Taras,

On Mon, Jan 12, 2009 at 7:02 PM, Andres Riancho <[email protected]> wrote:
> Taras,
>
> On Mon, Jan 12, 2009 at 6:51 PM, Taras P. Ivashchenko
> <[email protected]> wrote:
>> Andres,
>>
>>> I saw that you modified the plugin and that it's working almost as
>>> expected.
>> Yes, I modified it, but it's not finished yet.
>> I have implemented:
>> - Check that the name of the site and the name reported in the
>> certificate match.
>> - Check that the certificate is self issued
>> But at the moment I cannot check: self signed certificate and signature
>> algorithm (MD5 check as in Metasploit) simply because there is no
>> such functionality in the PyOpenSSL module [0]. For example, we can't
>> access the X509v3 extensions of the certificate to check if the
>> certificate is self signed :(
>> I also posted to the OpenSSL mailing list [1]
>
> Oh, that sucks!
>
>> So at the moment I'm thinking about how to implement these features in
>> w3af. For example, we can hack the pyopenssl module (we will need to
>> write some C code) and provide it with w3af. We can also write a wrapper
>> for the openssl binary but it's not a good idea, is it?
>
> Just like you say... it's a bad idea, the guys from openssl /
> pyopenssl should modify the code in order to add those features. That
> could take years, and it may never be done but... I don't want to
> maintain a "hacked up version of openssl+pyopenssl" inside w3af!!!
>
>> [0]
>> https://sourceforge.net/mailarchive/forum.php?thread_name=20090103005245.3d6894d7.naplanetu%40gmail.com&forum_name=pyopenssl-list
>> [1] http://marc.info/?l=python-list&m=123110463503599&w=2
>>
>>> I just wanted to let you know that there is a problem with
>>> the plugin! Try to enable the sslCertificate and a
>>> discovery.webSpider, and you'll see how the info objects in the kb are
>>> created more than one time (actually, one time for every
>>> fuzzableRequest that's created by the discovery plugins). I think that
>>> you should perform all the checks only one time for each new
>>> certificate that is sent by the remote web server.
>>
>> Yes, of course you are right and we should check the certificate once per
>> target host. I will implement it in the near future.
>
> As usual... excellent!

Should I close this [0] task? Should we close it and create a task in
order to research if it's possible to perform "the metasploit md5
trick" in another way?

[0] https://sourceforge.net/pm/task.php?func=detailtask&project_task_id=145075&group_id=170274&group_project_id=50603

> Cheers,
>
>> --
>> Тарас Иващенко (Taras Ivashchenko), OSCP
>> www.securityaudit.ru
>> ----
>> "Software is like sex: it's better when it's free." - Linus Torvalds
>>
>
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
>

--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
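
An added example, not part of the original thread and not w3af's plugin code: one way to read the signature algorithm (the MD5 check) straight from the DER bytes with only the standard library, compare issuer and subject (self issued, which is not a signature verification), and report once per host and certificate rather than once per request. All function and class names are hypothetical, the sample certificate is a constructed skeleton, and the DER bytes are assumed to come from something like `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib

MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")  # OID 1.2.840.113549.1.1.4

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):  # walk the contents of a constructed element
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_certificate(der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbs, sig_alg, _signature = children(read_tlv(der)[1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # skip the optional [0] version field
        fields = fields[1:]   # now: serial, signature, issuer, validity, subject
    return {"md5_signature": children(sig_alg[1])[0][1] == MD5_WITH_RSA,
            "self_issued": fields[2][1] == fields[4][1]}

class CertificateAuditor:
    def __init__(self):
        self._seen = set()
    def audit(self, host, der):
        key = (host.lower(), hashlib.sha256(der).hexdigest())
        if key in self._seen:
            return None  # already reported for this host and certificate
        self._seen.add(key)
        return inspect_certificate(der)

def _tlv(tag, body=b""):  # tiny DER encoder, used only to build the sample
    return bytes([tag, len(body)]) + body

def sample_cert():  # constructed skeleton, not a valid signed certificate
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(6, b"\x55\x04\x03") + _tlv(12, b"test.example"))))
    alg = _tlv(0x30, _tlv(6, MD5_WITH_RSA) + _tlv(5))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(2, b"\x02")) + _tlv(2, b"\x01") + alg + name + _tlv(0x30) + name + _tlv(0x30))
    return _tlv(0x30, tbs + alg + _tlv(3, b"\x00"))
```

Calling `audit()` for every fuzzable request returns a result only the first time a given host presents a given certificate and `None` afterwards.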
