In response to Andres Riancho <[email protected]>:
>
> On Fri, May 1, 2009 at 9:15 AM, Bill Moran <[email protected]> wrote:
> > In response to Abhishek Baheti <[email protected]>:
> >
> >> Hi
> >> Not long before I was searching for the same here is what I got
> >>
> >> To specify authentication "credentials" to w3af, you have two ways:
> >> - Use the proxy tool and a browser to get a valid cookie, and then add
> >> that cookie to the scanning process by configuring the http-settings,
> >> cookieJarFile parameter.
> >
> > Our application generates a new session id with each page load ...
>
> ehhh, I don't even know if that's possible to handle by a browser. Is
> every page sending a "Set-Cookie" header?!

Yup. Creates a new session ID every time you call a script, and sends the
new ID to the browser every time. The commercial products we've used can
handle this.

I'm guessing I just need to write a plugin that I can specify which cookie
value holds the session ID, and have it maintain it as it changes. Doesn't
seem too difficult, except that I'm not familiar with Python or the w3af
framework :(.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
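
Added example, not part of the original thread and not w3af code: a standard-library Python sketch of why a cookie captured once stops working against an application that rotates its session ID on every response, while a live cookie jar that applies each Set-Cookie keeps the session. The cookie name SID, the RotatingApp test server and the request paths are constructed for the demonstration.

```python
import http.cookiejar, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE = "SID"  # assumed name of the cookie that carries the session ID

class RotatingApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the application: every accepted request
    gets a fresh session ID and the previous ID stops being valid."""
    current = None  # the only session ID the server accepts right now

    def do_GET(self):
        sent = self.headers.get("Cookie", "")
        ok = self.path == "/login" or sent == f"{COOKIE}={RotatingApp.current}"
        self.send_response(200 if ok else 403)
        if ok:  # rotate the ID and hand the new one to the client
            RotatingApp.current = secrets.token_hex(8)
            self.send_header("Set-Cookie", f"{COOKIE}={RotatingApp.current}; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(opener, url, cookie=None):
    """Return the HTTP status for url, optionally forcing a Cookie header."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    with HTTPServer(("127.0.0.1", 0), RotatingApp) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        # Live jar: each Set-Cookie replaces the stored ID before the next request.
        jar = http.cookiejar.CookieJar()
        live = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        live_codes = [fetch(live, base + p) for p in ("/login", "/a", "/b", "/c")]
        # Static cookie: captured once after login, then replayed unchanged.
        plain = urllib.request.build_opener()
        fetch(plain, base + "/login")
        frozen = f"{COOKIE}={RotatingApp.current}"
        static_codes = [fetch(plain, base + p, frozen) for p in ("/a", "/b", "/c")]
        server.shutdown()
    return live_codes, static_codes

if __name__ == "__main__":
    print(run_demo())
```

The replayed cookie is accepted exactly once, because that request itself triggers the rotation that invalidates it.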
