Olle,

On Fri, Mar 13, 2009 at 6:42 AM, olle <o...@nxs.se> wrote:
> On Wed, Mar 11, 2009 at 02:10:20PM -0200, Andres Riancho wrote:
>>
>> > The webSpider module gets confused by Apache error pages and gets stuck in
>> > a loop as the log shows:
>
>> > New URL found by webSpider plugin:
>> > http://10.80.2.1/support/admin/Apache/Apache/Apache/Apache/Apache/1.3.23
>> >
>> > Where /support/admin looks like:
>> >
>> > HTTP/1.1 403 Forbidden
>> > date: Mon, 09 Mar 2009 15:54:21 GMT
>> > transfer-encoding: chunked
>> > content-type: text/html; charset=iso-8859-1
>> > server: Apache/1.3.23 (Unix) PHP/4.1.2
>> >
>> >
>> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> > <HTML><HEAD>
>> > <TITLE>403 Forbidden</TITLE>
>> > </HEAD><BODY>
>> > <H1>Forbidden</H1>
>> > You don't have permission to access /support/admin/
>> > on this server.<P>
>> > <HR>
>> > <ADDRESS>Apache/1.3.23 Server at xxx.xxx.xxx.xxx Port 80</ADDRESS>
>> > </BODY></HTML>
>>
>> hmmm, I haven't tested it, but I think that if you "svn update" your
>> "branches/1.0" directory, you'll find a version that fixes this bug. I
>> simply changed the way that w3af detects 404 pages. The default was
>> "autodetect", which has proven to suck in practice; now I changed it
>> to "by Directory And Extension".
>
> Sorry, that doesn't seem to help..
>
> [ Thu 12 Mar 2009 05:18:10 PM CET - debug ] GET
> http://10.80.2.1/support/admin/Apache/Apache/1.3.23 returned HTTP code "403"
> - id: 13374
> [ Thu 12 Mar 2009 05:18:10 PM CET - debug ] Starting grepWorker for response:
> < httpResponse | 403 | http://10.80.2.1/support/admin/Apache/Apache/1.3.23 |
> id:13374 >
> [ Thu 12 Mar 2009 05:18:11 PM CET - debug ] Finished grepWorker for response:
> < httpResponse | 403 | http://10.80.2.1/support/admin/Apache/Apache/1.3.23 |
> id:13374 >
> [ Thu 12 Mar 2009 05:18:11 PM CET - debug ] HEAD
> http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23
> [ Thu 12 Mar 2009 05:18:11 PM CET - debug ] HEAD
> http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23 returned HTTP code
> "403" - id: 13375
> [ Thu 12 Mar 2009 05:18:11 PM CET - debug ] Starting grepWorker for response:
> < httpResponse | 403 |
> http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23 | id:13375 >
> [ Thu 12 Mar 2009 05:18:11 PM CET - debug ] Finished grepWorker for response:
> < httpResponse | 403 |
> http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23 | id:13375 >
> [ Thu 12 Mar 2009 05:18:11 PM CET - debug ] GET
> http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23 returned HTTP code
> "403" - id: 13376
> [ Thu 12 Mar 2009 05:18:11 PM CET - debug ] Starting grepWorker for response:
> < httpResponse | 403 |
> http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23 | id:13376 >
> [ Thu 12 Mar 2009 05:18:12 PM CET - debug ] Finished grepWorker for response:
> < httpResponse | 403 |
> http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23 | id:13376 >
> [ Thu 12 Mar 2009 05:22:29 PM CET - debug ] GET
> http://10.80.2.1/support/admin/Apache/Apache/1.3.23 returned HTTP code "403"
> - id: 14717
> [ Thu 12 Mar 2009 05:22:29 PM CET - debug ] Starting grepWorker for response:
> < httpResponse | 403 | http://10.80.2.1/support/admin/Apache/Apache/1.3.23 |
> id:14717 >
> [ Thu 12 Mar 2009 05:22:30 PM CET - debug ] Finished grepWorker for response:
> < httpResponse | 403 | http://10.80.2.1/support/admin/Apache/Apache/1.3.23 |
> id:14717 >
> [ Thu 12 Mar 2009 05:22:37 PM CET - information ] New URL found by webSpider
> plugin: http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23

This is the output of "grep Apache output.txt | grep 1.3.23", right?
I'm missing some information that could help me debug this issue.
Maybe you could send us "grep Apache output.txt"? That would give me
some more info. Thanks!

> Perhaps the solution should be for the webSpider NOT to pick up the Apache
> version from the <ADDRESS> tag as a link?

No, if the whole system would work as expected, I would like it to
pick up "Apache/1.3.23" as a possible URL, test it, find out that it's
a 404, and discard it. Why? Because maybe in some cases I could be
finding something that might actually be valid.

Cheers,

> /olle
>

-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
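
The loop reported in this thread, and the "test it, find out that it's a 404, and discard it" behaviour described in the reply, as an added example that is not w3af code and not part of the original messages. The fetch() stub, the link-extraction regex and the probe file name are assumptions made for the illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the host in the thread: every path under
# /support/admin/ answers 403 with the same Apache error page.
PAGE = ("<H1>Forbidden</H1>\nYou don't have permission to access {path}\n"
        "on this server.<P>\n<HR>\n"
        "<ADDRESS>Apache/1.3.23 Server at xxx.xxx.xxx.xxx Port 80</ADDRESS>")

def fetch(url):
    return 403, PAGE.format(path=urlsplit(url).path)

# Assumption: the spider treats bare "name/name" tokens in the body as
# relative links, which is how "Apache/1.3.23" becomes a candidate URL.
REL_LINK = re.compile(r"(?<![\w/<])[A-Za-z][\w.]*/[\w.]+")

def normalise(url, body):
    # Drop the echoed request path so two error pages compare equal.
    return body.replace(urlsplit(url).path, "")

def is_soft_404(url, code, body):
    """Compare the response with the one for a name that cannot exist in
    the same directory (hypothetical probe name)."""
    probe = urljoin(url, "no-such-page-7f3a.html")
    p_code, p_body = fetch(probe)
    ratio = SequenceMatcher(None, normalise(url, body),
                            normalise(probe, p_body)).ratio()
    return code == p_code and ratio > 0.9

def crawl(seed, check_404, limit=25):
    """Return the URLs the spider reports as found, stopping at `limit`."""
    found, queue, seen = [], [seed], {seed}
    while queue and len(found) < limit:
        url = queue.pop(0)
        code, body = fetch(url)
        if check_404 and url != seed and is_soft_404(url, code, body):
            continue  # same error page as the probe: discard, do not parse
        found.append(url)
        for rel in REL_LINK.findall(body):
            nxt = urljoin(url, rel)  # resolves under the current "directory"
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return found
```

With check_404=False the crawl only stops at the limit, each URL one "Apache/" segment deeper than the last; with check_404=True only the seed is reported.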