Alyssa,

It is also possible to use WebScarab as a second proxy between w3af and the server. You may submit forms using WebScarab, setting it to listen mode. But it may be a good idea to extend the GUI to pop up a window when form fields are encountered. Even better, after a successful spidering, the GUI may help you find the form used for authentication along with its page and allow you to enter values for that form only.

In any case, you may still write code in the script manager of WebScarab to manipulate the requests and, once the form is encountered, easily put some values in it.

Regards

Alex Fiuvertiz wrote:
> I might be wrong now, but can't you just capture the session cookie
> with the proxy and in some way add it as an additional header? I haven't
> tried it myself, but right now when I look at the GUI there is an
> option in "Configure HTTP settings"->headersFile.
> Perhaps you will also have to check the "ignoreSessCookies"-checkbox.
>
> That is what I would have tried in any case. Good Luck! / Alex
>
> 2009/6/1 Dunsirn, Alyssa <[email protected]>:
>
>> I've just started using w3af and have been very successful scanning as an
>> unauthenticated user. I'd like to scan as an authenticated user and outside
>> of using spiderman, don't see how I can do this. We use SiteMinder to
>> protect our applications and use forms authentication. Is there a way I can
>> authenticate to the website and then start the scan? Any help would be
>> appreciated... even if it's just pointing me in the direction of
>> documentation that I'm missing.
>>
>> Alyssa
>>
>> Alyssa Dunsirn
>> Software Security Consultant
>> Great Lakes Educational Loan Services
>> 608-246-1427
>>
>> _______________________________________________
>> W3af-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
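The cookie-capture approach from Alex's reply, as an added example that is not from the thread or from w3af: it parses the Set-Cookie headers of a captured login response into the single Cookie request line a scanner would replay for every request. The response headers are constructed, and the one-header-per-line file format is an assumption about what the headersFile option expects, not something the thread documents.

```python
# Added example (not from the thread): turn a captured login response into
# the "Header: value" line a scanner header file would carry.
# Assumptions: the response headers below are constructed, and the
# one-header-per-line file format is an assumption, not a documented format.
from http.cookies import SimpleCookie

# Constructed sample: headers from a SiteMinder-style form login response.
LOGIN_RESPONSE_HEADERS = [
    ("HTTP/1.1", "302 Found"),
    ("Set-Cookie", "SMSESSION=abc123DEF; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=9F3C2A; Path=/app; HttpOnly"),
    ("Set-Cookie", "tracking=xyz; Max-Age=0"),  # server deletes it: never replay
    ("Location", "/app/home"),
]


def session_cookies(headers):
    """Collect name=value pairs from Set-Cookie headers, dropping attributes
    (Path, Secure, HttpOnly, ...) and any cookie the server is deleting."""
    jar = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parsed = SimpleCookie()
        parsed.load(value)
        for morsel in parsed.values():
            if morsel["max-age"] == "0":
                jar.pop(morsel.key, None)  # deletion wins over an earlier value
                continue
            jar[morsel.key] = morsel.value
    return jar


def cookie_header_line(headers):
    """Render the Cookie request header to replay, or None if no cookie survived."""
    jar = session_cookies(headers)
    if not jar:
        return None
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in jar.items())


if __name__ == "__main__":
    # Write this single line to the header file the scanner is pointed at.
    print(cookie_header_line(LOGIN_RESPONSE_HEADERS))
```

Cookies carrying Secure or HttpOnly are replayed like any other here; those attributes restrict the browser, not a scanner that is handed the value explicitly.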
