The version in Ubuntu 11.10's repo exhibits the same behavior. Nor is webSpider really finding anything:
w3af>>> http-settings
w3af/config:http-settings>>> set cookieJarFile /home/shawn/cookies.txt
w3af/config:http-settings>>> back
w3af>>> target
w3af/config:target>>> set target http://[redacted]/
w3af/config:target>>> back
w3af/plugins>>> audit xss, sqli, blindSqli
w3af/plugins>>> discovery webSpider
w3af/plugins>>> back
w3af>>> start
Auto-enabling plugin: grep.error500
Auto-enabling plugin: grep.httpAuthDetect
The following is a list of broken links that were found by the webSpider plugin:
- http://[redacted]/ [ referenced from: http://[redacted]/ ]
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://[redacted]/
The list of fuzzable requests is:
- http://[redacted]/ | Method: GET
Finished scanning process.
w3af>>> version
w3af - Web Application Attack and Audit Framework
Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
Author: Andres Riancho and the w3af team.

Thanks,

Shawn

On Mon, Nov 21, 2011 at 2:11 PM, Shawn Webb <[email protected]> wrote:
> Looks like it's gonna be a major pain continuing to do this on
> freebsd, since freebsd uses python 2.7 by default. w3af depends on
> 2.6. I'll spin up a linux VM and see if it exhibits the same behavior.
>
> On Mon, Nov 21, 2011 at 1:45 PM, Javier Andalia <[email protected]> wrote:
>> Hey Shawn,
>>
>> You can start with installing our last version [0] and tell us if that
>> still happens.
>>
>> Regards,
>>
>> Javier
>>
>> [0] https://sourceforge.net/projects/w3af/files/w3af/w3af%201.1/
>>
>> On Mon, Nov 21, 2011 at 5:31 PM, Shawn Webb <[email protected]> wrote:
>>> I'm testing using w3af against my employer's development sites. We use
>>> a load balancer based on nginx and haproxy which sets cookies to
>>> forward (and keep) the user's browser to a specific lighttpd server. I
>>> exported firefox's cookies for our site and am using that with w3af.
>>> After running w3af, I see no hits in my lighttpd server's logfiles,
>>> which makes me believe w3af isn't respecting the cookieJarFile
>>> setting. Is there something other than simply setting that config
>>> variable to the file that I should be doing? I just installed w3af on
>>> freebsd via ports.
>>>
>>> w3af version info: Version: 1.0-rc4 (from tgz)
>>>
>>> Thanks,
>>>
>>> Shawn

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
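
An added example, not part of the original thread and not w3af's own code: a way to check an exported cookies.txt independently of the scanner, using Python's standard MozillaCookieJar loader to report which cookies would be attached to a request for the target and which are discarded first (session cookies exported with an expiry of 0, Secure cookies on an http:// target, cookies for another domain). Assumptions: the export is in Netscape cookies.txt format; the host dev.example.test and all cookie names and values are constructed sample data; whether w3af loads the jar the same way is not confirmed by the thread.

```python
import http.cookiejar
import os
import tempfile
import time
import urllib.request


def _load(path, ignore_expires):
    jar = http.cookiejar.MozillaCookieJar()
    # Raises http.cookiejar.LoadError when the "# Netscape HTTP Cookie File"
    # first line is missing or a row does not have the seven tab-separated fields.
    jar.load(path, ignore_discard=True, ignore_expires=ignore_expires)
    return jar


def check_cookie_jar(path, url):
    """Report which cookies in a Netscape-format jar a client would send to url."""
    everything = {c.name for c in _load(path, ignore_expires=True)}
    jar = _load(path, ignore_expires=False)
    usable = {c.name for c in jar}
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies domain, path, secure and expiry rules
    header = req.get_header("Cookie") or ""
    sent = {p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()}
    return {
        "sent": sorted(sent),
        "dropped_as_expired": sorted(everything - usable),
        "not_matching_url": sorted(usable - sent),
    }


def write_sample_jar():
    """Write a constructed cookies.txt (hypothetical host and cookie names)."""
    future = int(time.time()) + 3600
    rows = [
        "# Netscape HTTP Cookie File",
        # fields: domain, subdomain flag, path, secure, expiry, name, value
        "dev.example.test\tFALSE\t/\tFALSE\t%d\tPHPSESSID\tabc123" % future,
        "dev.example.test\tFALSE\t/\tFALSE\t0\tSERVERID\tweb2",  # session cookie, expiry 0
        "dev.example.test\tFALSE\t/\tTRUE\t%d\tauth\txyz" % future,  # Secure flag set
        ".other.example.test\tTRUE\t/\tFALSE\t%d\ttracking\t1" % future,
    ]
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(rows) + "\n")
    return path


if __name__ == "__main__":
    sample = write_sample_jar()
    print(check_cookie_jar(sample, "http://dev.example.test/"))
    os.remove(sample)
```

A load-balancer stickiness cookie that shows up under dropped_as_expired or not_matching_url never reaches the backend, which would look the same in the server logs as the jar being ignored.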
