@John: Awesome! Since Jay mentioned that he might work on this, I believe we'll have to wait and see if he's able to write the code; but something very important that's always required for a feature to be accepted in w3af is a functional test.
Our functional tests are part of the django-moth [0] application. If you want to help maybe you can consider writing a couple of vulnerable scripts which use JWT. The conditions of satisfaction for this are:

* At least three new scripts are created
* They all receive the data over JWT
* The scripts are linked / usable from django-moth main page
* Different types of signing are used in the test scripts
* Different vulnerabilities are exposed via JWT (xss, sqli, os commanding)

This will really help with the testing process :)

[0] https://github.com/andresriancho/django-moth

On Wed, Aug 5, 2015 at 5:42 PM, John Martinelli <johnnymartine...@gmail.com> wrote:
> I can help with this
>
> On Aug 5, 2015 4:41 PM, "Andres Riancho" <andres.rian...@gmail.com> wrote:
>>
>> Jay,
>>
>> Interesting subject, never came across JSON web tokens before.
>>
>> AFAIK nobody is working on adding this feature to the framework, but I would be happy if you give it a try. There seems to be a library we can use to handle all the encoding stuff [0] and some notes on the w3af-specifics:
>>
>> * The plugins need to be 100% abstracted of the way requests are encoded. Changes to JSON web tokens will only affect files in w3af/core/
>> * One of the most important abstractions you'll have to understand to add JWT to w3af is mutants [1]. Follow the code by looking for all the usages of JSONMutant and it should be easy to understand what they are.
>> * The other abstraction to be added for JWT is a container [2]
>>
>> A couple of links that might help:
>> * https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
>> * https://github.com/andresriancho/w3af/wiki/Contributing-101
>>
>> Feel free to ask me any questions via this mailing list, or use the new issue I've just created [3]
>>
>> [0] https://github.com/jpadilla/pyjwt/
>> [1] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
>> [2] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
>> [3] https://github.com/andresriancho/w3af/issues/11875
>>
>> On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong <jay.xi...@verilume.com> wrote:
>> > Hi,
>> >
>> > We are using JWT token after user name/password authentication for the subsequent http request. The JWT token returned as access-token and the subsequent request need to include x-access-token as part of request. Otherwise, the server under scan simply rejects http request with 401.
>> >
>> > Is this feature being developed or can someone point me to the code where I can customize myself.
>> >
>> > Thanks,
>> >
>> > Jay
>> >
>> > ------------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > W3af-develop mailing list
>> > W3af-develop@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
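The thread mentions that a test endpoint would read data from a JWT carried in the x-access-token header and answer 401 otherwise, and that the test scripts should exercise different signing types. The block below is an added, stdlib-only example (not code from w3af, django-moth or pyjwt) that shows what the receiving side has to do before it trusts any claim: split the compact token, accept only an explicitly allowed `alg`, recompute the HMAC and compare it in constant time, and reject a token whose payload no longer matches its signature. The key, the claim names and the `handle_request` helper are constructed for the example; with pyjwt (the library linked as [0]) the equivalent is `jwt.decode(token, key, algorithms=["HS256"])`, where the `algorithms` list plays the role of the allow-list here.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real service loads it from configuration.
SECRET = b"example-shared-secret-for-django-moth-tests"
ALLOWED_ALGS = ("HS256",)


def _b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    """Build base64url(header).base64url(payload).base64url(HMAC-SHA256(signing input))."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class InvalidToken(Exception):
    """Raised for any token the endpoint must not trust."""


def decode_verified(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the claims only if the header alg is on the allow-list and the HMAC matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Check the algorithm before touching the signature: the server decides the
        # algorithm, the token never does.
        if header.get("alg") not in allowed_algs:
            raise InvalidToken("algorithm not allowed: %r" % header.get("alg"))
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise InvalidToken("signature mismatch")
        return json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise InvalidToken("malformed token") from exc


def handle_request(headers: dict, key: bytes = SECRET):
    """Hypothetical endpoint: 401 unless x-access-token carries a verified JWT."""
    token = headers.get("x-access-token")
    if token is None:
        return 401, None
    try:
        return 200, decode_verified(token, key)
    except InvalidToken:
        return 401, None


if __name__ == "__main__":
    tok = encode_hs256({"sub": "jay", "role": "user"}, SECRET)
    print("valid token  ->", handle_request({"x-access-token": tok}))
    print("no token     ->", handle_request({}))
    hdr, payload, sig = tok.split(".")
    edited_payload = _b64url_encode(b'{"sub":"jay","role":"other"}')
    print("edited claim ->", handle_request({"x-access-token": f"{hdr}.{edited_payload}.{sig}"}))
```

Running the module prints a 200 with the claims for the freshly signed token and 401 for a missing token and for a payload that was edited after signing. The same three cases are what a django-moth test script for the JWT feature would need to cover for each signing type it supports, because a scanner only learns anything from the endpoint if the token it sends actually passes this gate.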