Shafeeque,

On Thu, Aug 8, 2013 at 12:16 PM, Shafeeque O.K [gmail] <[email protected]> wrote:
> Dear Andres,
>
> Thank you for your quick reply.
>
> I will check the links given for testing w3af framework.
>
> Some observations from my testing. They are not major, kindly note that I
> may be wrong, you are welcome to guide me! The points are below.
>
> 1. Once a full-fledged scan is started, if we are trying to stop, the scan
> never terminates, the GUI needs to be forced to close. This is very annoying
> to the user.

Yes, that's a known issue that we've had for a while. I'm not sure if
it's in the issue tracker though. Please report it if you don't find
it.

> 2. The dvwa 1.0.8 is set up in another ubuntu based vm, and the permission
> set for my /var/www directory is root:root, interestingly no blind_sqli, lfi
> is found, I made the permission as root:www-data and then I did the scan it
> gave me a bunch of blind_sqli vulnerabilities detected and along with one lfi
> vulnerability.

I'm not a DVWA user, so I really don't know what's going on there.

> 3. I tried to exploit the local_file_reader exploit detected and I got the
> following error
>
> Exploiting 'local_file_reader'...
> 1 vulnerabilites to exploit
> Checking suitability for vuln 'Local file inclusion vulnerability'...
> ok
> Exploiting...
> Cut algorithm error: len(header+footer)>len(body).

That should never happen I think :D We should check that, but it's
very low priority. If you can send me a way to reproduce that without
depending on a DVWA setup, that would be awesome.

> Done
>
> I did : sudo chown root:www-data
> /var/www/dvwa/external/phpids/0.6/lib/IDS/tmp on my ubuntu vm, able to get
> the shell.

Well, then it's not a w3af issue, it's a DVWA issue where you're
enabling/disabling sections and vulnerabilities of the site which
don't work because specific permissions are required.

> The shell appeared and then during running the payload
> apache_version an exception occurred and it is logged as issue #530 in
> github.

Same as above, if you give me a way to reproduce without installing
DVWA (just a PHP file) I'll work on it.

> Typing in the shell was a bit difficult, it was not smooth at all.

Could you please elaborate more on that?

> 4. Please see the issues #529,

This is not a w3af bug. The php script triggered a 500 exception and
we're letting you know about that

> #525,

See comment in issue tracker

> #521

Fixed, thanks!

> 5.
> Whatever exceptions have occurred, I have logged them under
> graytips/[email protected] , in github issue lists. I will recheck the
> list and inform you if I missed anything.
>
> 6. I am wondering why SQLi in the DVWA is not detected even though I gave
> the cookie file which sets the dvwa security to low. With the same cookie
> details, SQLMap is detecting the SQLi in dvwa.

You should read the HTTP traffic output

> 7. Few items that are related to the profile saving in to different name,
> need to recheck before I report.
>
> Hope my observations will help to improve w3af.
>
> On Thu, Aug 8, 2013 at 8:06 PM, Andres Riancho <[email protected]>
> wrote:
>>
>> Shafeeque,
>>
>> On Thu, Aug 8, 2013 at 11:25 AM, Shafeeque O.K [gmail]
>> <[email protected]> wrote:
>> > Hi,
>> >
>> > I have been playing around with the latest w3af and testing DVWA using
>> > this tool.
>> >
>> > Somehow I am failing to get the SQLi, injection vulnerabilities of DVWA
>> > detected by w3af. I am able to get BlindSQLi bugs. So I decided to
>> > check whether the SQLi is really working (of course it works)
>> >
>> > I understand that there were some unit testing scripts shipped with
>> > earlier w3af. I have seen this on SecurityDojo, however when I run the
>> > SQLi test against the w3af unit testing scripts available in
>> > SecurityDojo, the sqli is not detected.
>> >
>> > I understand the problem is that the script to recreate the required
>> > tables create_tables.sqli is missing, hence the required tables are not
>> > created properly.
>> >
>> > Would like to know whether the framework testing scripts are still valid
>> > against the latest version of w3af, if so where can I get the complete
>> > working scripts.
>>
>> Well, if you really want to run unit-tests for w3af you'll need to
>> install nosetests, more on this here [0]. The scripts you find in the
>> "scripts/" directory are our OLD, really OLD, "unit-tests".
>> Right now we use things like this [1] to verify that our framework works.
>>
>> [0] https://github.com/andresriancho/w3af/wiki/Developer's-Guide
>> [1] https://github.com/andresriancho/w3af/blob/master/plugins/tests/audit/test_sqli.py
>>
>> > During my test I have found interesting observations on latest w3af. I
>> > will compile the lists and send this after reconfirming my experiments.
>> > Meanwhile I look for the support to get the unit testing scripts.
>>
>> Intrigued to know what you've found :)
>>
>> > Thanks in advance.
>> >
>> > --
>> > Regards,
>> > -S-
>> >
>> > _______________________________________________
>> > W3af-users mailing list
>> > [email protected]
>> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
> --
> Regards,
> -S-

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
