Hello list.

I tried to use w3af on a web application for which I do have admin credentials. I didn't find any way to specify application-managed credentials (as opposed to HTTP authentication), so I tried two different strategies:

1) using spiderman to authenticate manually, and letting webspider proceed thereafter
2) using the brute force plugin with a credentials file containing only one login/password (admin)

But neither worked.

For the first method, the proxy seems to capture the session cookie, but then fails to return the response to the browser correctly:

[mar. 23 août 2011 16:16:21 CEST] https://adt-lea.inria.fr:443/lea/j_spring_security_check | Method: POST
[mar. 23 août 2011 16:16:21 CEST] The remote web application sent the following cookie: "JSESSIONID=9251223F16593FF313B8EBCA357B5A88; Path=/lea; Secure". w3af will use it during the rest of the process in order to maintain the session.
[mar. 23 août 2011 16:16:21 CEST] Traceback for this error: Traceback (most recent call last):
  File "/usr/share/w3af/core/controllers/daemons/proxy.py", line 425, in do_CONNECT
    httpsServer.process_request(conWrap, self.client_address)
  File "/usr/lib64/python2.7/SocketServer.py", line 311, in process_request
    self.shutdown_request(request)
  File "/usr/lib64/python2.7/SocketServer.py", line 459, in shutdown_request
    request.shutdown(socket.SHUT_WR)
TypeError: shutdown() takes exactly 0 arguments (1 given)

I have to terminate the spiderman session to let the webspider plugin continue, but this one seems unable to reach any other page beyond this point, and only finds the links available from the login page.

For the second method, the brute force plugin is activated, but doesn't advertise any success:

[mar. 23 août 2011 16:24:23 CEST] Found a form login. The action of the form is: "https://adt-lea.inria.fr/lea/j_spring_security_check".
[mar. 23 août 2011 16:24:23 CEST] The username field to be used is: "j_username".
[mar. 23 août 2011 16:24:23 CEST] The password field to be used is: "j_password".
[mar. 23 août 2011 16:24:23 CEST] Starting form authentication bruteforce on URL: "https://adt-lea.inria.fr/lea/j_spring_security_check".
[mar. 23 août 2011 16:24:25 CEST] Finished bruteforcing "https://adt-lea.inria.fr/lea/j_spring_security_check".

It's difficult to tell if authentication succeeded from this output:

[mar. 23 août 2011 16:25:07 CEST] The URL: "https://adt-lea.inria.fr/lea/j_spring_security_check" sent these cookies:
[mar. 23 août 2011 16:25:07 CEST] - JSESSIONID=172C2BA5B54B223D17F4B4F54F8AA339; Path=/lea; Secure
[mar. 23 août 2011 16:25:07 CEST] The URL: "https://adt-lea.inria.fr/" sent these cookies:
[mar. 23 août 2011 16:25:07 CEST] - JSESSIONID=BF66808767EC617C1B33ACBDC9FC8F9A; Path=/lea; Secure

Anyway, the web spider doesn't find any additional URLs.

--
BOFH excuse #197:
I'm sorry a pentium won't do, you need an SGI to connect with us.

_______________________________________________
W3af-users mailing list
https://lists.sourceforge.net/lists/listinfo/w3af-users
