.

 Did you add some prints to the setup handler method?
 https://github.com/andresriancho/w3af/blob/master/w3af/core/data/db/dbms.py#L263

 What do you see?

 On Fri, Apr 11, 2014 at 10:26 AM,  assm...@skygate.de wrote:
 Hi Andres,

 I could track it down to the following call:

 w3af/core/data/db/dbms.py:86

 future.result()

 I can read something about blocking here until some thread is
 started... seems that this takes forever.

 Is there anything that can go wrong when starting the sqlite db?
 How can I find out?

 Hope this helps.

 TIA

 Tobias

 Tobias,

 Well, that's the first time someone reports this... and it never
 happened to me either. Could you help us by debugging it a little bit?
 Try adding print statements and follow the code a little bit to see
 where you end up. If your bug report is more specific I'll be able to
 try to reproduce/fix it.

 Regards,

 On Fri, Apr 11, 2014 at 6:36 AM,  assm...@skygate.de wrote:
 Hi,

 I just upgraded my w3af to commit f7d67d80228255. Installed the new
 dependencies and wanted to run w3af_console.

 After startup...no reaction, I need to kill the process to get my 
 shell back.

 Everything is fine till line 15 where ConsoleUI import happens. No
 more output afterwards.

 I run Debian stable, everything up to date.

 Going back some commits doesn't change a thing.

 Any Ideas, what might help me out here?

 TIA

 Tobias








 Kind regards

 Tobias Assmann
 ___

  SkyGate internetworking GmbH
  Pfuelstrasse 5, Aufgang VI
  D - 10997 Berlin
  Commercial register: Berlin Charlottenburg, HRB 87258
  Managing director: Stephan Jensen

  T: +49- (0)30 - 611038-0
  F: +49- (0)30 - 61280465
  W: http://www.skygate.de
 ___



















 --
 Andrés Riancho
 Project Leader at w3af - http://w3af.org/
 Web Application Attack and Audit Framework
 Twitter: @w3af
 GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-users] w3af_console breaks after import ConsoleUI

2014-04-11 Thread Andres Riancho
Did you add some prints to the setup handler method?
https://github.com/andresriancho/w3af/blob/master/w3af/core/data/db/dbms.py#L263

What do you see?

On Fri, Apr 11, 2014 at 10:26 AM,  assm...@skygate.de wrote:
 Hi Andres,

 I could track it down to the following call:

 w3af/core/data/db/dbms.py:86

 future.result()

 I can read something about blocking here until some thread is
 started... seems that this takes forever.

 Is there anything that can go wrong when starting the sqlite db?
 How can I find out?

 Hope this helps.

 TIA

 Tobias

 Tobias,

 Well, that's the first time someone reports this... and it never
 happened to me either. Could you help us by debugging it a little bit?
 Try adding print statements and follow the code a little bit to see
 where you end up. If your bug report is more specific I'll be able to
 try to reproduce/fix it.

 Regards,

 On Fri, Apr 11, 2014 at 6:36 AM,  assm...@skygate.de wrote:
 Hi,

 I just upgraded my w3af to commit f7d67d80228255. Installed the new
 dependencies and wanted to run w3af_console.

 After startup...no reaction, I need to kill the process to get my shell 
 back.

 Everything is fine till line 15 where ConsoleUI import happens. No
 more output afterwards.

 I run Debian stable, everything up to date.

 Going back some commits doesn't change a thing.

 Any Ideas, what might help me out here?

 TIA

 Tobias













-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Kali packaging for w3af - Automated and unittested

2014-04-04 Thread Andres Riancho
Christian,

Did you review the changes in the w3af package? What can we
improve? Could you test the package in a vanilla Kali?

I believe that running all tests is not an option for testing the
deb package, running all packages simply takes a lot of time. We could
write one or two tests, with a target of a local webserver, and run a
simple scan against that... but as with everything I'm doing these
days, I would like it to be automated. The tool to use in this case
seems to be auto-pkg-test: any experience with that?

[0] http://packaging.ubuntu.com/html/auto-pkg-test.html

Regards,

On Thu, Apr 3, 2014 at 9:27 PM, Christian Heinrich
christian.heinr...@cmlh.id.au wrote:
 Andres,

 The w3af nose tests, etc should be executed within the
 ./DEBIAN/rules file i.e.
 https://github.com/andresriancho/w3af-kali/blob/master/debian/rules.

 As far as I am aware there is no Continuous Integration (CI) for Kali
 Linux however CI should be possible with Tox and Jenkins.  You have
 also raised Tox in the past within
 https://github.com/andresriancho/w3af/issues/1048

 On Fri, Apr 4, 2014 at 1:33 AM, Andres Riancho andres.rian...@gmail.com 
 wrote:
 How do you believe we can improve the package? Could you run some
 tests over it to make sure it works well? Do you believe we could add
 some type of automated build + test to the process to make sure it
 doesn't break?


 --
 Regards,
 Christian Heinrich

 http://cmlh.id.au/contact



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



Re: [W3af-users] Kali packaging for w3af - Automated and unittested

2014-04-03 Thread Andres Riancho
Christian,

That's great, thanks! I've been talking with muts at the
#kali-linux channel about packaging the latest w3af version and we've
done some great progress. I believe that we're almost there :) If
you're already used to how Kali packages stuff, this [0] should be a
good starting point for you.

How do you believe we can improve the package? Could you run some
tests over it to make sure it works well? Do you believe we could add
some type of automated build + test to the process to make sure it
doesn't break?

[0] http://git.kali.org/gitweb/?p=packages/w3af.git;a=summary

Regards,

On Wed, Apr 2, 2014 at 12:30 AM, Christian Heinrich
christian.heinr...@cmlh.id.au wrote:
 Andres,

 I can assist and have maintained a package for Kali Linux since December 2012.

 On Wed, Apr 2, 2014 at 2:47 AM, Andres Riancho andres.rian...@gmail.com 
 wrote:
 List,

 Anyone with experience packaging software for Debian/Ubuntu who
 wants to help out? I would like to create a set of scripts which are
 run each time I push to the repository, that will create the .deb
 file, install it in a chroot and test that it works by running a scan.

 Volunteers?

 Regards,
 --
 Andrés Riancho
 Project Leader at w3af - http://w3af.org/
 Web Application Attack and Audit Framework
 Twitter: @w3af
 GPG: 0x93C344F3




 --
 Regards,
 Christian Heinrich

 http://cmlh.id.au/contact



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3



[W3af-users] Kali packaging for w3af - Automated and unittested

2014-04-01 Thread Andres Riancho
List,

Anyone with experience packaging software for Debian/Ubuntu who
wants to help out? I would like to create a set of scripts which are
run each time I push to the repository, that will create the .deb
file, install it in a chroot and test that it works by running a scan.

Volunteers?

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3


