Guillaume,

On Tue, Aug 23, 2011 at 11:29 AM, Guillaume Rousse
<[email protected]> wrote:
> Hello list.
>
> I tried to use w3af on a web application for which I do have admin
> credentials. I didn't find any way to specify application-managed
> credentials (as opposed to HTTP authentication), so I tried two
> different strategies:
>
> 1) using spiderman to authenticate manually, and let webspider proceed
> thereafter
> 2) using the brute force plugin with a credentials file
> containing only one login/password (admin)
>
> But neither did work.
>
> For the first method, the proxy seems to capture the session cookie,
> but then fails to return the response to the browser correctly:
>
> [mar. 23 août 2011 16:16:21 CEST]
> https://adt-lea.inria.fr:443/lea/j_spring_security_check | Method: POST
> [mar. 23 août 2011 16:16:21 CEST] The remote web application sent the
> following cookie: "JSESSIONID=9251223F16593FF313B8EBCA357B5A88;
> Path=/lea; Secure".
> w3af will use it during the rest of the process in order to maintain the
> session.
> [mar. 23 août 2011 16:16:21 CEST] Traceback for this error: Traceback
> (most recent call last):
>   File "/usr/share/w3af/core/controllers/daemons/proxy.py", line 425,
> in do_CONNECT
>     httpsServer.process_request(conWrap, self.client_address)
>   File "/usr/lib64/python2.7/SocketServer.py", line 311, in process_request
>     self.shutdown_request(request)
>   File "/usr/lib64/python2.7/SocketServer.py", line 459, in
> shutdown_request
>     request.shutdown(socket.SHUT_WR)
> TypeError: shutdown() takes exactly 0 arguments (1 given)
>
> I have to terminate the spiderman session to let the webspider plugin continue,
> but this one seems unable to reach any other page beyond this point, and
> only finds the links available from the login page.
>
> For the second method, the brute force plugin is activated, but doesn't
> advertise any success:
> [mar. 23 août 2011 16:24:23 CEST] Found a form login. The action of the
> form is: "https://adt-lea.inria.fr/lea/j_spring_security_check".
> [mar. 23 août 2011 16:24:23 CEST] The username field to be used is:
> "j_username".
> [mar. 23 août 2011 16:24:23 CEST] The password field to be used is:
> "j_password".
> [mar. 23 août 2011 16:24:23 CEST] Starting form authentication
> bruteforce on URL: "https://adt-lea.inria.fr/lea/j_spring_security_check".
> [mar. 23 août 2011 16:24:25 CEST] Finished bruteforcing
> "https://adt-lea.inria.fr/lea/j_spring_security_check".
>
> It's difficult to tell if authentication succeeded from this output:
> [mar. 23 août 2011 16:25:07 CEST] The URL:
> "https://adt-lea.inria.fr/lea/j_spring_security_check" sent these cookies:
> [mar. 23 août 2011 16:25:07 CEST] -
> JSESSIONID=172C2BA5B54B223D17F4B4F54F8AA339; Path=/lea; Secure
> [mar. 23 août 2011 16:25:07 CEST] The URL: "https://adt-lea.inria.fr/"
> sent these cookies:
> [mar. 23 août 2011 16:25:07 CEST] -
> JSESSIONID=BF66808767EC617C1B33ACBDC9FC8F9A; Path=/lea; Secure
>
> Anyway, the web spider doesn't find any additional URLs.

Try using Python2.6, we do not support 2.7 yet.

> --
> BOFH excuse #197:
>
> I'm sorry a pentium won't do, you need an SGI to connect with us.
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
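The traceback in the quoted report shows Python 2.7's SocketServer.shutdown_request() calling request.shutdown(socket.SHUT_WR) on the proxy's connection wrapper, whose shutdown() accepted no arguments; Python 2.6's SocketServer only ever called close() on the request, which is why the older interpreter works. The following is an added illustration, not code from w3af or from this thread: it reproduces that TypeError against the stdlib socketserver module with a constructed wrapper class and shows the signature-compatible variant (the wrapper class names and run_shutdown_request are my own).

```python
import socket
import socketserver  # Python 3 name of the SocketServer module in the traceback


class BrokenConnWrapper:
    """Constructed wrapper (not w3af's own class) whose shutdown() takes no
    'how' flag. Python 2.6's SocketServer only called close() on the request,
    so this signature only breaks once shutdown_request() appears in 2.7."""
    def __init__(self, sock):
        self._sock = sock
        self.shutdown_calls = []  # 'how' flags received from the server

    def shutdown(self):
        self.shutdown_calls.append(None)
        self._sock.shutdown(socket.SHUT_RDWR)

    def close(self):
        self._sock.close()


class CompatConnWrapper(BrokenConnWrapper):
    """Same wrapper with a socket.socket-compatible shutdown(how) signature."""
    def shutdown(self, how=socket.SHUT_RDWR):
        self.shutdown_calls.append(how)
        self._sock.shutdown(how)


def run_shutdown_request(wrapper_cls):
    """Hand a wrapped socket to the stdlib shutdown_request(), which calls
    request.shutdown(socket.SHUT_WR) and then close(). Returns the exception
    type raised (None on success) and the flags the wrapper received."""
    client_end, peer_end = socket.socketpair()
    wrapper = wrapper_cls(client_end)
    # Unbound server instance: only its shutdown_request() method is needed.
    server = socketserver.TCPServer(("127.0.0.1", 0), None, bind_and_activate=False)
    try:
        server.shutdown_request(wrapper)
    except TypeError as exc:  # same failure as in the w3af proxy traceback
        return type(exc), wrapper.shutdown_calls
    finally:
        server.server_close()
        client_end.close()
        peer_end.close()
    return None, wrapper.shutdown_calls


if __name__ == "__main__":
    print(run_shutdown_request(BrokenConnWrapper))  # (<class 'TypeError'>, [])
    print(run_shutdown_request(CompatConnWrapper))  # (None, [1]); 1 == socket.SHUT_WR
```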
