Dave,

On Thu, Aug 15, 2013 at 10:27 PM, Dave Douglas <[email protected]> wrote:
> Hello,
>
> I am trying to scan an application built in Oracle ADF using w3af. I know
> that there is a plugin to get me past the authentication, but I do not
> understand how to make w3af scan the rest of the application, because all of
> the requests use things like javax.faces.ViewState and many other parameters
> which must submit values that were sent in previous responses from the
> server. So for instance, request A returns response A. Response A contains
> a value that I must then use as the value for a parameter in request B.
> Otherwise, request B will fail. Is there a way for w3af to work with this
> level of parameterization in requests?
>
> I have been trying for some time to find a way, and Googling to no avail.
> Please just point me in the right direction. I'm willing to spend time to
> get it working, I just need someone to give me a starting point of where to
> look.

Sadly, I think that w3af won't work well with applications like the one you're describing. We don't support anti-CSRF tokens (which seems to be what you're describing).

> If there is no way to do this, then does w3af support me just manually
> navigating to certain parts of the app, and having it scan that, and then I
> can manually navigate to another part, etc.?

That can be done; take a look at the crawl plugin spider_man.

> Thanks so much!
>
> - Dave
>
> Dave Douglas
> Software Quality Assurance Analyst | AIReS
> 1.888.828.8515 x1859 | 724.601.1051 (mobile)
> [email protected]
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
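The response-to-request chaining Dave describes (a javax.faces.ViewState value from response A that must be resubmitted in request B), as an added example that is not w3af's code or anything from this thread. The form HTML is constructed, and every field name other than javax.faces.ViewState is an assumption; the point is that a crawler must re-read the hidden state from each response rather than replay a stored copy.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed stand-in for "response A" (a JSF-style form). Not a real ADF page;
# only javax.faces.ViewState is a real JSF field name, the rest are assumptions.
RESPONSE_A = """
<html><body>
<form id="f1" method="post" action="/app/faces/page2">
  <input type="hidden" name="javax.faces.ViewState" value="!-1234567890abcdef" />
  <input type="hidden" name="f1_SUBMIT" value="1" />
  <input type="text" name="f1:it1" value="" />
  <input type="submit" name="f1:cb1" value="Next" />
</form>
</body></html>
"""

class HiddenFieldExtractor(HTMLParser):
    """Collect the form action and every hidden <input> name/value pair."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written without "=..."
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def extract_state(html):
    p = HiddenFieldExtractor()
    p.feed(html)
    return p.action, p.hidden

def build_request_b(response_a_html, user_fields):
    """Build request B: carry forward all hidden state from response A
    (including javax.faces.ViewState), then overlay the fields being tested.
    Fails loudly when the token is absent, since the server would reject the request."""
    action, hidden = extract_state(response_a_html)
    if "javax.faces.ViewState" not in hidden:
        raise ValueError("response A carried no javax.faces.ViewState; request B would fail")
    body = dict(hidden)
    body.update(user_fields)  # tested values must not clobber the carried token
    return action, urlencode(body)

if __name__ == "__main__":
    print(build_request_b(RESPONSE_A, {"f1:it1": "hello", "f1:cb1": "Next"}))
```

A scanner that does not do this per response replays a stale ViewState, which is exactly why request B fails in the situation described above.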
