Hey folks, first of all I want to say that I'm really impressed about the concept and the whole structure of the w3af-project. I'm using w3af for a few weeks now and I'm sure that it will be a great tool for web application security WHEN IT'S DONE...
And thats my problem: No matter what I try, w3af is unstable or some features dont work. In detail: After so many stops and errors while scanning in the past I decided a few days ago to use w3af with its simplest functionality for test purpose. In every scenario I only use proxy (spiderMan) and spidering (webSpider). I want to scan a private app where I have to login first. The plan is to perform the login with spiderMan so that the session-cookie will be used by w3af without any trouble. After that I want to scan every reachable asset in the app with webSpider. All in all, no big deal I think. But I tried it with different OS (WinXP, BackTrack4, Debian 5.0) and different releases (rc2, rc3) /revisons (svn): The result is always the same - it dont work!!! But it's not everytime the same error/problem - For example (Note: "In some cases" means different releases/revisions): - In some cases the spiderMan-Proxy dont work when I want to submit my login. Before that the proxy works great and I can access every page that I want. But when I submit my credentials nothing happen for a while and w3af tell me, that the server is not reachable. But thats not true: In some (early) revisions the spiderMan-Proxy works great and get the session-cookie. - In some cases (when the spiderMan-proxy work) the webSpider dont do a good job: There are no new assets accessed by the spider but there exist enough in the application (simple links, no javascript...). The mistery is, that this feature works also fine in some (early) revisions! - In some cases, when webSpider AND spiderMan work fine (!!!), and I want to scan the application with a little bit more plugins, after a while there are error-messages about "xUrllib"... All in all I actually dont get only one stable version of w3af. That's all very frustrating and I'm nearly getting crazy about this ... But I think at least the release candidates should work "fine" ?! You can believe me, when I say that I read nearly everything in detail about this (documentation, mailing list, ...) and I always performed the steps which was recommended (for installation). So please tell me HOW DO I INSTALL A STABLE VERSION OF w3af IN THE RIGHT WAY ??? Thanks for your help and Yeehaw, Sheriff -- GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT! Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 ------------------------------------------------------------------------------ _______________________________________________ W3af-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-users
