Andres,
The application isn't publicly available, but I do have HTTP traces.
I reread the guide you mentioned, the procedure I am following is as expected.
In looking at the traces I can see that when
I am using the app without a proxy, an HTTP 302 is issued. When using the
proxy, no redirect takes place, I only see an http 200 OK message.
The app I am using uses servlets. Our login sequence consists of a login
action. Once the login action takes place, it redirects to a "main" action.
I can't see anything happening on my application side of things when debugging.
The first action is completed as expected. Does the webspider proxy handle
302 requests?
Attached is a proxy / noproxy trace.
-----Original Message-----
From: Andres Riancho [mailto:[email protected]]
Sent: Saturday, February 26, 2011 8:31 AM
To: Ruel Loehr
Cc: [email protected]
Subject: Re: [W3af-users] W3AF/spiderman proxy session management
Ruel,
On Thu, Feb 24, 2011 at 8:29 PM, Ruel Loehr <[email protected]> wrote:
> The application which I am attempting to test has a login page. Once
> the user is logged in, they receive a session id and are forwarded to
> another struts action. The second struts action pulls the session
> for the request and checks its validity.
>
>
>
> I'm attempting to use the spiderman plugin, but it appears that a
> different session is being used when I'm forwarded to my second action.
>
>
>
> Has anyone ever experienced this?
No, not me.
> Are there any configurations I might be missing? I haven't found
> anything yet by viewing the docs or mail archives.
Have you read the HOWTO about performing an authenticated scan [0] ?
While I think that you've got it covered and this sounds more like a w3af bug,
please read the HOWTO and try again. If it's still not working, would it be
possible for us to get our hands on that web application, or the recorded HTTP
requests of w3af failing to login AND a browser succeeding?
[0] http://sourceforge.net/apps/trac/w3af/wiki/perform-authenticated-scan-howto
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
http://192.168.1.221:8080/myapp/login.do
POST http://192.168.1.221:8080/myapp/login.do HTTP/1.1
Host: 192.168.1.221:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.17)
Gecko/20110121 Firefox/3.5.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.1.221:8080/myapp/login.do
Cookie: cookieSetting=on; JSESSIONID=B3DFC2C980F26280AA96375AE1FF2432
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
username=username&password=password123&application=myApp&Login=Login
HTTP/1.0 200 OK
Server: BaseHTTP/0.3 Python/2.6.6, Apache-Coyote/1.1
Date: Thu, 10 Mar 2011 19:54:33 GMT, Thu, 10 Mar 2011 19:41:27 GMT
Set-Cookie: JSESSIONID=C25323D3EC40A8D5957DEBC814A91CB5; Path=/myapp
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close, close
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Content-Type: text/html;charset=ISO-8859-1
----------------------------------------------------------
http://192.168.1.221:8080/myapp/login.do
POST /myapp/login.do HTTP/1.1
Host: 192.168.1.221:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.17)
Gecko/20110121 Firefox/3.5.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.1.221:8080/myapp/login.do
Cookie: cookieSetting=on; JSESSIONID=C366D5BFAA298853EDF1019BAD50C0F4
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
username=username&password=password123&application=myApp&Login=Login
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DFCFC082E310C98C61C0CE956609893E; Path=/myapp
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://192.168.1.221:8080/myapp/main.do
Content-Type: text/html
Content-Length: 0
Date: Thu, 10 Mar 2011 19:10:13 GMT
----------------------------------------------------------
http://192.168.1.221:8080/myapp/main.do
GET /myapp/main.do HTTP/1.1
Host: 192.168.1.221:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.17)
Gecko/20110121 Firefox/3.5.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.1.221:8080/myapp/login.do
Cookie: cookieSetting=on; JSESSIONID=DFCFC082E310C98C61C0CE956609893E
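The two attached traces differ in exactly one place that matters for session handling: the direct login POST gets a 302 with a fresh JSESSIONID and a Location pointing at main.do, while the same POST through the proxy gets a 200 with a fresh JSESSIONID and no Location. One way a client that follows redirects on the caller's behalf produces that picture is by fetching the Location target before storing the Set-Cookie that arrived on the 302, so main.do is requested with the stale session id. The script below is an added example, not code from the thread or from w3af: it embeds the two login responses copied from the traces above and inspects them, and it models a stand-in login application (hypothetical, rotating JSESSIONID on login like the app described) together with a redirect follower that either honours or drops the cookie on the intermediate 302. The host name, form fields and paths are taken from the traces; the server logic is assumed.

```python
"""Session rotation on login, and why a redirect follower must store the
Set-Cookie from the 302 before it issues the follow-up GET.

Added example. The server below is a constructed stand-in for the struts
application in the thread; the two raw responses are copied from the
attached traces (proxy first, direct second)."""
import secrets
from urllib.parse import urlsplit

PROXY_RESPONSE = """HTTP/1.0 200 OK
Server: BaseHTTP/0.3 Python/2.6.6, Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C25323D3EC40A8D5957DEBC814A91CB5; Path=/myapp
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close, close
Content-Type: text/html;charset=ISO-8859-1"""

DIRECT_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DFCFC082E310C98C61C0CE956609893E; Path=/myapp
Location: http://192.168.1.221:8080/myapp/main.do
Content-Type: text/html
Content-Length: 0"""


def check_login_response(raw):
    """Inspect a captured response to the login POST: was it a redirect, and
    did the server hand out a new JSESSIONID (session rotation on login)?"""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {
        "redirect": 300 <= status < 400 and "location" in headers,
        "rotated_session": any(c.startswith("JSESSIONID=")
                               for c in headers.get("set-cookie", [])),
    }


class LoginApp:
    """Constructed stand-in: login.do rotates JSESSIONID and 302s to main.do;
    main.do only serves an authenticated session, otherwise 302s to login.do."""
    BASE = "http://192.168.1.221:8080"

    def __init__(self):
        self.authenticated = set()  # JSESSIONIDs that completed a login

    def handle(self, method, path, cookies, form=None):
        """Return (status, headers, body) for one request."""
        if path == "/myapp/login.do":
            if method == "POST" and form and form.get("password") == "password123":
                new_id = secrets.token_hex(16).upper()
                self.authenticated.add(new_id)
                return 302, {"Location": self.BASE + "/myapp/main.do",
                             "Set-Cookie": f"JSESSIONID={new_id}; Path=/myapp"}, ""
            return 200, {}, "login form"
        if path == "/myapp/main.do":
            if cookies.get("JSESSIONID") in self.authenticated:
                return 200, {}, "welcome"
            return 302, {"Location": self.BASE + "/myapp/login.do"}, ""
        return 404, {}, ""


def follow(app, jar, method, path, form=None, apply_intermediate_cookies=True, max_hops=5):
    """Issue a request and follow redirects the way a browser does.
    With apply_intermediate_cookies=False the follower ignores Set-Cookie on
    3xx responses, which is the failure mode being illustrated."""
    for _ in range(max_hops):
        status, headers, body = app.handle(method, path, dict(jar), form)
        is_redirect = status in (301, 302, 303) and "Location" in headers
        if "Set-Cookie" in headers and (apply_intermediate_cookies or not is_redirect):
            name, value = headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
            jar[name.strip()] = value.strip()
        if not is_redirect:
            return status, body
        # A 302 after a POST is followed with a GET and no body.
        path, method, form = urlsplit(headers["Location"]).path, "GET", None
    raise RuntimeError("too many redirects")


LOGIN_FORM = {"username": "username", "password": "password123", "application": "myApp"}


def browser_login(app):
    """Cookie from the 302 is stored before main.do is requested."""
    jar = {"JSESSIONID": "STALE0000000000000000000000000000"}
    return follow(app, jar, "POST", "/myapp/login.do", LOGIN_FORM)


def cookie_dropping_login(app):
    """Same flow, but the 302's Set-Cookie is never applied: main.do sees the
    stale id and bounces back to the login form, still with a 200 at the end."""
    jar = {"JSESSIONID": "STALE0000000000000000000000000000"}
    return follow(app, jar, "POST", "/myapp/login.do", LOGIN_FORM,
                  apply_intermediate_cookies=False)


if __name__ == "__main__":
    print("proxy trace :", check_login_response(PROXY_RESPONSE))
    print("direct trace:", check_login_response(DIRECT_RESPONSE))
    print("browser     :", browser_login(LoginApp()))
    print("drops cookie:", cookie_dropping_login(LoginApp()))
```

The point of the two model clients is that both finish on a 200 OK, so the status code alone does not tell you whether the login succeeded; checking that the session id presented on the redirected request is the one set on the 302 does. The trace checker is the same test applied to the captured responses: the direct capture shows a redirect with a rotated session, the proxy capture shows the rotation but no redirect.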