Vishal,
On Fri, Aug 19, 2011 at 4:51 AM, Vishal <[email protected]> wrote:
> Hi,
>
> If an application sends a different session cookie with each response
> after validating the first one, can w3af maintain the session during its
> scans?
That's a very interesting question to ask! After reading the code
for a while, I realized that we don't, but it seems to be very simple
to change that. If you've got the time, just try the following:
* Run a scan against that web application using the latest version of
w3af. Capture HTTP requests with wireshark or any other tool for
debugging.
* In frFactory.py, comment the following lines:
"qsr.setCookie(cookieObj)" and "r.setCookie(cookieObj)"
* Run a scan with those modifications and let me know how it went.
My idea is that if we remove the header, the HTTPCookieProcessor
will work its magic (see urllib2.py:1180) and everything should work
as expected.
Let us know how the test went, so we can apply this to our SVN and
everyone gets this new feature :)
Regards,
> Thanks,
> Vishal
>
> ------------------------------------------------------------------------------
> Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
> user administration capabilities and model configuration. Take
> the hassle out of deploying and managing Subversion and the
> tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
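The two behaviours discussed above, as an added example that is not w3af's code: a pinned Cookie header copied from the first response versus letting urllib's HTTPCookieProcessor follow each Set-Cookie. The local server that rotates the session id on every response is a constructed stand-in for the application Vishal describes.

```python
# Added example, not w3af code. A local server rotates the session id on
# every response and only accepts the id it issued last (the first request
# counts as the login). Pinning the first cookie fails on request three;
# letting http.cookiejar follow Set-Cookie keeps the session alive.
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class RotatingSessionHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        srv = self.server
        sent = self.headers.get("Cookie")
        ok = srv.current is None or sent == f"sid={srv.current}"
        srv.current = secrets.token_hex(8)  # new id on every response
        self.send_response(200 if ok else 401)
        self.send_header("Set-Cookie", f"sid={srv.current}")
        self.end_headers()

    log_message = lambda *a: None  # keep the demo quiet


def scan(pin_first_cookie, requests=3):
    """GET a fresh rotating-session server `requests` times; return codes."""
    srv = HTTPServer(("127.0.0.1", 0), RotatingSessionHandler)
    srv.current = None
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    jar = http.cookiejar.CookieJar()  # the HTTPCookieProcessor path
    handlers = [] if pin_first_cookie else [urllib.request.HTTPCookieProcessor(jar)]
    opener = urllib.request.build_opener(*handlers)
    pinned, codes = None, []
    for _ in range(requests):
        req = urllib.request.Request(url)
        if pinned:  # replay the cookie captured once, as the mail describes
            req.add_header("Cookie", pinned)
        try:
            with opener.open(req) as resp:
                codes.append(resp.status)
                set_cookie = resp.headers.get("Set-Cookie")
        except urllib.error.HTTPError as e:
            codes.append(e.code)
            set_cookie = e.headers.get("Set-Cookie")
        if pin_first_cookie and pinned is None:
            pinned = set_cookie
    srv.shutdown()
    srv.server_close()
    return codes
```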