In response to Abhishek Baheti <[email protected]>:

> Hi
> Not long before I was searching for the same, here is what I got
>
> To specify authentication "credentials" to w3af, you have two ways:
> - Use the proxy tool and a browser to get a valid cookie, and then add
> that cookie to the scanning process by configuring the http-settings,
> cookieJarFile parameter.

Our application generates a new session id with each page load ... will
this parameter be smart enough to track the session cookie like so?
Doesn't the cookieJar store a static value?

Also, I'm having difficulty identifying the cookieJar format to generate
such a file. Firefox creates the file, but doesn't put anything in it.

> - Use the discovery.spiderMan plugin. This plugin acts as a proxy, and
> lets you navigate the target site and authenticate to it. After
> closing spiderMan, the authentication credentials will be used through
> the whole w3af scan.

This was the first thing I tried, and it doesn't seem to understand what
I'm doing. I spent 15 minutes spidering the site through the spiderMan
proxy, and once it completed, it had only scanned 3 pages, which are the
3 pages accessible if you don't log in. So I'm guessing it wasn't able
to figure out the login process.

Thanks for the feedback so far.

> ________________________________
> From: Bill Moran <[email protected]>
> To: [email protected]
> Sent: Thursday, April 30, 2009 5:12:37 PM
> Subject: [W3af-users] How to teach w3af to log in prior to spidering and testing
>
> I need to provide w3af login credentials before it starts its work.
> 99% of the app I'm scanning is only accessible after login, so without
> this I can't really use w3af at all.
>
> I can't seem to find information on this in the docs or via google.
> I assume I'm missing something. Anyone have a pointer?
>
> --
> Bill Moran
> http://www.potentialtech.com
> http://people.collaborativefusion.com/~wmoran/
>
> ------------------------------------------------------------------------------
> Register Now & Save for Velocity, the Web Performance & Operations
> Conference from O'Reilly Media. Velocity features a full day of
> expert-led, hands-on workshops and two days of sessions from industry
> leaders in dedicated Performance & Operations tracks. Use code vel09scf
> and Save an extra 15% before 5/3.
> http://p.sf.net/sfu/velocityconf
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
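On the cookie-jar format question in the thread above, the following is an added example (not from the thread, and not w3af's own code) that builds a cookie jar file with Python's http.cookiejar.MozillaCookieJar. It assumes that cookieJarFile expects the Netscape cookies.txt format, and the host app.example and the PHPSESSID value are constructed; it shows that a session cookie with no Expires attribute is a "discard" cookie that is left out of the saved file unless discard cookies are explicitly kept, which yields a file containing only the header.

```python
import http.cookiejar
import os
import tempfile
import urllib.request
from email.message import Message

class CapturedResponse:
    """Stand-in with the info() method that extract_cookies() needs."""
    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value
    def info(self):
        return self._headers

def jar_from_login_response(url, set_cookie_values):
    """Parse Set-Cookie headers of a login response into a jar for url."""
    jar = http.cookiejar.MozillaCookieJar()
    jar.extract_cookies(CapturedResponse(set_cookie_values),
                        urllib.request.Request(url))
    return jar

def save_jar(jar, path, keep_session_cookies=True):
    """Write the jar as a Netscape cookies.txt file. A cookie with no
    Expires attribute is a 'discard' (session) cookie and is skipped
    unless ignore_discard is set, leaving a file with only the header."""
    jar.save(path, ignore_discard=keep_session_cookies, ignore_expires=True)

def load_cookie_names(path):
    """Reload the file and list the cookie names that survived."""
    jar = http.cookiejar.MozillaCookieJar()
    jar.load(path, ignore_discard=True, ignore_expires=True)
    return sorted(cookie.name for cookie in jar)

def round_trip(url, set_cookie_values, keep_session_cookies=True):
    """Capture -> save -> reload; returns the names found in the file."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    save_jar(jar_from_login_response(url, set_cookie_values), path,
             keep_session_cookies)
    try:
        return load_cookie_names(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    # Constructed sample session cookie; prints ['PHPSESSID'] and then []
    for keep in (True, False):
        print(round_trip("http://app.example/login", ["PHPSESSID=deadbeef01; Path=/"], keep))
```

A jar written this way holds whatever value was captured at save time, so a session id that rotates on every page load will not be tracked by the file itself.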
