[W3af-users] Script for automated testing
Hi, I am using the script which is taken from https://www.owasp.org/index.php/Automated_Audit_using_W3AF. I did some editing (removed the authentication details) and the current version which I am using is given below. When I run the script, the scanning is not started; instead it gives the w3af console. Please guide; I am using the latest version of w3af in Kali. The script is given below.

# ---
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# ---
#Configure HTTP settings
http-settings
set timeout 30
back
#Configure scanner global behaviours
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
plugins
#Configure entry point (CRAWLING) scanner
crawl web_spider
crawl config web_spider
set only_forward False
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back
#Configure vulnerability scanners
##Specify the list of AUDIT plugins to use
audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
##Customise the behaviour of each audit plugin when needed
audit config file_upload
set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
back
##Specify the list of GREP plugins to use (a grep plugin can also find vulnerabilities or information disclosure)
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
##Specify the list of INFRASTRUCTURE plugins to use (an infrastructure plugin can find information disclosure)
infrastructure server_header, server_status, domain_dot, dot_net_errors
back
#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file /tmp/samir-W3afReport.html
set verbose False
back
output config console
set verbose True
back
back
#Set target information, do a cleanup and run the scan
target
set target http://www.xxx.com
back
cleanup
start

shafeeque

--
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] Script for automated testing
Are you running ./w3af_console -s script.w3af ?

On Tue, Jun 24, 2014 at 11:03 AM, Shafeeque O.K [gmail] shafoff...@gmail.com wrote:
> Hi, I am using the script which is taken from https://www.owasp.org/index.php/Automated_Audit_using_W3AF. I did some editing (removed the authentication details) and the current version which I am using is given below. When I run the script, the scanning is not started; instead it gives the w3af console. Please guide; I am using the latest version of w3af in Kali.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-users] Script for automated testing
Yes.

Regards,
Shafeeque Olassery Kunnikkal
C|EH, C|EI
Graytips Cyber Technologies | www.graytips.com

On Tue, Jun 24, 2014 at 7:37 PM, Andres Riancho andres.rian...@gmail.com wrote:
> Are you running ./w3af_console -s script.w3af ?
Re: [W3af-users] Script for automated testing
Could you send us the complete output from the console? Maybe a screenshot?

On Tue, Jun 24, 2014 at 11:12 AM, Shafeeque O.K [gmail] shafoff...@gmail.com wrote:
> Yes.
>
> Regards,
> Shafeeque Olassery Kunnikkal
> C|EH, C|EI
> Graytips Cyber Technologies | www.graytips.com
>
> On Tue, Jun 24, 2014 at 7:37 PM, Andres Riancho andres.rian...@gmail.com wrote:
>> Are you running ./w3af_console -s script.w3af ?

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
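A static check for the script posted at the top of the thread, added here as an example; it is not w3af project code, and the thread itself never reaches a diagnosis. It assumes the w3af console menu layout that the script already relies on: http-settings, misc-settings, target and plugins are entered from the root prompt, audit / crawl / grep / infrastructure / output are commands of the plugins menu, "<type> config <plugin>" opens that plugin's option menu, and back leaves the current menu. The embedded POSTED_SCRIPT is an abridged copy of the posted one (plugin lists and comments shortened, the menu and back sequence kept as posted); the FIXED_SCRIPT variant, which drops the back issued right after the infrastructure line so that the output configuration stays inside the plugins menu, is the author's assumption about the intended nesting, not something the thread states.

```python
"""Sanity-check a w3af console script before running ./w3af_console -s script.w3af.

Added example, not w3af project code. The console is modelled as a stack of menus
(assumption: the w3af 1.x menu layout that the posted script uses).
"""

ROOT_MENUS = {"http-settings", "misc-settings", "target", "plugins"}  # entered from root, left with 'back'
PLUGIN_TYPES = {"audit", "auth", "bruteforce", "crawl", "evasion", "grep",  # commands of the plugins menu;
                "infrastructure", "mangle", "output"}                        # '<type> config <name>' opens a sub-menu
ROOT_ACTIONS = {"cleanup", "start"}  # only meaningful at the root prompt


def lint_w3af_script(text):
    """Return {'reaches_start': bool, 'findings': [(lineno, message), ...]}.

    reaches_start is True only when 'start' is issued from the root menu. Console
    commands not modelled here (list, view, exit, ...) are ignored.
    """
    stack, findings, reaches_start = [], [], False

    def where():
        return "/".join(stack) or "<root>"

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # w3af ignores blank lines and comments
        words = line.split()
        cmd = words[0]
        if cmd == "back":
            if stack:
                stack.pop()
            else:
                findings.append((lineno, "'back' at the root menu: one 'back' too many earlier"))
        elif cmd in ROOT_MENUS:
            if stack:
                findings.append((lineno, f"'{cmd}' is a root-menu command, issued inside {where()}"))
            else:
                stack.append(cmd)
        elif cmd in PLUGIN_TYPES:
            if stack != ["plugins"]:
                findings.append((lineno, f"'{cmd}' is only valid in the plugins menu, issued in {where()}"))
            elif len(words) >= 3 and words[1] == "config":
                stack.append(f"{cmd} config {words[2]}")  # enter the plugin's option menu
        elif cmd == "set" and not stack:
            findings.append((lineno, f"'set' at the root menu configures nothing: {line!r}"))
        elif cmd in ROOT_ACTIONS:
            if stack:
                findings.append((lineno, f"'{cmd}' issued inside {where()} instead of the root menu"))
            elif cmd == "start":
                reaches_start = True
    if not reaches_start:
        findings.append((0, "script never issues 'start' from the root menu"))
    return {"reaches_start": reaches_start, "findings": findings}


# Abridged copy of the script posted in the thread (constructed test input): plugin
# lists and comments shortened, the menu / 'back' sequence kept exactly as posted.
POSTED_SCRIPT = """\
# W3AF AUDIT SCRIPT FOR WEB APPLICATION (abridged)
http-settings
set timeout 30
back
plugins
crawl web_spider
crawl config web_spider
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back
audit blind_sqli, sqli, xss
audit config file_upload
set extensions jsp,php,asp,aspx
back
infrastructure server_header, server_status, domain_dot, dot_net_errors
back
output console, html_file
output config html_file
set output_file /tmp/samir-W3afReport.html
set verbose False
back
output config console
set verbose True
back
back
target
set target http://www.xxx.com
back
cleanup
start
"""

# Assumed fix: without the 'back' right after 'infrastructure', the output plugins are
# configured inside the plugins menu and the trailing 'back', 'back' returns to root.
FIXED_SCRIPT = POSTED_SCRIPT.replace("dot_net_errors\nback\n", "dot_net_errors\n", 1)

if __name__ == "__main__":
    for name, script in (("posted", POSTED_SCRIPT), ("fixed", FIXED_SCRIPT)):
        result = lint_w3af_script(script)
        print(f"{name}: reaches start = {result['reaches_start']}, {len(result['findings'])} finding(s)")
        for lineno, msg in result["findings"]:
            print(f"  line {lineno}: {msg}")
```

Run it on the .w3af file before ./w3af_console -s script.w3af. Every finding it reports is a command the console would receive in the wrong menu; the complete console output Andrés asks for is the place to confirm whether w3af actually rejected those lines on the user's machine.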