Shawn,
While w3af is officially supported under 2.6 it should work as
expected in 2.7 (let us know if it doesn't).
Regards,
On Mon, Nov 21, 2011 at 8:19 PM, Shawn Webb <[email protected]> wrote:
> Just tried. Looks like it's not liking that the whole world has moved
> on beyond python 2.6. I even changed the shebang line to match the
> python2.6 binary and the latest w3af still complains about only being
> supported in python 2.6, even though it is running in python 2.6.
>
> On Mon, Nov 21, 2011 at 4:17 PM, Andres Riancho
> <[email protected]> wrote:
>> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>>
>> That's a very old version. Could you please download the latest from
>> the w3af site?
>>
>> Regards,
>>
>> On Mon, Nov 21, 2011 at 8:12 PM, Shawn Webb <[email protected]> wrote:
>>> The version in Ubuntu 11.10's repo exhibits the same behavior. Nor is
>>> webSpider really finding anything:
>>>
>>> w3af>>> http-settings
>>> w3af/config:http-settings>>> set cookieJarFile /home/shawn/cookies.txt
>>> w3af/config:http-settings>>> back
>>> w3af>>> target
>>> w3af/config:target>>> set target http://[redacted]/
>>> w3af/config:target>>> back
>>> w3af/plugins>>> audit xss, sqli, blindSqli
>>> w3af/plugins>>> discovery webSpider
>>> w3af/plugins>>> back
>>> w3af>>> start
>>> Auto-enabling plugin: grep.error500
>>> Auto-enabling plugin: grep.httpAuthDetect
>>> The following is a list of broken links that were found by the webSpider
>>> plugin:
>>> - http://[redacted]/ [ referenced from: http://[redacted]/ ]
>>> Found 1 URLs and 1 different points of injection.
>>> The list of URLs is:
>>> - http://[redacted]/
>>> The list of fuzzable requests is:
>>> - http://[redacted]/ | Method: GET
>>> Finished scanning process.
>>> w3af>>> version
>>> w3af - Web Application Attack and Audit Framework
>>> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>>> Author: Andres Riancho and the w3af team.
>>>
>>> Thanks,
>>>
>>> Shawn
>>>
>>> On Mon, Nov 21, 2011 at 2:11 PM, Shawn Webb <[email protected]> wrote:
>>>> Looks like it's gonna be a major pain continuing to do this on
>>>> freebsd, since freebsd uses python 2.7 by default. w3af depends on
>>>> 2.6. I'll spin up a linux VM and see if it exhibits the same behavior.
>>>>
>>>> On Mon, Nov 21, 2011 at 1:45 PM, Javier Andalia <[email protected]> wrote:
>>>>> Hey Shawn,
>>>>>
>>>>> You can start with installing our last version [0] and tell us if that
>>>>> still happens.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Javier
>>>>>
>>>>> [0] https://sourceforge.net/projects/w3af/files/w3af/w3af%201.1/
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Nov 21, 2011 at 5:31 PM, Shawn Webb <[email protected]> wrote:
>>>>>> I'm testing using w3af against my employer's development sites. We use
>>>>>> a load balancer based on nginx and haproxy which sets cookies to
>>>>>> forward (and keep) the user's browser to a specific lighttpd server. I
>>>>>> exported firefox's cookies for our site and am using that with w3af.
>>>>>> After running w3af, I see no hits in my lighttpd server's logfiles,
>>>>>> which makes me believe w3af isn't respecting the cookieJarFile
>>>>>> setting. Is there something other than simply setting that config
>>>>>> variable to the file that I should be doing? I just installed w3af on
>>>>>> freebsd via ports.
>>>>>>
>>>>>> w3af version info: Version: 1.0-rc4 (from tgz)
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Shawn
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> All the data continuously generated in your IT infrastructure
>>>>>> contains a definitive record of customers, application performance,
>>>>>> security threats, fraudulent activity, and more. Splunk takes this
>>>>>> data and makes sense of it. IT sense. And common sense.
>>>>>> http://p.sf.net/sfu/splunk-novd2d
>>>>>> _______________________________________________
>>>>>> W3af-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
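
An added example, not part of the thread and not w3af code: a quick way to check which cookies from an exported jar would actually accompany a request to the target, using Python's standard `MozillaCookieJar`. It assumes the export is in Netscape cookies.txt format; the host `dev.example.test`, the cookie names and the helper `cookies_sent` are constructed for illustration, and whether w3af loads the file with these same defaults is not stated in the thread.

```python
import http.cookiejar
import os
import tempfile
import urllib.request

# Constructed sample jar (tab-separated): domain, subdomain flag, path,
# secure flag, expiry, name, value. Host and cookie names are made up.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "dev.example.test\tFALSE\t/\tFALSE\t\tSERVERID\tlighty2\n"      # session cookie
    "dev.example.test\tFALSE\t/\tFALSE\t1\told\tx\n"                # expired in 1970
    "dev.example.test\tFALSE\t/\tFALSE\t4102444800\tprefs\tdark\n"  # valid until 2100
)

def cookies_sent(jar_text, url, keep_session=False):
    """Names of the cookies attached to a request for url, or None if the
    file is rejected outright (for example, the magic first line is missing)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(jar_text)
        path = fh.name
    try:
        jar = http.cookiejar.MozillaCookieJar()
        try:
            # Defaults drop session cookies (empty expiry) and expired ones.
            jar.load(path, ignore_discard=keep_session, ignore_expires=False)
        except http.cookiejar.LoadError:
            return None
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)  # applies domain, path, secure and expiry rules
        header = req.get_header("Cookie") or ""
        return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    url = "http://dev.example.test/"
    print("default load:   ", cookies_sent(SAMPLE, url))
    print("keep session:   ", cookies_sent(SAMPLE, url, keep_session=True))
    print("no header line: ", cookies_sent(SAMPLE.split("\n", 1)[1], url))
```

A load-balancer affinity cookie is often a session cookie, so an empty result for it under the default load is worth ruling out before looking at the scanner itself.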