Muffys,

On Wed, May 20, 2009 at 4:46 AM, Muffys Wump <muff...@hotmail.com> wrote:
> Hi List,
>
> Some time ago we've implemented a feature into the webSpider which allows
> you to set URL parameters to all discovered pages. e.g.
> http://foo.bar/page.jsp;jsessionid=xxxxx?id=5.
> My motivation was to set a JSESSIONID of a previously authenticated session
> in order to use w3af as a nightly running automated security testing
> framework.
> I was thinking that this should also be available for web applications which
> use cookies instead of URL parameters to store session information.
>
> The webSpider would change the cookie string to the user configured
> parameter for every request:
>>> discovery config webSpider
>>> set cookieString 'PHPSESSIONID=yyyyyyy'
>
> I've found a similar request in the users list: "How to teach w3af to log in
> prior to spidering and testing".
> The proxy plugin wouldn't work because it needs to be done without user
> interaction in my case.
>
> What do you think about that? I would be happy to implement this.

For starters, the "add a cookie" feature can be done in three different ways:
    - Manually with the discover.spiderMan proxy
    - By passing a cookieJar file to http-config.cookies
    - By adding a new header manually "Cookie: ...." in http-config.headersFile

So I think that there is no need to add this feature to discovery.webSpider.

On the other hand, some time ago, while reviewing the webSpider code I
was thinking: "why did THIS end up HERE and not in the core?". I
think that if you've got the time you should remove the session
parameter feature from the webSpider code, and:
    - Add the configuration to http-config.cookies (which really is done in urlOpenerSettings.py)
    - Create a new urllib2 handler (core/data/url/handlers) that will add the session parameter to each request (if the user configured the framework to do so).

This is needed because if we keep our current configuration, only
discover.webSpider will be using the session parameter, which sucks,
because other resources that may be found could not reveal their full
content because we're not passing the session cookie to it.

What do you think? Do you have the time to do it?

Cheers,
> Cheers,
> Kevin
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables
> unlimited royalty-free distribution of the report engine
> for externally facing server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
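
The handler suggested in the reply above, sketched as an added example (not w3af code and not part of the original message) with Python 3's urllib.request, the successor to urllib2. The class name SessionHandler, its parameters and the restriction of the session to one configured host are assumptions of this example.

```python
from urllib.parse import urlparse
from urllib.request import BaseHandler, Request


class SessionHandler(BaseHandler):
    """Attach a pre-authenticated session to every request sent to one host."""

    handler_order = 400  # run before the default (500) request processors

    def __init__(self, host, cookie=None, url_param=None):
        self.host = host.lower()    # only this host ever receives the session
        self.cookie = cookie        # e.g. "PHPSESSIONID=yyyyyyy"
        self.url_param = url_param  # e.g. "jsessionid=xxxxx"

    def http_request(self, req):
        parsed = urlparse(req.full_url)
        if (parsed.hostname or "").lower() != self.host:
            return req  # never leak the session to other hosts the crawl finds
        if self.url_param and not parsed.params:
            # Produces /page.jsp;jsessionid=xxxxx?id=5 style URLs.
            req.full_url = parsed._replace(params=self.url_param).geturl()
        if self.cookie:
            name = self.cookie.split("=", 1)[0]
            # Keep cookies already on the request, replacing a same-named one.
            kept = [c.strip() for c in req.get_header("Cookie", "").split(";")
                    if c.strip() and c.strip().split("=", 1)[0] != name]
            req.remove_header("Cookie")
            # Unredirected: urllib does not copy it onto a redirect target.
            req.add_unredirected_header("Cookie", "; ".join(kept + [self.cookie]))
        return req

    https_request = http_request


def demo():
    """Run constructed sample requests through the handler without any I/O."""
    h = SessionHandler("foo.bar", cookie="PHPSESSIONID=yyyyyyy",
                       url_param="jsessionid=xxxxx")
    inside = h.http_request(Request("http://foo.bar/page.jsp?id=5",
                                    headers={"Cookie": "lang=en"}))
    outside = h.http_request(Request("http://other.example/"))
    return inside.full_url, inside.get_header("Cookie"), outside.get_header("Cookie")
```

Installed with `urllib.request.build_opener(SessionHandler(...))`, the handler applies to every request made through that opener, not only those issued by one plugin.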
