Hi, I seem to have run into an app for which I cannot figure out what parameters to use in the auth configuration. Below are the log from w3af and the POST of the login (both sanitized for my protection). Any hints as to what to use, I think, for the parameters (which don't seem to be passed as w3af expects)? Or how to configure w3af for this type of app (the authentication is from IBM SIM/SAM and used webseal).
Thank you!! Log and POST: LOG: [Mon 07 Oct 2013 04:07:35 PM EDT] Cross Site Request Forgery has been found at: https://www.MyDomain.com/qlntlogin.form. This vulnerability was found in the request with id 82. [Mon 07 Oct 2013 04:07:39 PM EDT] The following is a list of broken links that were found by the web_spider plugin: [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ [ referenced from: https://www.MyDomain.com/ ] [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ [ referenced from: https://www.MyDomain.com/qlntlogin.form?token=Unknown ] [Mon 07 Oct 2013 04:07:39 PM EDT] Found 3 URLs and 3 different injections points. [Mon 07 Oct 2013 04:07:39 PM EDT] The URL list is: [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/icons/favicon.ico [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/qlntlogin.form [Mon 07 Oct 2013 04:07:39 PM EDT] The list of fuzzable requests is: [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ | Method: GET [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/icons/favicon.ico | Method: GET [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/qlntlogin.form | Method: POST | Parameters: (username="", password="", login-form-type="pwd") [Mon 07 Oct 2013 04:08:03 PM EDT] An unidentified web application error (HTTP response code 500) was found at: "https://www.MyDomain.com/";. Enable all plugins and try again, if the vulnerability still is not identified, please verify manually and report it to the w3af developers. This vulnerability was found in the request with id 62. [Mon 07 Oct 2013 04:08:03 PM EDT] Scan finished in 34 seconds. Login from Burp: POST /qlntlogin.form?token=Unknown HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: https://www.MyDomain.com/AHCT/DisplayUserLogin.action Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; .NET CLR 1.0.3705; .NET4.0C; .NET4.0E; InfoPath.2) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: www.MyDomain.com Content-Length: 58 Connection: Keep-Alive Cache-Control: no-cache Cookie: akaau=2993344999~id=12345567890abcdeffecba0987654321; PD-H-SESSION-ID=0_zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=; _ga=GA1.2.345678912.1234512345 username=USER1&password=Password1&login-form-type=pwd ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk _______________________________________________ W3af-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-users
