Andres,
thanks for the prompt response and the great work you (and the other
developers) are doing with w3af !
>> - could i provide a login (username/password or session cookie)
>> somehow without using spiderMan proxy?
> Yes, please see the http-settings, there is a way for you to
> specify a cookie, or add arbitrary headers with headersFile parameter.
this would still require me to do a login and copy/save the session-cookie
to be used. (session expiration issues)
i would prefer to provide username/password for the login form (maybe along
with the URL and parameter-names of the login page).
i'll try the importResults plugin with a Login-POST request in the input_csv
file and see if that would work (and obsolete the need for spiderMan proxy
to repeat a scan with login).
i assume the same could be achieved using the formAuthBrute plugin, giving
one (or more) valid username/password combinations in the input files (maybe
even using stopOnFirst).
- will in this case the successful login session be used for the rest of the
scan?
- is there a way to influence the order of audit plugins being executed? i
think they are not executed in the order listed (in the w3af script file)
this would be necessary to do the formAuthBrute first to do the login, and
then the rest of the audits with the logged-in users session.
right now i'm doing a scan with the latest SVN, but still the old way.
(using VNC viewer from my windows box to configure and start the test on my
ubuntu box, using spiderMan proxy).
there is one more suggestion i have ;-)
the spiderMan proxy seems to be listening only on the "local loopback"
interface (127.0.0.1), but not on the ethernet interface. from security
perspective this is good. but from usability it would be nice, if it would
listen on all (or user configured) interfaces, so i wouldn't need to use VNC
viewer anymore.
this would also have to advantage, that if some (stupid) webapp only works
right with IE and i don't have IE on linux, i could use IE on windows and
configure the proxy port of the ubuntu box.
i prefer running w3af on ubuntu, not on windows, since my windows box is not
running 24/7, but the linux box is.
is it already possible to configure spiderMan proxy for all interfaces or
would that need code change?
thanks again for the great work!
cheers,
Tom
On Tue, Mar 9, 2010 at 2:29 PM, Andres Riancho <[email protected]>wrote:
> Tom,
>
> On Tue, Mar 9, 2010 at 9:12 AM, Tom Ueltschi
> <[email protected]> wrote:
> > Hi all,
> >
> > i've been using w3af mostly with spiderMan proxy and manual discovery,
> > b/c the application needs a login with username/password.
> >
> > now i would like to scan the same webapp multiple times with different
> > sets of audit plugins enabled. i already have a list of fuzzable URLs
> > from previous scans.
> >
> >>> the goal is to repeat a scan (with same or other plugins) to check if
> the found vuln's have been fixed, if possible without the need of spiderMan
> proxy. (i would like to be able to configure and start a scan from remote
> with ssh without an open proxy port)
>
> Nice use case. I like what you're trying to achieve.
>
> > i found the 2 plugins "importResults" and "urllist_txt", where the
> > documentation of the first one seems outdated (only 1 parameter:
> > input_file) and the second one seems undocumented here:
> > http://w3af.sourceforge.net/plugin-descriptions.php#discovery
>
> - urllist_txt will read the urllist.txt file from the web server
> (http://host.tld/urllist.txt). This is not what you want.
> - The latest version from importResults says in its description:
>
> Three configurable parameter exist:
> - input_csv
> - input_burp
> - input_webscarab
>
> Please make sure that you have the latest version of w3af from the
> SVN. The (http://w3af.sourceforge.net/plugin-descriptions.php#discovery)
> page is outdated, I'll fix that in a while.
>
> > - what's the difference between the two? which one should be preferred?
>
> For your use case, please use importResults with input_csv.
>
> > - what's the format of "input_csv" from importResults? (e.g. 1 URL per
> > line, with or without URL parameters? is there any separation by
> > comma, or why CSV?)
>
> method, uri, postdata
>
> > - could i provide a login (username/password or session cookie)
> > somehow without using spiderMan proxy?
>
> Yes, please see the http-settings, there is a way for you to
> specify a cookie, or add arbitrary headers with headersFile parameter.
>
> > (maybe if it's possible create a GET request in the URL list file
> > which does a login? [unless it's POST only] or else how?)
>
> Hmm... I'm not sure if that's going to work, but its worth a try!
> I think its a smart idea.
>
> > thanks for any feedback and answers.
>
> Thank you!
>
> > Cheers,
> > Tom
> >
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
