OK,
1- open shell and get root privilege
2- ./w3af_gui
3- enable the following plugins :
audit{blind_sqli - buffer_overflow - cors_origin - csrf - dav - eval -
format_string - frontpage - generic - htaccess_method - ldapi - lfi -
mx_injection - os_commanding - phishing_vector - redos - response_splitting
- rfi - sqli - ssi - xpath - xss - xst}
crawl { dot_listing - find_backdoors - find_dvcs - phishtank -
ria_enumerator - robots_txt - sitemap_xml - web_spider}
grep { ajax - analyze_cookie - blank_body - click_jacking - code_disclosure
- cross_domain_js - csp - directory_indexing - dom_xss - error_500 -
error_pages - file_upload - form_autocomplete - get_emails - hash_analysis
- html_comments - http_auth_detect - http_in_body - lang - meta_tags -
objects - path_disclosure - strange_headers - stange_http_codes -
strange_parameters - starnge_reason - symfony - url_session - wsdl_greper -
xss_protection_header }
infrastructure { allawed_methods - frontpage_version - server_header }
output { console - export_requests - html_file }
4- change Configuration->http Config -> General -> headers_file from empty
to file path containing a cookie
5- change Configuration->http Config ->Cookies - >ignore_session_cookie
from false to true
6- Target { http://127.0.0.1:3000/ }
7- Start
8- crash
I hope that is fine
On Wed, Apr 10, 2013 at 5:07 PM, Andres Riancho <[email protected]>wrote:
> Ok, now it gets interesting... could you please tell me how to
> reproduce the bug? For example:
>
> 1- ./w3af_gui
> 2- Click on X
> 3- Type ...
> 4- Click Start
> 5- Crash
>
> With that, I'll try to reproduce and fix,
>
> On Wed, Apr 10, 2013 at 11:32 AM, Mostafa Kamel
> <[email protected]> wrote:
> > now I am using threading2
> > but still I have the same error
> >
> >
> > On Wed, Apr 10, 2013 at 2:20 PM, Andres Riancho <
> [email protected]>
> > wrote:
> >>
> >> Please use the latest version which is available in the threading2
> >> branch. Here is how to do it:
> >> http://w3af.org/beta-testers-wanted
> >>
> >> I think I'll merge to master today/tomorrow, meanwhile please use
> >> threading2.
> >>
> >> On Wed, Apr 10, 2013 at 9:19 AM, Mostafa Kamel
> >> <[email protected]> wrote:
> >> > w3af - Web Application Attack and Audit Framework
> >> > Version: 1.2
> >> > Revision: unknown
> >> > Author: Andres Riancho and the w3af team.
> >> >
> >> > I download it yesterday using this
> >> >
> >> > git clone https://github.com/andresriancho/w3af.git
> >> >
> >> >
> >> >
> >> > On Wed, Apr 10, 2013 at 2:13 PM, Andres Riancho
> >> > <[email protected]>
> >> > wrote:
> >> >>
> >> >> Which w3af version are you using? Here on my workstation it says:
> >> >>
> >> >> pablo@eulogia:~/workspace/w3af$ ./w3af_console --version
> >> >> w3af - Web Application Attack and Audit Framework
> >> >> Version: 1.5
> >> >> Revision: a708fc6901 - 09 Apr 2013 17:19
> >> >> Author: Andres Riancho and the w3af team.
> >> >>
> >> >> On Wed, Apr 10, 2013 at 8:36 AM, Mostafa Kamel
> >> >> <[email protected]> wrote:
> >> >> > my python version is 2.7.3
> >> >> > also I tried to use w3af_console and every thing is OK
> >> >> >
> >> >> >
> >> >> > On Wed, Apr 10, 2013 at 10:28 AM, Mostafa Kamel
> >> >> > <[email protected]>
> >> >> > wrote:
> >> >> >>
> >> >> >> Andres,
> >> >> >> I used W3af in 2 operating systems trying to find security issues
> in
> >> >> >> my
> >> >> >> webapp on local host ,it is ruby on rails app running on webrick
> >> >> >> server.
> >> >> >> I needed to run authenticated scan so I use HTTP Conf->General ->
> >> >> >> Headerfile to add authenticated cookie in the HTTP headers , also
> I
> >> >> >> enabled
> >> >> >> " webspider plugin " and for output I enabled verbose on console
> >> >> >> then I
> >> >> >> scanned :-
> >> >> >>
> >> >> >> 1- On BackTrack5 : w3af is just crashed and closed left only the
> >> >> >> error
> >> >> >> message on console
> >> >> >> 2- On fedora: w3af opened a new window with title "Dot Viewer"
> >> >> >> carried
> >> >> >> the
> >> >> >> same error message and in the console the error message appeared
> but
> >> >> >> it
> >> >> >> continue scan process till the end, after it done I wasn't able to
> >> >> >> interact
> >> >> >> with w3af_gui or the error window
> >> >> >>
> >> >> >> if you need any other details please tell me
> >> >> >>
> >> >> >>
> >> >> >> On Tue, Apr 9, 2013 at 6:07 PM, Andres Riancho
> >> >> >> <[email protected]>
> >> >> >> wrote:
> >> >> >>>
> >> >> >>> Mostafa,
> >> >> >>>
> >> >> >>> Doesn't look like anything I've seen before. Please send us
> all
> >> >> >>> the information necessary to reproduce in our environment,
> >> >> >>>
> >> >> >>> On Tue, Apr 9, 2013 at 12:12 PM, Mostafa Kamel
> >> >> >>> <[email protected]> wrote:
> >> >> >>> > Hello everyone
> >> >> >>> > please I need help with this error , which make w3af craches
> >> >> >>> >
> >> >> >>> > Warning: <stdin>:2: string ran past end of line
> >> >> >>> > Warning: <stdin>:3: string ran past end of line
> >> >> >>> > Error: <stdin>:3: syntax error near line 3
> >> >> >>> > context: "<GtkTreeIter at 0x583c220>" >>> -- <<<
> "<GtkTreeIter
> >> >> >>> > at
> >> >> >>> > 0x5832920>"}w3af_gui: Fatal IO error 11 (Resource temporarily
> >> >> >>> > unavailable)
> >> >> >>> > on X server :0.
> >> >> >>> >
> >> >> >>> >
> >> >> >>> >
> >> >> >>> >
> >> >> >>> >
> ------------------------------------------------------------------------------
> >> >> >>> > Precog is a next-generation analytics platform capable of
> >> >> >>> > advanced
> >> >> >>> > analytics on semi-structured data. The platform includes APIs
> for
> >> >> >>> > building
> >> >> >>> > apps and a phenomenal toolset for data science. Developers can
> >> >> >>> > use
> >> >> >>> > our toolset for easy data analysis & visualization. Get a free
> >> >> >>> > account!
> >> >> >>> > http://www2.precog.com/precogplatform/slashdotnewsletter
> >> >> >>> > _______________________________________________
> >> >> >>> > W3af-users mailing list
> >> >> >>> > [email protected]
> >> >> >>> > https://lists.sourceforge.net/lists/listinfo/w3af-users
> >> >> >>> >
> >> >> >>>
> >> >> >>>
> >> >> >>>
> >> >> >>> --
> >> >> >>> Andrés Riancho
> >> >> >>> Project Leader at w3af - http://w3af.org/
> >> >> >>> Web Application Attack and Audit Framework
> >> >> >>> Twitter: @w3af
> >> >> >>> GPG: 0x93C344F3
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >>
> >> >> >> Best Regards,
> >> >> >>
> >> >> >> Mostafa Kamel
> >> >> >>
> >> >> >> Software Engineer
> >> >> >>
> >> >> >> Fawry Integrated Systems
> >> >> >>
> >> >> >> Address: El Salam Tower- Eigth Floor- Beside El Salam Hospital
> >> >> >>
> >> >> >> Corniche el Nil, Maadi Cairo
> >> >> >>
> >> >> >> Mob: +2012 2041 6632
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> >
> >> >> > Best Regards,
> >> >> >
> >> >> > Mostafa Kamel
> >> >> >
> >> >> > Software Engineer
> >> >> >
> >> >> > Fawry Integrated Systems
> >> >> >
> >> >> > Address: El Salam Tower- Eigth Floor- Beside El Salam Hospital
> >> >> >
> >> >> > Corniche el Nil, Maadi Cairo
> >> >> >
> >> >> > Mob: +2012 2041 6632
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Andrés Riancho
> >> >> Project Leader at w3af - http://w3af.org/
> >> >> Web Application Attack and Audit Framework
> >> >> Twitter: @w3af
> >> >> GPG: 0x93C344F3
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> >
> >> > Best Regards,
> >> >
> >> > Mostafa Kamel
> >> >
> >> > Software Engineer
> >> >
> >> > Fawry Integrated Systems
> >> >
> >> > Address: El Salam Tower- Eigth Floor- Beside El Salam Hospital
> >> >
> >> > Corniche el Nil, Maadi Cairo
> >> >
> >> > Mob: +2012 2041 6632
> >>
> >>
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >
> >
> >
> >
> > --
> >
> > Best Regards,
> >
> > Mostafa Kamel
> >
> > Software Engineer
> >
> > Fawry Integrated Systems
> >
> > Address: El Salam Tower- Eigth Floor- Beside El Salam Hospital
> >
> > Corniche el Nil, Maadi Cairo
> >
> > Mob: +2012 2041 6632
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
--
Best Regards*,*
*Mostafa Kamel*
*Software Engineer*
*Fawry Integrated Systems*
*Address*: El Salam Tower- Eigth Floor- Beside El Salam Hospital
Corniche el Nil, Maadi Cairo
*Mob: *+2012 2041 6632
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
