Sheriff,

    Sorry for the late reply, please read inline:

On Thu, Apr 22, 2010 at 11:58 AM,  <[email protected]> wrote:
> Hey folks,
>
> first of all I want to say that I'm really impressed by the concept and 
> the whole structure of the w3af-project. I've been using w3af for a few weeks now 
> and I'm sure that it will be a great tool
> for web application security WHEN IT'S DONE...
>
> And that's my problem: No matter what I try, w3af is unstable or some features 
> don't work.

    I agree that the framework has some bugs, some of them more
important than the others. But if you report them, we'll fix them.

> In detail: After so many stops and errors while scanning in the past I 
> decided a few days ago to use w3af with its simplest functionality for test 
> purposes. In every scenario I only use
> proxy (spiderMan) and spidering (webSpider).

    Ok,

> I want to scan a private app where I have to login first. The plan is to 
> perform the login with spiderMan so that the session-cookie will be used by 
> w3af without any trouble. After that I
> want to scan every reachable asset in the app with webSpider. All in all, no 
> big deal I think.

    It shouldn't be a big deal, but it all depends on the web app. If
the app is heavily based on javascript or flash, then you should teach
the framework all the links by continuing to use spiderMan.

> But I tried it with different OS (WinXP, BackTrack4, Debian 5.0) and 
> different releases (rc2, rc3) / revisions (svn): The result is always the same 
> - it doesn't work!!! But it's not every time the
> same error/problem - For example (Note: "In some cases" means different 
> releases/revisions):

    I recommend that you use the latest version from the SVN server.

> - In some cases the spiderMan-Proxy doesn't work when I want to submit my login. 
> Before that the proxy works great and I can access every page that I want. 
> But when I submit my
> credentials nothing happens for a while and w3af tells me that the server is 
> not reachable. But that's not true: In some (early) revisions the 
> spiderMan-Proxy works great and gets the
> session-cookie.

    How can you tell that it's not working? What's the error you see?
Which are the expected and obtained results?

> - In some cases (when the spiderMan-proxy works) the webSpider doesn't do a good 
> job: There are no new assets accessed by the spider but there exist enough in 
> the application (simple
> links, no javascript...). The mystery is that this feature also works fine 
> in some (early) revisions!

    Could you show us the webapp you're scanning?

> - In some cases, when webSpider AND spiderMan work fine (!!!), and I want to 
> scan the application with a little bit more plugins, after a while there are 
> error-messages about "xUrllib"...

    Ahhh, yes... that's our biggest bug. We're going to fix that soon.

> All in all I actually don't get only one stable version of w3af. That's all 
> very frustrating and I'm nearly getting crazy about this ...

    Use the latest version from the SVN server, if it doesn't work
there, it won't work in previous versions.

> But I think at least the release candidates should work "fine" ?! You can 
> believe me, when I say that I read nearly everything in detail about this 
> (documentation, mailing list, ...) and I
> always performed the steps which were recommended (for installation). So 
> please tell me
>
> HOW DO I INSTALL A STABLE VERSION OF w3af IN THE RIGHT WAY ???

    As far as I can tell, it's not a problem with your install
process, it's a problem with the framework itself; but if you send us
the details of your errors, we'll be able to determine that.

> Thanks for your help and Yeehaw,
> Sheriff
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
