w3af stops after scanning just a single page, even though the webSpider discovery plugin is enabled.
On Mon, Nov 21, 2011 at 5:29 PM, Andres Riancho <[email protected]> wrote: > Shawn, > > w3af shouldn't stop after that warning, is it? > > On Mon, Nov 21, 2011 at 9:25 PM, Shawn Webb <[email protected]> wrote: >> I guess that's what I'm reporting. >> >> On Nov 21, 2011 5:11 PM, "Andres Riancho" <[email protected]> wrote: >>> >>> Shawn, >>> >>> While w3af is officially supported under 2.6 it should work as >>> expected in 2.7 (let us know if it doesn't). >>> >>> Regards, >>> >>> On Mon, Nov 21, 2011 at 8:19 PM, Shawn Webb <[email protected]> wrote: >>> > Just tried. Looks like it's not liking that the whole world has moved >>> > on beyond python 2.6. I even changed the shebang line to match the >>> > python2.6 binary and the latest w3af still complains about only being >>> > supported in python 2.6, even though it is running in python 2.6. >>> > >>> > On Mon, Nov 21, 2011 at 4:17 PM, Andres Riancho >>> > <[email protected]> wrote: >>> >> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1) >>> >> >>> >> That's a very old version. Could you please download the latest from >>> >> the w3af site? >>> >> >>> >> Regards, >>> >> >>> >> On Mon, Nov 21, 2011 at 8:12 PM, Shawn Webb <[email protected]> wrote: >>> >>> The version in Ubuntu 11.10's repo exhibits the same behavior. Nor is >>> >>> webSpider really finding anything: >>> >>> >>> >>> w3af>>> http-settings >>> >>> w3af/config:http-settings>>> set cookieJarFile /home/shawn/cookies.txt >>> >>> w3af/config:http-settings>>> back >>> >>> w3af>>> target >>> >>> w3af/config:target>>> set target http://[redacted]/ >>> >>> w3af/config:target>>> back >>> >>> w3af/plugins>>> audit xss, sqli, blindSqli >>> >>> w3af/plugins>>> discovery webSpider >>> >>> w3af/plugins>>> back >>> >>> w3af>>> start >>> >>> Auto-enabling plugin: grep.error500 >>> >>> Auto-enabling plugin: grep.httpAuthDetect >>> >>> The following is a list of broken links that were found by the >>> >>> webSpider plugin: >>> >>> - http://[redacted]/ [ referenced from: http://[redacted]/ ] >>> >>> Found 1 URLs and 1 different points of injection. >>> >>> The list of URLs is: >>> >>> - http://[redacted]/ >>> >>> The list of fuzzable requests is: >>> >>> - http://[redacted]/ | Method: GET >>> >>> Finished scanning process. >>> >>> w3af>>> version >>> >>> w3af - Web Application Attack and Audit Framework >>> >>> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1) >>> >>> Author: Andres Riancho and the w3af team. >>> >>> >>> >>> Thanks, >>> >>> >>> >>> Shawn >>> >>> >>> >>> On Mon, Nov 21, 2011 at 2:11 PM, Shawn Webb <[email protected]> wrote: >>> >>>> Looks like it's gonna be a major pain continuing to do this on >>> >>>> freebsd, since freebsd uses python 2.7 by default. w3af depends on >>> >>>> 2.6. I'll spin up a linux VM and see if it exhibits the same >>> >>>> behavior. >>> >>>> >>> >>>> On Mon, Nov 21, 2011 at 1:45 PM, Javier Andalia <[email protected]> >>> >>>> wrote: >>> >>>>> Hey Shawn, >>> >>>>> >>> >>>>> You can start with installing our last version [0] and tell us if >>> >>>>> that >>> >>>>> still happens. >>> >>>>> >>> >>>>> Regards, >>> >>>>> >>> >>>>> Javier >>> >>>>> >>> >>>>> [0] https://sourceforge.net/projects/w3af/files/w3af/w3af%201.1/ >>> >>>>> >>> >>>>> >>> >>>>> >>> >>>>> On Mon, Nov 21, 2011 at 5:31 PM, Shawn Webb <[email protected]> >>> >>>>> wrote: >>> >>>>>> I'm testing using w3af against my employer's development sites. We >>> >>>>>> use >>> >>>>>> a load balancer based on nginx and haproxy which sets cookies to >>> >>>>>> forward (and keep) the user's browser to a specific lighttpd >>> >>>>>> server. I >>> >>>>>> exported firefox's cookies for our site and am using that with >>> >>>>>> w3af. >>> >>>>>> After running w3af, I see no hits in my lighttpd server's logfiles, >>> >>>>>> which makes be believe w3af isn't respecting the cookieJarFile >>> >>>>>> setting. Is there something other than simply setting that config >>> >>>>>> variable to the file that I should be doing? I just installed w3af >>> >>>>>> on >>> >>>>>> freebsd via ports. >>> >>>>>> >>> >>>>>> w3af version info: Version: 1.0-rc4 (from tgz) >>> >>>>>> >>> >>>>>> Thanks, >>> >>>>>> >>> >>>>>> Shawn >>> >>>>>> >>> >>>>>> >>> >>>>>> ------------------------------------------------------------------------------ >>> >>>>>> All the data continuously generated in your IT infrastructure >>> >>>>>> contains a definitive record of customers, application performance, >>> >>>>>> security threats, fraudulent activity, and more. Splunk takes this >>> >>>>>> data and makes sense of it. IT sense. And common sense. >>> >>>>>> http://p.sf.net/sfu/splunk-novd2d >>> >>>>>> _______________________________________________ >>> >>>>>> W3af-users mailing list >>> >>>>>> [email protected] >>> >>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users >>> >>>>>> >>> >>>>> >>> >>>> >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> >>> All the data continuously generated in your IT infrastructure >>> >>> contains a definitive record of customers, application performance, >>> >>> security threats, fraudulent activity, and more. Splunk takes this >>> >>> data and makes sense of it. IT sense. And common sense. >>> >>> http://p.sf.net/sfu/splunk-novd2d >>> >>> _______________________________________________ >>> >>> W3af-users mailing list >>> >>> [email protected] >>> >>> https://lists.sourceforge.net/lists/listinfo/w3af-users >>> >>> >>> >> >>> >> >>> >> >>> >> -- >>> >> Andrés Riancho >>> >> Director of Web Security at Rapid7 LLC >>> >> Founder at Bonsai Information Security >>> >> Project Leader at w3af >>> >> >>> > >>> >>> >>> >>> -- >>> Andrés Riancho >>> Director of Web Security at Rapid7 LLC >>> Founder at Bonsai Information Security >>> Project Leader at w3af >> > > > > -- > Andrés Riancho > Director of Web Security at Rapid7 LLC > Founder at Bonsai Information Security > Project Leader at w3af > ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d _______________________________________________ W3af-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-users
