Andres,
I was running it on a local application on IIS; I have no idea what
customizations the developers had done on the IIS configuration. So this is
non-standard behaviour .. right.
On Tue, Jan 25, 2011 at 11:34 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Yonny,
>
> On Tue, Jan 25, 2011 at 2:22 PM, yonny mutai <yon...@googlemail.com>
> wrote:
> > Hi guys,
> >
> > Don't know if this is the right place ....
>
> Sure, shoot! :)
>
> > w3af bombed as shown below:
> >
> ...
> >
> > The remote HTTP Server omitted the "server" header in its response. This
> > information was found in the request with id 203.
> > Hmap web server fingerprint is starting, this may take a while.
> > The most accurate fingerprint for this HTTP server is:
> > "['Microsoft-IIS/6.0', None]".
>
> It seems that the hmap plugin is saving something strange to the KB
>
> > Unhandled error, traceback: Traceback (most recent call last):
> >   File "/pentest/web/w3af/core/controllers/w3afCore.py", line 419, in start
> >     self._realStart()
> >   File "/pentest/web/w3af/core/controllers/w3afCore.py", line 491, in _realStart
> >     self._fuzzableRequestList = self._discover_and_bruteforce()
> >   File "/pentest/web/w3af/core/controllers/w3afCore.py", line 364, in _discover_and_bruteforce
> >     discovered_fr_list = self._discover( tmp_list )
> >   File "/pentest/web/w3af/core/controllers/w3afCore.py", line 712, in _discover
> >     result = self._discoverWorker( toWalk )
> >   File "/pentest/web/w3af/core/controllers/w3afCore.py", line 781, in _discoverWorker
> >     pluginResult = plugin.discover_wrapper( fr )
> >   File "/pentest/web/w3af/core/controllers/basePlugin/baseDiscoveryPlugin.py", line 48, in discover_wrapper
> >     return self.discover( fuzzable_request_copy )
> >   File "/pentest/web/w3af/plugins/discovery/pykto.py", line 103, in discover
> >     self.__run( url )
> >   File "/pentest/web/w3af/plugins/discovery/pykto.py", line 143, in __run
> >     self._pykto( url , test_list )
> >   File "/pentest/web/w3af/plugins/discovery/pykto.py", line 251, in _pykto
> >     if self._generic_scan or self._server_match( server ):
> >   File "/pentest/web/w3af/plugins/discovery/pykto.py", line 322, in _server_match
> >     msg = 'pykto plugin is using "' + kb_server + '" as the remote server type.'
> > TypeError: cannot concatenate 'str' and 'list' objects
>
> And then pykto crashes when trying to use it as it expects a string.
>
> > Exception in thread Thread-11:
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
> >     self.run()
> >   File "/usr/lib/python2.6/threading.py", line 484, in run
> >     self.__target(*self.__args, **self.__kwargs)
> >   File "/pentest/web/w3af/core/ui/consoleUi/rootMenu.py", line 119, in _real_start
> >     raise e
> > TypeError: cannot concatenate 'str' and 'list' objects
> >
>
> It looks like this happens when the remote server doesn't set a
> "Server:" header in its response.
>
> Do you have a way in which I can reproduce this in order to
> complete the fix? If so, I could do it today.
>
> Regards,
>
> >
> >
> ------------------------------------------------------------------------------
> > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> > Finally, a world-class log management solution at an even better
> price-free!
> > Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> > February 28th, so secure your free ArcSight Logger TODAY!
> > http://p.sf.net/sfu/arcsight-sfd2d
> > _______________________________________________
> > W3af-develop mailing list
> > W3af-develop@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >
> >
>
>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
>
--
Regards
Yonny Mutai
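
An added example, not part of the original thread and not w3af's code: the traceback above fails because the value read back from the KB is a list where a string is expected, so this Python example shows a consumer normalizing the stored value before using it. All function names are hypothetical; the sample value is the one printed in the hmap output quoted above.

```python
# Added illustration, not w3af code. All function names are hypothetical.

def unsafe_message(kb_server):
    # Same pattern as the failing line in the traceback: assumes a str.
    return 'pykto plugin is using "' + kb_server + '" as the remote server type.'


def normalize_server(kb_value):
    """Reduce a stored fingerprint value to a str banner, or None if unknown.

    Accepts a str, bytes, None, or a list/tuple such as
    ['Microsoft-IIS/6.0', None] (the shape shown in the hmap output).
    """
    if kb_value is None:
        return None
    if isinstance(kb_value, bytes):
        kb_value = kb_value.decode('latin-1')
    if isinstance(kb_value, str):
        return kb_value.strip() or None
    if isinstance(kb_value, (list, tuple)):
        # Use the first element that normalizes to a usable banner.
        for item in kb_value:
            banner = normalize_server(item)
            if banner is not None:
                return banner
        return None
    # Anything else is a producer bug: fail loudly with a clear message.
    raise TypeError('unexpected server value type: %s' % type(kb_value).__name__)


def safe_message(kb_value):
    banner = normalize_server(kb_value)
    if banner is None:
        return 'pykto plugin could not determine the remote server type.'
    return 'pykto plugin is using "%s" as the remote server type.' % banner


def crashes(value):
    """Return True if the unguarded concatenation raises TypeError."""
    try:
        unsafe_message(value)
    except TypeError:
        return True
    return False


if __name__ == '__main__':
    sample = ['Microsoft-IIS/6.0', None]  # value printed in the hmap output
    print(crashes(sample))
    print(safe_message(sample))
```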