Achim,

On Wed, May 20, 2009 at 5:24 AM, Achim Hoffmann <a...@securenet.de> wrote:
> Hi all,
>
> Kevin, nice idea.
>
> I'll try to improve that and write a plugin to detect if a
> webapp switches from URL rewriting to cookies or vice versa.
> The idea is:
>     send url with session parameter
>     check if webapp sends Set-Cookie with that value
> If Set-Cookie comes back with preset value, we also have
> a potential session fixation

I don't know how you understood this from Kevin's email, but great for
us that you did it, because it would be great to have this feature.

> Andres, will that plugin be in plugin/discovery?

Hmmm, it is an audit plugin, because you would be finding a
vulnerability (session fixation) and not a new resource. Do you agree?

Cheers,

> Cheers
> Achim
>
> On Wed, 20 May 2009, Muffys Wump wrote:
>
> !! Hi List,
> !!
> !! Some time ago we've implemented a feature into the webSpider which allows you to set
> !! URL parameters to all discovered pages. e.g.
> !! http://foo.bar/page.jsp;jsessionid=xxxxx?id=5.
> !! My motivation was to set a JSESSIONID of a previously authenticated session in order
> !! to use w3af as a nightly running automated security testing framework.
> !! I was thinking that this should also be available for web applications which use
> !! cookies instead of URL parameters to store session information.
> !!
> !! The webSpider would change the cookie string to the user configured parameter for
> !! every request:
> !! >> discovery config webSpider
> !! >> set cookieString 'PHPSESSIONID=yyyyyyy'
> !!
> !! I've found a similar request in the users list: "How to teach w3af to log in prior to
> !! spidering and testing".
> !! The proxy plugin wouldn't work because it needs to be done without user interaction in my
> !! case.
> !!
> !! What do you think about that? I would be happy to implement this.
> !!
> !! Cheers,
> !! Kevin
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
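
The check Achim outlines in the quoted message (send a URL carrying a session parameter, then see whether Set-Cookie comes back with that same value), as an added example that is not part of the thread and not w3af's own code. The function names, the probe value and the response headers are assumptions constructed for illustration; only the URL shape comes from Kevin's mail.

```python
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit


def preset_session_from_url(url):
    """Return (name, value) of a trailing ;name=value path parameter, else None."""
    path = urlsplit(url).path  # urlsplit keeps ";jsessionid=..." in the path
    if ";" not in path:
        return None
    name, sep, value = path.rsplit(";", 1)[1].partition("=")
    return (name, value) if sep and value else None


def cookies_echoing_preset(url, set_cookie_headers):
    """Names of cookies whose value equals the session value we sent in the URL."""
    preset = preset_session_from_url(url)
    if preset is None:
        return []
    echoed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue  # malformed header: nothing to compare
        echoed += [name for name, morsel in jar.items() if morsel.value == preset[1]]
    return echoed


# Constructed sample data (the probe value is made up and chosen to be unique).
PROBE_URL = "http://foo.bar/page.jsp;jsessionid=PROBE0001FIXATION?id=5"
ADOPTS_PRESET = ["JSESSIONID=PROBE0001FIXATION; Path=/; HttpOnly"]
ISSUES_FRESH_ID = ["JSESSIONID=8F3A9C2D71B04E55; Path=/; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("adopts", ADOPTS_PRESET), ("fresh", ISSUES_FRESH_ID)):
        hits = cookies_echoing_preset(PROBE_URL, headers)
        print(label, "-> potential session fixation" if hits else "-> no echo", hits)
```

Comparing on the value instead of the name lets the check survive the `jsessionid` / `JSESSIONID` case difference between the URL parameter and the cookie.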