Tom,
On Wed, Mar 10, 2010 at 9:04 AM, Tom Ueltschi
<[email protected]> wrote:
> Andres,
>
> thanks for the prompt response and the great work you (and the other
> developers) are doing with w3af!
>
>>> - could i provide a login (username/password or session cookie)
>>> somehow without using spiderMan proxy?
>
>> Yes, please see the http-settings, there is a way for you to
>> specify a cookie, or add arbitrary headers with headersFile parameter.
>
> this would still require me to do a login and copy/save the session-cookie
> to be used. (session expiration issues)
> i would prefer to provide username/password for the login form (maybe along
> with the URL and parameter-names of the login page).
Sure, I understand the need for this feature, but right now we
don't support it.
> i'll try the importResults plugin with a Login-POST request in the input_csv
> file and see if that would work (and obsolete the need for spiderMan proxy
> to repeat a scan with login).
Yes, that's a good idea.
> i assume the same could be achieved using the formAuthBrute plugin, giving
> one (or more) valid username/password combinations in the input files (maybe
> even using stopOnFirst).
hehe, yes! I love your way of thinking :)
> - will in this case the successful login session be used for the rest of the
> scan?
Yes. But please make sure to blacklist the logout URL.
> - is there a way to influence the order of audit plugins being executed? i
> think they are not executed in the order listed (in the w3af script file)
No, there is no way to do that. But a patch for that would be trivial:
- Each plugin should have a getExecutionOrder() method, that returns
an int from 0 to 100.
- The w3afCore gets that value and orders the plugin list based on that
> this would be necessary to do the formAuthBrute first to do the login, and
> then the rest of the audits with the logged-in user's session.
Actually, this is how w3af works:
1) discovery + bruteforce (run in a loop until no more info is found)
2) audit
So, your problem is not there.
>
> right now i'm doing a scan with the latest SVN, but still the old way.
> (using VNC viewer from my windows box to configure and start the test on my
> ubuntu box, using spiderMan proxy).
>
> there is one more suggestion i have ;-)
>
> the spiderMan proxy seems to be listening only on the "local loopback"
> interface (127.0.0.1), but not on the ethernet interface. from security
> perspective this is good. but from usability it would be nice, if it would
> listen on all (or user configured) interfaces, so i wouldn't need to use VNC
> viewer anymore.
There is a listenAddress parameter that you can change in the
discovery.spiderMan plugin in order to achieve that goal.
> this would also have the advantage, that if some (stupid) webapp only works
> right with IE and i don't have IE on linux, i could use IE on windows and
> configure the proxy port of the ubuntu box.
Agree,
> i prefer running w3af on ubuntu, not on windows, since my windows box is not
> running 24/7, but the linux box is.
>
> is it already possible to configure spiderMan proxy for all interfaces or
> would that need code change?
>
> thanks again for the great work!
Thank you for letting me know that there are more than a few
advanced w3af users :)
> cheers,
> Tom
>
>
> On Tue, Mar 9, 2010 at 2:29 PM, Andres Riancho <[email protected]>
> wrote:
>>
>> Tom,
>>
>> On Tue, Mar 9, 2010 at 9:12 AM, Tom Ueltschi
>> <[email protected]> wrote:
>> > Hi all,
>> >
>> > i've been using w3af mostly with spiderMan proxy and manual discovery,
>> > b/c the application needs a login with username/password.
>> >
>> > now i would like to scan the same webapp multiple times with different
>> > sets of audit plugins enabled. i already have a list of fuzzable URLs
>> > from previous scans.
>> >
>> >>> the goal is to repeat a scan (with same or other plugins) to check if
>> >>> the found vuln's have been fixed, if possible without the need of
>> >>> spiderMan
>> >>> proxy. (i would like to be able to configure and start a scan from remote
>> >>> with ssh without an open proxy port)
>>
>> Nice use case. I like what you're trying to achieve.
>>
>> > i found the 2 plugins "importResults" and "urllist_txt", where the
>> > documentation of the first one seems outdated (only 1 parameter:
>> > input_file) and the second one seems undocumented here:
>> > http://w3af.sourceforge.net/plugin-descriptions.php#discovery
>>
>> - urllist_txt will read the urllist.txt file from the web server
>> (http://host.tld/urllist.txt). This is not what you want.
>> - The latest version from importResults says in its description:
>>
>> Three configurable parameter exist:
>> - input_csv
>> - input_burp
>> - input_webscarab
>>
>> Please make sure that you have the latest version of w3af from the
>> SVN. The (http://w3af.sourceforge.net/plugin-descriptions.php#discovery)
>> page is outdated, I'll fix that in a while.
>>
>> > - what's the difference between the two? which one should be preferred?
>>
>> For your use case, please use importResults with input_csv.
>>
>> > - what's the format of "input_csv" from importResults? (e.g. 1 URL per
>> > line, with or without URL parameters? is there any separation by
>> > comma, or why CSV?)
>>
>> method, uri, postdata
>>
>> > - could i provide a login (username/password or session cookie)
>> > somehow without using spiderMan proxy?
>>
>> Yes, please see the http-settings, there is a way for you to
>> specify a cookie, or add arbitrary headers with headersFile parameter.
>>
>> > (maybe if it's possible create a GET request in the URL list file
>> > which does a login? [unless it's POST only] or else how?)
>>
>> Hmm... I'm not sure if that's going to work, but it's worth a try!
>> I think it's a smart idea.
>>
>> > thanks for any feedback and answers.
>>
>> Thank you!
>>
>> > Cheers,
>> > Tom
>> >
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>
>
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
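A constructed script for the importResults workflow discussed in this thread (added here as an example; it is not w3af's own code). It takes an exported request list, drops logout URLs as Andres advises, puts the login POST first so the authenticated session exists before the other requests are replayed, and writes the file in the stated "method, uri, postdata" column order; the CSV quoting rules, the absence of a header row and the validation checks are assumptions, since the thread gives only the column order.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample: a login POST plus fuzzable URLs exported from an earlier scan.
SAMPLE_REQUESTS = [
    {"method": "GET", "uri": "http://app.example/search?q=test", "postdata": ""},
    {"method": "POST", "uri": "http://app.example/login", "postdata": "user=tom&pass=secret"},
    {"method": "GET", "uri": "http://app.example/account/logout", "postdata": ""},
    {"method": "POST", "uri": "http://app.example/comment", "postdata": "text=hello"},
]
LOGOUT_MARKERS = ("logout", "signoff")  # assumed path fragments that end a session

def is_logout(uri):
    """Blacklist logout URLs so the scan never ends the session it just opened."""
    path = urlsplit(uri).path.lower()
    return any(marker in path for marker in LOGOUT_MARKERS)

def order_requests(requests, login_uri):
    """Drop logout URLs and move the login POST to the front so it runs first."""
    kept = [r for r in requests if not is_logout(r["uri"])]
    login = [r for r in kept if r["method"] == "POST" and r["uri"] == login_uri]
    rest = [r for r in kept if r not in login]
    return login + rest

def write_input_csv(requests, login_uri):
    """Serialize rows in 'method, uri, postdata' order and return the CSV text."""
    # Assumption: the plugin accepts RFC 4180 quoting; the thread only states the column order.
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for r in order_requests(requests, login_uri):
        writer.writerow([r["method"], r["uri"], r["postdata"]])
    return buf.getvalue()

def parse_input_csv(text):
    """Read the file back and reject rows a scanner could not replay (assumed checks)."""
    rows = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if len(row) != 3:
            raise ValueError(f"line {n}: expected 3 columns, got {len(row)}")
        method, uri, postdata = (c.strip() for c in row)
        parts = urlsplit(uri)
        if method not in ("GET", "POST"):
            raise ValueError(f"line {n}: unsupported method {method!r}")
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"line {n}: uri must be absolute http(s): {uri!r}")
        if method == "GET" and postdata:
            raise ValueError(f"line {n}: GET row carries postdata")
        rows.append((method, uri, postdata))
    return rows
```

Write the returned text to the file named in the plugin's input_csv parameter; the logout blacklist itself still has to be configured in w3af, this script only keeps such URLs out of the import.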
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users