Hi all,
Kevin, nice idea.
I'll try to improve that and write a plugin to detect if a
webapp switches from URL rewriting to cookies or vice versa.
The idea is:
send URL with session parameter
check if webapp sends Set-Cookie with that value
If Set-Cookie comes back with the preset value, we also have
a potential session fixation.
Andres, will that plugin be in plugin/discovery?
Cheers
Achim
On Wed, 20 May 2009, Muffys Wump wrote:
!! Hi List,
!!
!! Some time ago we've implemented a feature into the webSpider which allows you to set
!! URL parameters to all discovered pages. e.g.
!! http://foo.bar/page.jsp;jsessionid=xxxxx?id=5.
!! My motivation was to set a JSESSIONID of a previously authenticated session in order
!! to use w3af as a nightly running automated security testing framework.
!! I was thinking that this should also be available for web applications which use
!! cookies instead of URL parameters to store session information.
!!
!! The webSpider would change the cookie string to the user configured parameter for
!! every request:
!! >> discovery config webSpider
!! >> set cookieString 'PHPSESSIONID=yyyyyyy'
!!
!! I've found a similar request in the users list: "How to teach w3af to log in prior to
!! spidering and testing".
!! The proxy plugin wouldn't work because it needs to be done without user interaction in my
!! case.
!!
!! What do you think about that? I would be happy to implement this.
!!
!! Cheers,
!! Kevin
!!
!!
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
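The check Achim sketches above (send a URL carrying a client-chosen session identifier, then look at whether the application's Set-Cookie echoes that same value back) is shown here as an added example. This is not w3af code and not a plugin from the project; the function and variable names are my own, the list of session parameter names is an assumption, and the target webapp is replaced by two constructed in-memory stand-ins (one that adopts the client-supplied id, one that issues its own) so the block runs offline.

```python
# Added example of the "URL session id echoed in Set-Cookie" check described
# in the thread. Hypothetical names throughout; not w3af's own plugin code.
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumed list of parameter/cookie names that commonly carry a session id.
SESSION_NAMES = ("jsessionid", "phpsessid", "phpsessionid", "sessionid", "sid")


def session_ids_in_url(url):
    """Return {name: value} for session ids the client placed in the URL.

    Handles both the servlet-style path parameter (/page.jsp;jsessionid=xxx)
    and ordinary query parameters (?PHPSESSID=yyy). Names are lower-cased.
    """
    parts = urlsplit(url)
    found = {}
    # Path parameters: ";name=value" segments after the resource name.
    for match in re.finditer(r";([^=;/?]+)=([^;/?]*)", parts.path):
        name, value = match.group(1).lower(), match.group(2)
        if name in SESSION_NAMES and value:
            found[name] = value
    # Query parameters.
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_NAMES and values and values[0]:
            found[name.lower()] = values[0]
    return found


def echoed_session_cookies(url, set_cookie_headers):
    """Return [(cookie_name, value)] for every Set-Cookie whose value equals a
    session id the client chose in the URL.

    A non-empty result means the application accepted a caller-supplied session
    identifier instead of generating its own, i.e. a potential session fixation.
    Matching is done on the value, so a URL parameter "sid" echoed as cookie
    "PHPSESSID" is still caught.
    """
    chosen = set(session_ids_in_url(url).values())
    if not chosen:
        return []
    echoed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "NAME=value; Path=/; HttpOnly" etc.
        for name, morsel in jar.items():
            if morsel.value in chosen:
                echoed.append((name, morsel.value))
    return echoed


# Constructed stand-ins for the target application. Each takes a URL and
# returns the list of Set-Cookie header values the server would answer with.
def fixating_app(url):
    """Adopts whatever jsessionid the client put in the URL (the bad case)."""
    sid = session_ids_in_url(url).get("jsessionid", "server-generated-abc")
    return [f"JSESSIONID={sid}; Path=/; HttpOnly"]


def safe_app(url):
    """Ignores the URL id and always issues its own session (the good case)."""
    return ["JSESSIONID=server-generated-abc; Path=/; HttpOnly"]


def check_app(fetch, url):
    """Run the check against a fetch callable (constructed app or real client)."""
    return echoed_session_cookies(url, fetch(url))


if __name__ == "__main__":
    probe = "http://foo.bar/page.jsp;jsessionid=xxxxx?id=5"  # constructed probe URL
    for label, app in (("fixating_app", fixating_app), ("safe_app", safe_app)):
        hits = check_app(app, probe)
        verdict = "potential session fixation" if hits else "ok"
        print(f"{label}: {verdict} {hits}")
```

In a real plugin the `fetch` callable would issue the HTTP request and return the response's Set-Cookie headers; everything else stays the same. The value-based comparison is deliberate: the webapp may rename the cookie, but if it adopts the caller's identifier the value will be identical.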