Shawn,
Could you please send me the URL in a private email so I can try
to reproduce your issue?
On Mon, Nov 21, 2011 at 10:32 PM, Shawn Webb <[email protected]> wrote:
> w3af stops after scanning just a single page, even though the
> webSpider discovery plugin is enabled.
>
> On Mon, Nov 21, 2011 at 5:29 PM, Andres Riancho
> <[email protected]> wrote:
>> Shawn,
>>
>> w3af shouldn't stop after that warning, is it?
>>
>> On Mon, Nov 21, 2011 at 9:25 PM, Shawn Webb <[email protected]> wrote:
>>> I guess that's what I'm reporting.
>>>
>>> On Nov 21, 2011 5:11 PM, "Andres Riancho" <[email protected]> wrote:
>>>>
>>>> Shawn,
>>>>
>>>> While w3af is officially supported under 2.6 it should work as
>>>> expected in 2.7 (let us know if it doesn't).
>>>>
>>>> Regards,
>>>>
>>>> On Mon, Nov 21, 2011 at 8:19 PM, Shawn Webb <[email protected]> wrote:
>>>> > Just tried. Looks like it's not liking that the whole world has moved
>>>> > on beyond Python 2.6. I even changed the shebang line to match the
>>>> > python2.6 binary and the latest w3af still complains about only being
>>>> > supported in Python 2.6, even though it is running in Python 2.6.
>>>> >
>>>> > On Mon, Nov 21, 2011 at 4:17 PM, Andres Riancho
>>>> > <[email protected]> wrote:
>>>> >> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>>>> >>
>>>> >> That's a very old version. Could you please download the latest from
>>>> >> the w3af site?
>>>> >>
>>>> >> Regards,
>>>> >>
>>>> >> On Mon, Nov 21, 2011 at 8:12 PM, Shawn Webb <[email protected]> wrote:
>>>> >>> The version in Ubuntu 11.10's repo exhibits the same behavior. Nor is
>>>> >>> webSpider really finding anything:
>>>> >>>
>>>> >>> w3af>>> http-settings
>>>> >>> w3af/config:http-settings>>> set cookieJarFile /home/shawn/cookies.txt
>>>> >>> w3af/config:http-settings>>> back
>>>> >>> w3af>>> target
>>>> >>> w3af/config:target>>> set target http://[redacted]/
>>>> >>> w3af/config:target>>> back
>>>> >>> w3af/plugins>>> audit xss, sqli, blindSqli
>>>> >>> w3af/plugins>>> discovery webSpider
>>>> >>> w3af/plugins>>> back
>>>> >>> w3af>>> start
>>>> >>> Auto-enabling plugin: grep.error500
>>>> >>> Auto-enabling plugin: grep.httpAuthDetect
>>>> >>> The following is a list of broken links that were found by the
>>>> >>> webSpider plugin:
>>>> >>> - http://[redacted]/ [ referenced from: http://[redacted]/ ]
>>>> >>> Found 1 URLs and 1 different points of injection.
>>>> >>> The list of URLs is:
>>>> >>> - http://[redacted]/
>>>> >>> The list of fuzzable requests is:
>>>> >>> - http://[redacted]/ | Method: GET
>>>> >>> Finished scanning process.
>>>> >>> w3af>>> version
>>>> >>> w3af - Web Application Attack and Audit Framework
>>>> >>> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>>>> >>> Author: Andres Riancho and the w3af team.
>>>> >>>
>>>> >>> Thanks,
>>>> >>>
>>>> >>> Shawn
>>>> >>>
>>>> >>> On Mon, Nov 21, 2011 at 2:11 PM, Shawn Webb <[email protected]> wrote:
>>>> >>>> Looks like it's gonna be a major pain continuing to do this on
>>>> >>>> FreeBSD, since FreeBSD uses Python 2.7 by default. w3af depends on
>>>> >>>> 2.6. I'll spin up a Linux VM and see if it exhibits the same
>>>> >>>> behavior.
>>>> >>>>
>>>> >>>> On Mon, Nov 21, 2011 at 1:45 PM, Javier Andalia <[email protected]> wrote:
>>>> >>>>> Hey Shawn,
>>>> >>>>>
>>>> >>>>> You can start with installing our last version [0] and tell us if that
>>>> >>>>> still happens.
>>>> >>>>>
>>>> >>>>> Regards,
>>>> >>>>>
>>>> >>>>> Javier
>>>> >>>>>
>>>> >>>>> [0] https://sourceforge.net/projects/w3af/files/w3af/w3af%201.1/
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> On Mon, Nov 21, 2011 at 5:31 PM, Shawn Webb <[email protected]> wrote:
>>>> >>>>>> I'm testing using w3af against my employer's development sites. We use
>>>> >>>>>> a load balancer based on nginx and haproxy which sets cookies to
>>>> >>>>>> forward (and keep) the user's browser to a specific lighttpd server. I
>>>> >>>>>> exported Firefox's cookies for our site and am using that with w3af.
>>>> >>>>>> After running w3af, I see no hits in my lighttpd server's logfiles,
>>>> >>>>>> which makes me believe w3af isn't respecting the cookieJarFile
>>>> >>>>>> setting. Is there something other than simply setting that config
>>>> >>>>>> variable to the file that I should be doing? I just installed w3af on
>>>> >>>>>> FreeBSD via ports.
>>>> >>>>>>
>>>> >>>>>> w3af version info: Version: 1.0-rc4 (from tgz)
>>>> >>>>>>
>>>> >>>>>> Thanks,
>>>> >>>>>>
>>>> >>>>>> Shawn
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>> ------------------------------------------------------------------------------
>>>> >>>>>> All the data continuously generated in your IT infrastructure
>>>> >>>>>> contains a definitive record of customers, application performance,
>>>> >>>>>> security threats, fraudulent activity, and more. Splunk takes this
>>>> >>>>>> data and makes sense of it. IT sense. And common sense.
>>>> >>>>>> http://p.sf.net/sfu/splunk-novd2d
>>>> >>>>>> _______________________________________________
>>>> >>>>>> W3af-users mailing list
>>>> >>>>>> [email protected]
>>>> >>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>> >>>>>>
>>>> >>>>>
>>>> >>>>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Andrés Riancho
>>>> >> Director of Web Security at Rapid7 LLC
>>>> >> Founder at Bonsai Information Security
>>>> >> Project Leader at w3af
>>>> >>
>>>> >
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
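
A check related to the cookieJarFile question quoted above, added here as an example (not from the thread and not w3af code): it reports which entries of an exported cookies.txt survive loading by Python's standard `MozillaCookieJar`. That w3af reads the file this way is an assumption, and the file contents, host and cookie names are constructed.

```python
import http.cookiejar
import os
import tempfile

# Constructed cookies.txt in Netscape format; host and cookie names are invented.
# Tab-separated fields: domain, subdomain flag, path, secure, expiry (epoch), name, value
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "dev.example.test\tFALSE\t/\tFALSE\t0\tSERVERID\tweb2",           # session cookie
    "dev.example.test\tFALSE\t/\tFALSE\t4102444800\tprefs\tdark",      # expires 2100
    "dev.example.test\tFALSE\t/\tFALSE\t1000000000\toldsession\tabc",  # expired 2001
]) + "\n"


def _load(path, **flags):
    jar = http.cookiejar.MozillaCookieJar()
    jar.load(path, **flags)  # raises LoadError if the magic first line is missing
    return list(jar)


def audit_cookie_file(text):
    """Return {cookie name: status} for cookies.txt content loaded with default flags."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        try:
            # Load once keeping everything, once with the defaults, and compare.
            everything = _load(path, ignore_discard=True, ignore_expires=True)
            kept = {c.name for c in _load(path)}
        except http.cookiejar.LoadError as exc:
            return {"<file>": "rejected: %s" % exc}
    finally:
        os.unlink(path)
    report = {}
    for cookie in everything:
        if cookie.name in kept:
            report[cookie.name] = "loaded"
        elif cookie.discard or cookie.expires == 0:
            # Exporters write session cookies with an empty or zero expiry.
            report[cookie.name] = "dropped: session cookie"
        else:
            report[cookie.name] = "dropped: expired"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit_cookie_file(SAMPLE_JAR).items()):
        print("%-12s %s" % (name, status))
```

Load-balancer persistence cookies are often session cookies, which is the entry type reported as dropped.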