Bill,

On Fri, May 1, 2009 at 9:15 AM, Bill Moran <[email protected]> wrote:
> In response to Abhishek Baheti <[email protected]>:
>
>> Hi
>> Not long ago I was searching for the same thing; here is what I got:
>>
>> To specify authentication "credentials" to w3af, you have two ways:
>> - Use the proxy tool and a browser to get a valid cookie, and then add
>> that cookie to the scanning process by configuring the http-settings,
>> cookieJarFile parameter.
>
> Our application generates a new session id with each page load ...

Ehhh, I don't even know if that's possible for a browser to handle. Is
every page sending a "Set-Cookie" header?!

> will this parameter be smart enough to track the session cookie like
> so? Doesn't the cookieJar store a static value?

Yes, cookieJar stores static session ids. The file is in the Mozilla
format (this is specified in the parameter help, which you get by
clicking on the blue "i" next to the parameter).

> Also, I'm having difficulty identifying the cookieJar format to
> generate such a file. Firefox creates the file, but doesn't put
> anything in it.
>
>> - Use the discovery.spiderMan plugin. This plugin acts as a proxy, and
>> lets you navigate the target site and authenticate to it. After
>> closing spiderMan, the authentication credentials will be used through
>> the whole w3af scan.
>
> This was the first thing I tried, and it doesn't seem to understand
> what I'm doing. I spent 15 minutes spidering the site through the
> spiderMan proxy, and once it completed, it had only scanned 3 pages,
> which are the 3 pages accessible if you don't log in. So I'm guessing
> it wasn't able to figure out the login process.

I don't know what could be wrong here. Is this an internet-facing web
app? May I browse it? Is it an open source tool that I may install?

> Thanks for the feedback so far.
>
>> ________________________________
>> From: Bill Moran <[email protected]>
>> To: [email protected]
>> Sent: Thursday, April 30, 2009 5:12:37 PM
>> Subject: [W3af-users] How to teach w3af to log in prior to spidering and
>> testing
>>
>>
>> I need to provide w3af login credentials before it starts its work.
>> 99% of the app I'm scanning is only accessible after login, so without
>> this I can't really use w3af at all.
>>
>> I can't seem to find information on this in the docs or via google.
>> I assume I'm missing something. Anyone have a pointer?
>>
>> --
>> Bill Moran
>> http://www.potentialtech.com
>> http://people.collaborativefusion.com/~wmoran/
>>
>> ------------------------------------------------------------------------------
>> Register Now & Save for Velocity, the Web Performance & Operations
>> Conference from O'Reilly Media. Velocity features a full day of
>> expert-led, hands-on workshops and two days of sessions from industry
>> leaders in dedicated Performance & Operations tracks. Use code vel09scf
>> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>> _______________________________________________
>> W3af-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>
> --
> Bill Moran
> http://www.potentialtech.com
> http://people.collaborativefusion.com/~wmoran/

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
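The reply above says the cookieJarFile parameter takes a file in the Mozilla format and that Firefox did not write anything useful into it. The following script, an added example that is not part of the thread and not code from the w3af project, writes such a cookies.txt from cookie values you already hold (for example, copied out of the proxy tool after a manual login), reads it back, and parses the raw tab-separated records to show the on-disk layout. It uses only the Python standard library; the domain and cookie values are constructed for illustration. As the reply notes, the file holds static session ids, so it cannot follow an application that issues a new session id on every page load.

```python
"""Write, read and inspect a Netscape/Mozilla-format cookies.txt
(the format w3af's cookieJarFile parameter expects, per the thread).

Added example, not from the w3af project. Standard library only.
The domain and cookie values below are constructed sample data."""
import http.cookiejar
import os
import tempfile
import time

# Constructed sample: what a manual login to the target might have set.
SAMPLE_DOMAIN = "app.example.test"
SAMPLE_COOKIES = {"JSESSIONID": "0123456789abcdef", "theme": "dark"}


def write_mozilla_cookie_jar(path, domain, cookies, secure=False, ttl_seconds=None):
    """Write `cookies` (name -> value) for `domain` into cookies.txt at `path`.
    With ttl_seconds=None the cookies are session cookies (empty expiry
    field); MozillaCookieJar.save() drops those unless ignore_discard=True."""
    jar = http.cookiejar.MozillaCookieJar(path)
    expires = int(time.time()) + ttl_seconds if ttl_seconds is not None else None
    for name, value in cookies.items():
        jar.set_cookie(http.cookiejar.Cookie(
            version=0, name=name, value=value,
            port=None, port_specified=False,
            domain=domain, domain_specified=True,
            domain_initial_dot=domain.startswith("."),
            path="/", path_specified=True,
            secure=secure, expires=expires, discard=expires is None,
            comment=None, comment_url=None, rest={}, rfc2109=False,
        ))
    jar.save(ignore_discard=True, ignore_expires=True)
    return path


def read_mozilla_cookie_jar(path):
    """Load cookies.txt and return {name: value}; ignore_discard=True keeps
    session cookies (empty expiry field) that load() would otherwise skip."""
    jar = http.cookiejar.MozillaCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=True)
    return {c.name: c.value for c in jar}


def parse_cookie_jar_lines(path):
    """Parse the file by hand to show the layout: one tab-separated record per
    cookie with seven fields (domain, include_subdomains, path, secure,
    expires, name, value). Comment and blank lines are skipped."""
    fields = ("domain", "include_subdomains", "path", "secure",
              "expires", "name", "value")
    records = []
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            parts = line.split("\t")
            if len(parts) != 7:
                raise ValueError("malformed cookies.txt line: %r" % line)
            rec = dict(zip(fields, parts))
            rec["include_subdomains"] = rec["include_subdomains"] == "TRUE"
            rec["secure"] = rec["secure"] == "TRUE"
            records.append(rec)
    return records


def roundtrip(domain, cookies, ttl_seconds=None):
    """Write the cookies to a temp file, load them back, parse the raw records
    and return (loaded_dict, records, first_header_line)."""
    fd, path = tempfile.mkstemp(suffix="-cookies.txt")
    os.close(fd)
    try:
        write_mozilla_cookie_jar(path, domain, cookies, ttl_seconds=ttl_seconds)
        loaded = read_mozilla_cookie_jar(path)
        records = parse_cookie_jar_lines(path)
        with open(path, encoding="utf-8") as f:
            header = f.readline().rstrip("\n")
    finally:
        os.unlink(path)
    return loaded, records, header


if __name__ == "__main__":
    loaded, records, header = roundtrip(SAMPLE_DOMAIN, SAMPLE_COOKIES)
    print(header)
    for rec in records:
        print(rec)
```

Two details matter when hand-editing such a file: the second field is not a free flag but must equal whether the domain starts with a dot (Python's MozillaCookieJar.load() asserts this, and a "TRUE" next to a dotless domain fails to load), and an empty expiry field marks a session cookie, which loaders skip unless told to keep discardable cookies.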
