Hi,

Cool :)

What is the security level of DVWA?

--
Cordialement, Best regards,
Dominique Righetto
[email protected]
[email protected]
Twitter: @righettod
GPG: 0x323D19BA
http://www.righettod.eu
"No trees were killed to send this message, but a large number of electrons
were terribly inconvenienced."


On Mon, Aug 5, 2013 at 9:00 PM, Shafeeque O.K [gmail]
<[email protected]>wrote:

> Hi Dom,
>
> Finally I got: Login success for admin/password
>
> Could not identify where the problem is. I did a fresh installation of
> w3af on my Kali box and got the login success. However, w3af did not detect
> any SQLi. I have enabled the BlindSQLi, SQLi, XSS audit plugins. Any guess?
>
> Thanks very much for your guidance.
>
>
> On Mon, Aug 5, 2013 at 10:46 PM, Shafeeque O.K [gmail] <
> [email protected]> wrote:
>
>> I did not do this comparison. Please tell me the way to see each
>> HTTP request sent by w3af. When verbose is on, the console is cluttered. Is
>> there a way to write the requests to a file?
>>
>>
>>
>>
>> On Mon, Aug 5, 2013 at 10:38 PM, Dominique Righetto <
>> [email protected]> wrote:
>>
>>> If you compare a request sent with the script and a request sent with a
>>> browser, do you see some differences?
>>>
>>> --
>>> Cordialement, Best regards,
>>> Dominique Righetto
>>> [email protected]
>>> [email protected]
>>> Twitter: @righettod
>>> GPG: 0x323D19BA
>>> http://www.righettod.eu
>>> "No trees were killed to send this message, but a large number of
>>> electrons were terribly inconvenienced."
>>>
>>>
>>> On Mon, Aug 5, 2013 at 11:47 AM, Shafeeque O.K [gmail] <
>>> [email protected]> wrote:
>>>
>>>> Hi Dom,
>>>>
>>>> I think I can see the raw format when I intercepted it through WebScarab,
>>>> as follows.
>>>>
>>>> POST http://localhost:80/dvwa/login.php HTTP/1.1
>>>> Host: localhost
>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
>>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> Accept-Language: en-US,en;q=0.5
>>>> Accept-Encoding: gzip, deflate
>>>> Referer: http://localhost/dvwa/login.php
>>>> Cookie: security=low; PHPSESSID=4na6citmalocq8agjndeb88h41
>>>> Connection: keep-alive
>>>> Content-Type: application/x-www-form-urlencoded
>>>> Content-length: 44
>>>>
>>>> username=admin&password=password&Login=Login
>>>>
>>>>
>>>> Hope this helps to troubleshoot.
>>>>
>>>>
>>>> On Mon, Aug 5, 2013 at 2:40 PM, Dominique Righetto <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Is the request parameter format "username=%U&password=%P&Login=Login"
>>>>> still valid for your version of DVWA for the login page?
>>>>>
>>>>> Dom
>>>>>
>>>>> --
>>>>> Cordialement, Best regards,
>>>>> Dominique Righetto
>>>>> [email protected]
>>>>> [email protected]
>>>>> Twitter: @righettod
>>>>> GPG: 0x323D19BA
>>>>> http://www.righettod.eu
>>>>> "No trees were killed to send this message, but a large number of
>>>>> electrons were terribly inconvenienced."
>>>>>
>>>>>
>>>>> On Mon, Aug 5, 2013 at 7:53 AM, Shafeeque O.K [gmail] <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to run, using the console and GUI versions of w3af, an
>>>>>> automated test against DVWA version DVWA-1.0.8.
>>>>>>
>>>>>> The script is below.
>>>>>>
>>>>>> # -----------------------------------------------------------------------------------------------------------
>>>>>> #Configure HTTP settings
>>>>>> http-settings
>>>>>> set timeout 30
>>>>>> back
>>>>>> #Configure scanner global behaviors
>>>>>> plugins
>>>>>> #Configure entry point (CRAWLING) scanner
>>>>>> crawl web_spider
>>>>>> crawl config web_spider
>>>>>> set only_forward False
>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>> back
>>>>>> #Configure vulnerability scanners
>>>>>> ##Specify list of AUDIT plugins type to use
>>>>>> audit blind_sqli,sqli,xss
>>>>>> ##Customize behavior of each audit plugin when needed
>>>>>>
>>>>>> ##Specify list of GREP plugins type to use (a grep plugin is a type of plugin that can also find vulnerabilities or information disclosure)
>>>>>>
>>>>>> ##Specify list of INFRASTRUCTURE plugins type to use (an infrastructure plugin is a type of plugin that can find information disclosure)
>>>>>>
>>>>>> #Configure target authentication
>>>>>> auth detailed
>>>>>> auth config detailed
>>>>>> set username admin
>>>>>> set password password
>>>>>> set method POST
>>>>>> set auth_url http://localhost/dvwa/login.php
>>>>>> set username_field username
>>>>>> set password_field password
>>>>>> set check_url http://localhost/dvwa/index.php
>>>>>> set check_string 'admin'
>>>>>> set data_format username=%U&password=%P&Login=Login
>>>>>> back
>>>>>> #Configure reporting in order to generate an HTML report
>>>>>> output console, html_file
>>>>>> output config html_file
>>>>>> set output_file /tmp/W3afrpt.html
>>>>>> set verbose True
>>>>>> back
>>>>>> output config console
>>>>>> set verbose False
>>>>>> back
>>>>>> back
>>>>>> #Set target information, do a cleanup and run the scan
>>>>>> target
>>>>>> set target http://localhost/dvwa
>>>>>> set target_os unix
>>>>>> set target_framework php
>>>>>> back
>>>>>> cleanup
>>>>>> start
>>>>>>
>>>>>> Observed the following:
>>>>>>
>>>>>> Can't log in to the web application as admin/password
>>>>>>
>>>>>> My OS : Kali
>>>>>>
>>>>>> Please guide.
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> -S-
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> W3af-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> -S-
>>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>> -S-
>>
>
>
>
> --
> Regards,
> -S-
>
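As an added example (not code from the thread, from w3af or from DVWA), the script below replays the `auth detailed` login configuration posted in the thread in plain Python, writes each raw request and response to a log so they can be compared with the WebScarab capture, and reads the DVWA `security` cookie that Dom asks about. The transport functions, the offline DVWA stand-in and the log path are assumptions made for this example.

```python
import http.cookiejar, http.cookies, sys, urllib.error, urllib.parse, urllib.request

# Constructed to mirror the `auth config detailed` settings in the thread.
AUTH_CFG = {"auth_url": "http://localhost/dvwa/login.php", "username": "admin", "password": "password",
            "check_url": "http://localhost/dvwa/index.php", "check_string": "admin",
            "data_format": "username=%U&password=%P&Login=Login"}

def build_login_body(data_format, username, password):
    """Fill the %U/%P placeholders of data_format (URL-encoding the values is this script's choice)."""
    return (data_format.replace("%U", urllib.parse.quote_plus(username))
                       .replace("%P", urllib.parse.quote_plus(password)))

def dvwa_security_level(set_cookie_headers):
    """Value of DVWA's `security` cookie (e.g. 'low') from a list of Set-Cookie headers, or None."""
    for hdr in set_cookie_headers:
        jar = http.cookies.SimpleCookie(hdr)
        if "security" in jar:
            return jar["security"].value
    return None

def urllib_transport():
    """Real HTTP transport with a cookie jar: (method, url, body) -> (status, set_cookies, text)."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    def send(method, url, body):
        try:
            resp = opener.open(urllib.request.Request(url, data=body, method=method), timeout=30)
        except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers and a body
            resp = err
        return resp.status, resp.headers.get_all("Set-Cookie") or [], resp.read().decode("utf-8", "replace")
    return send

def fake_dvwa_transport(real_password):
    """Constructed offline stand-in for DVWA: a correct POST opens a session; index.php greets only then."""
    state = {"logged_in": False}
    def send(method, url, body):
        if method == "POST" and url.endswith("login.php"):
            state["logged_in"] = urllib.parse.parse_qs(body.decode()).get("password") == [real_password]
            return 302, ["security=low; path=/dvwa/", "PHPSESSID=constructed; path=/dvwa/"], ""
        return (200, [], "<h1>Welcome admin</h1>") if state["logged_in"] else (302, [], "")
    return send

def check_login(cfg, transport, log=sys.stderr):
    """Replay `auth detailed` and log each raw request/response; success iff check_string is in the check_url body."""
    body = build_login_body(cfg["data_format"], cfg["username"], cfg["password"]).encode()
    status, cookies, _ = transport("POST", cfg["auth_url"], body)
    log.write(f"POST {cfg['auth_url']}\n{body.decode()}\n-> {status}, security={dvwa_security_level(cookies)}\n\n")
    status, _, text = transport("GET", cfg["check_url"], None)
    log.write(f"GET {cfg['check_url']}\n-> {status}\n{text[:300]}\n\n")
    return cfg["check_string"] in text

if __name__ == "__main__":  # run against your own DVWA lab; the log goes to a file instead of stderr
    with open("/tmp/w3af-auth-debug.log", "a", encoding="utf-8") as fh:
        print("login ok:", check_login(AUTH_CFG, urllib_transport(), fh))
```

If the logged POST body or the response differ from what the browser sends (for example a changed form field name or a missing `security` cookie), that difference is what the `data_format` and `check_string` settings in the script need to follow.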