> Yilmaz,
>
> On Fri, May 29, 2009 at 2:25 AM, Yilmaz Cankaya <[email protected]> wrote:
>> Hi Andres
>> here is the output from the console
>>
>> w3af/config:http-settings>>> set basicAuthUser guest basicAuthPass guest
>> basicAuthDomain webgoat
>
> All in the same line?
No, actually not. In order not to get the warning about setting the domain, I
had to set the domain first, followed by User and Pass. Following is the
complete conf and output from the console. webSpider cannot go beyond the
password protected resource (i.e. WebGoat/attack).

pe...@pergel:~/programs/w3af$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> discovery webSpider
w3af/plugins>>> back
w3af>>> plugins
w3af/plugins>>> output console
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://192.168.4.44:8080/WebGoat/attack
w3af/config:target>>> back
w3af>>> http-settings
w3af/config:http-settings>>> set basicAuthDomain webgoat
w3af/config:http-settings>>> set basicAuthUser guest
w3af/config:http-settings>>> set basicAuthPass guest
w3af/config:http-settings>>> back
w3af>>> start
New URL found by webSpider plugin: http://192.168.4.44:8080/
New URL found by webSpider plugin: http://192.168.4.44:8080/tomcat.gif
New URL found by webSpider plugin: http://192.168.4.44:8080/RELEASE-NOTES.txt
New URL found by webSpider plugin: http://192.168.4.44:8080/tomcat-power.gif
New URL found by webSpider plugin: http://192.168.4.44:8080/jakarta-banner.gif
New URL found by webSpider plugin: http://192.168.4.44:8080/admin
The following is a list of broken links that were found by the webSpider plugin:
- http://192.168.4.44:8080/WebGoat/ [ http://192.168.4.44:8080/WebGoat/attack ]
- http://192.168.4.44:8080/tomcat-docs [ http://192.168.4.44:8080/ ]
- http://192.168.4.44:8080/webdav/ [ http://192.168.4.44:8080/ ]
- http://192.168.4.44:8080/tomcat-docs/changelog.html [ http://192.168.4.44:8080/ ]
- http://192.168.4.44:8080/servlets-examples/ [ http://192.168.4.44:8080/ ]
- http://192.168.4.44:8080/jsp-examples/ [ http://192.168.4.44:8080/ ]
- http://192.168.4.44:8080/manager/html [ http://192.168.4.44:8080/ ]
- http://192.168.4.44:8080/manager/status [ http://192.168.4.44:8080/ ]
Found 7 URLs and 7 different points of injection.
The list of URLs is:
- http://192.168.4.44:8080/
- http://192.168.4.44:8080/RELEASE-NOTES.txt
- http://192.168.4.44:8080/WebGoat/attack
- http://192.168.4.44:8080/admin
- http://192.168.4.44:8080/jakarta-banner.gif
- http://192.168.4.44:8080/tomcat-power.gif
- http://192.168.4.44:8080/tomcat.gif
The list of fuzzable requests is:
- http://192.168.4.44:8080/ | Method: GET
- http://192.168.4.44:8080/RELEASE-NOTES.txt | Method: GET
- http://192.168.4.44:8080/WebGoat/attack | Method: GET
- http://192.168.4.44:8080/admin | Method: GET
- http://192.168.4.44:8080/jakarta-banner.gif | Method: GET
- http://192.168.4.44:8080/tomcat-power.gif | Method: GET
- http://192.168.4.44:8080/tomcat.gif | Method: GET
Finished scanning process.
w3af>>>

HTTP response to verify the domain:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 02:00:00 EET
WWW-Authenticate: Basic realm="webgoat"
Content-Type: text/html;charset=utf-8
Content-Length: 952
Date: Sun, 31 May 2009 10:24:58 GMT

<html><head><title>Apache Tomcat/5.5.4 - Error report</title>
<style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade">
<p><b>type</b> Status report</p><p><b>message</b> <u></u></p>
<p><b>description</b> <u>This request requires HTTP authentication ().</u></p>
<HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.4</h3></body></html>
Thanks

>> To properly configure the basic authentication settings, you should also
>> set the auth domain. If you are unsure, you can set it to the target
>> domain name.
>> w3af/config:http-settings>>>
>>
>> ************************
>> and assuming that perhaps the root domain check is in place, I've also
>> tried
>>
>> w3af/config:http-settings>>> set basicAuthUser guest basicAuthPass guest
>> basicAuthDomain webgoat.com
>
> use different lines, like:
>
> set basicAuthUser guest
> set basicAuthPass guest
> set basicAuthDomain webgoat.com
>
>> To properly configure the basic authentication settings, you should also
>> set the auth domain. If you are unsure, you can set it to the target
>> domain name.
>> w3af/config:http-settings>>>
>>
>> Regards
>>
>> Andres Riancho wrote:
>>> Yilmaz,
>>>
>>> On Thu, May 28, 2009 at 7:09 AM, Yilmaz Cankaya <[email protected]> wrote:
>>>> Meanwhile, I had sniffed the http traffic on the server and could verify
>>>> that no authorization header is sent.
>>>>
>>>> Is there someone who tested this opt? I am not very good at python,
>>>> thus any help is appreciated.
>>>
>>> hmmm, I tried to reproduce this, but it's working for me.
>>>
>>> Could you please try to perform the same task but with the console
>>> user interface, and then send us the transcription of your w3af
>>> console session? Maybe with that I'll be able to reproduce the
>>> possible bug.
>>>
>>> Thanks!
>>>
>>>> regards
>>>>
>>>> Yilmaz Cankaya wrote:
>>>>> Hi,
>>>>> giving a try to the Basic Authentication option in HTTP Config screen,
>>>>> I've noticed that w3af spider tests do not send the authorization header
>>>>> properly, or even not at all.
>>>>>
>>>>> Has someone tested any site with Basic Authentication credentials configured?
>>>>>
>>>>> Is there any way to debug if the headers are properly set?
>>>>>
>>>>> Regards
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT
>>>>> is a gathering of tech-side developers & brand creativity professionals. Meet
>>>>> the minds behind Google Creative Lab, Visual Complexity, Processing, &
>>>>> iPhoneDevCamp as they present alongside digital heavyweights like Barbarian
>>>>> Group, R/GA, & Big Spaceship. http://p.sf.net/sfu/creativitycat-com
>>>>> _______________________________________________
>>>>> W3af-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
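As an added example (not w3af's code, and not written by anyone in this thread): a small Python check for what Yilmaz verified by sniffing, namely whether a captured request carries an Authorization header and whether it matches the credentials the 401's realm asks for. The helper names (parse_headers, basic_realm, basic_credential, check_request), the sample 401 headers and the two requests are constructed here from the values quoted in the thread.

```python
import base64
import re

# Constructed sample: status line and headers of the 401 quoted in the thread
# (Tomcat/WebGoat), body omitted.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    'WWW-Authenticate: Basic realm="webgoat"\r\n'
    "\r\n"
)

def parse_headers(raw):
    """Split a raw HTTP message into (start line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def basic_realm(response):
    """Return the Basic realm a 401 response announces, or None."""
    status, headers = parse_headers(response)
    if " 401 " not in status:
        return None
    m = re.match(r'Basic\s+realm="([^"]*)"', headers.get("www-authenticate", ""), re.I)
    return m.group(1) if m else None

def basic_credential(user, password):
    """Value of the Authorization header for HTTP Basic auth: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def check_request(raw_request, user, password):
    """What the thread checked by sniffing: is an Authorization header on the wire,
    and does it carry the configured credentials? Returns ok / missing / mismatch."""
    sent = parse_headers(raw_request)[1].get("authorization")
    if sent is None:
        return "missing"
    return "ok" if sent == basic_credential(user, password) else "mismatch"

# Constructed requests: one as the scanner should send it, one without the header.
GOOD_REQUEST = ("GET /WebGoat/attack HTTP/1.1\r\nHost: 192.168.4.44:8080\r\n"
                "Authorization: " + basic_credential("guest", "guest") + "\r\n\r\n")
BAD_REQUEST = "GET /WebGoat/attack HTTP/1.1\r\nHost: 192.168.4.44:8080\r\n\r\n"
```

Running check_request over each captured request tells you whether the client never sent the header or sent the wrong credentials, which are two different bugs to chase.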
