Muffys,

On Fri, May 22, 2009 at 5:02 AM, Muffys Wump <muff...@hotmail.com> wrote:
> Hi Andres,
>
>> Date: Wed, 20 May 2009 10:20:57 -0300
>> Subject: Re: [W3af-develop] WepSpider Cookie Feature
>> From: andres.rian...@gmail.com
>> To: muff...@hotmail.com
>> CC: w3af-develop@lists.sourceforge.net
>>
>> Muffys,
>>
>> On Wed, May 20, 2009 at 4:46 AM, Muffys Wump <muff...@hotmail.com> wrote:
>> > Hi List,
>> >
>> > Some time ago we implemented a feature in the webSpider which allows
>> > you to set URL parameters on all discovered pages, e.g.
>> > http://foo.bar/page.jsp;jsessionid=xxxxx?id=5.
>> > My motivation was to set the JSESSIONID of a previously authenticated
>> > session in order to use w3af as a nightly running automated security
>> > testing framework.
>> > I was thinking that this should also be available for web applications
>> > which use cookies instead of URL parameters to store session information.
>> >
>> > The webSpider would change the cookie string to the user-configured
>> > parameter for every request:
>> >
>> >   >>> discovery config webSpider
>> >   >>> set cookieString 'PHPSESSIONID=yyyyyyy'
>> >
>> > I found a similar request in the users list: "How to teach w3af to
>> > log in prior to spidering and testing".
>> > The proxy plugin wouldn't work because it needs to be done without user
>> > interaction in my case.
>> >
>> > What do you think about that? I would be happy to implement this.
>>
>> For starters, the "add a cookie" feature can be done in three different
>> ways:
>>   - Manually with the discover.spiderMan proxy
>>   - By passing a cookieJar file to http-config.cookies
>>   - By adding a new header manually, "Cookie: ....", in
>>     http-config.headersFile
>>
>> So I think that there is no need to add this feature to
>> discovery.webSpider.
>>
>> On the other hand, some time ago, while reviewing the webSpider code I
>> was thinking: "why did THIS end up HERE and not in the core?". I
>> think that if you've got the time you should remove the session
>> parameter feature from the webSpider code, and:
>>   - Add the configuration to http-config.cookies (which really is
>>     done in urlOpenerSettings.py)
>>   - Create a new urllib2 handler (core/data/url/handlers) that will
>>     add the session parameter to each request (if the user configured the
>>     framework to do so).
>>
>> This is needed because if we keep our current configuration, only
>> discover.webSpider will be using the session parameter, which sucks,
>> because other resources that may be found could not reveal their full
>> content because we're not passing the session cookie to them.
>>
>> What do you think? Do you have the time to do it?
>>
>
> Thanks for your input. I didn't know you can set cookies in three different
> ways. This might be something for the documentation if it's not already
> mentioned. Some people I work with asked me repeatedly if it's possible to
> "log in" with w3af prior to scanning.

I think it's in the users guide. But I'm not sure.

> I'll change the code accordingly to your proposal starting next week.

Thanks =)

> Cheers,
> Kevin
>
>> Cheers,
>>
>> > Cheers,
>> > Kevin
>> >
>> > _______________________________________________
>> > W3af-develop mailing list
>> > W3af-develop@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
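What the core-level handler Andrés proposes could look like, as an added example that is not w3af's own code and not part of the thread. It is written against Python 3's urllib.request, the successor of the urllib2 module the thread refers to; the names SessionParamHandler, add_path_param, merge_cookie, prepare_request and the target_host parameter are hypothetical. The handler covers both cases from the thread (a ;jsessionid=... path parameter and a Cookie header) and adds the check a practitioner would want: the session is only attached to requests for the configured target host, because the spider also follows links to third-party hosts and an authenticated session must not be sent to them.

```python
"""Added example (not w3af's own code): a urllib handler that injects a
configured session identifier into every request, along the lines of the
core/data/url/handlers handler proposed in the thread.  Python 3's
urllib.request stands in for urllib2; class and function names are
hypothetical."""
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def add_path_param(url, param):
    """Return url with ';param' set on the last path segment, in front of the
    query string: http://foo.bar/page.jsp?id=5 becomes
    http://foo.bar/page.jsp;jsessionid=xxxxx?id=5.  A path parameter of the
    same name already present (say a jsessionid the spider picked up from a
    link) is replaced, so the configured session always wins."""
    parts = urlsplit(url)
    name = param.split("=", 1)[0]
    segments = (parts.path or "/").split("/")
    pieces = segments[-1].split(";")
    kept = [p for p in pieces[1:] if p.split("=", 1)[0] != name]
    segments[-1] = ";".join([pieces[0]] + kept + [param])
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments),
                       parts.query, parts.fragment))


def merge_cookie(existing, cookie_string):
    """Merge 'NAME=value' into an existing Cookie header value, replacing a
    cookie of the same name and keeping the others."""
    name = cookie_string.split("=", 1)[0].strip()
    kept = []
    for item in (existing or "").split(";"):
        item = item.strip()
        if item and item.split("=", 1)[0].strip() != name:
            kept.append(item)
    return "; ".join(kept + [cookie_string])


class SessionParamHandler(urllib.request.BaseHandler):
    """Attach the session to every outgoing request as a URL path parameter
    (url_param, e.g. 'jsessionid=xxxxx'), a Cookie header (cookie_string,
    e.g. 'PHPSESSIONID=yyyyyyy'), or both.

    target_host scopes the injection: requests to any other host leave the
    handler untouched, so the session never reaches third-party sites.
    """
    handler_order = 100  # below the default 500: runs before the cookie
                         # processor and the HTTP/HTTPS handlers

    def __init__(self, url_param=None, cookie_string=None, target_host=None):
        self.url_param = url_param
        self.cookie_string = cookie_string
        self.target_host = target_host.lower() if target_host else None

    def _in_scope(self, req):
        if self.target_host is None:
            return True
        return urlsplit(req.full_url).hostname == self.target_host

    def http_request(self, req):
        if not self._in_scope(req):
            return req
        if self.url_param:
            req.full_url = add_path_param(req.full_url, self.url_param)
        if self.cookie_string:
            merged = merge_cookie(req.get_header("Cookie"), self.cookie_string)
            # Drop any Cookie header the caller set and add ours as an
            # unredirected header: urllib does not copy those onto a
            # redirected request, which instead passes through this handler
            # again and is re-scoped against target_host.
            req.remove_header("Cookie")
            req.add_unredirected_header("Cookie", merged)
        return req

    https_request = http_request


def prepare_request(handler, url, headers=None):
    """Build a Request and run it through the handler the way an opener from
    urllib.request.build_opener(handler) would, without sending it."""
    req = urllib.request.Request(url, headers=headers or {})
    return handler.http_request(req)


if __name__ == "__main__":
    handler = SessionParamHandler(url_param="jsessionid=xxxxx",
                                  cookie_string="PHPSESSIONID=yyyyyyy",
                                  target_host="foo.bar")
    # urllib.request.build_opener(handler).open(url) would now carry the
    # session on every request; here only the rewrite is shown (no network).
    req = prepare_request(handler, "http://foo.bar/page.jsp?id=5")
    print(req.full_url, "|", req.get_header("Cookie"))
```

Installed via urllib.request.build_opener(handler), the handler applies to every plugin that uses the shared opener, which is the point of moving it out of webSpider: a resource found by any discovery plugin is then fetched with the session, not only the pages the spider crawls.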