Which auth plugin are you using? How did you configure it? On Mon, Oct 7, 2013 at 5:46 PM, Marc <m...@marcd.org> wrote: > Hi, > > I seem to have run into an app for which I cannot figure out what > parameters to use in the auth configuration. Below are the log from w3af > and the POST of the login (both sanitized for my protection). Any hints > as to what to use, I think, for the parameters (which don't seem to be > passed as w3af expects)? Or how to configure w3af for this type of app > (the authentication is from IBM SIM/SAM and used webseal). > > Thank you!! Log and POST: > > LOG: > > [Mon 07 Oct 2013 04:07:35 PM EDT] Cross Site Request Forgery has been > found at: https://www.MyDomain.com/qlntlogin.form. This vulnerability was > found in the request with id 82. > [Mon 07 Oct 2013 04:07:39 PM EDT] The following is a list of broken links > that were found by the web_spider plugin: > [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ [ referenced > from: https://www.MyDomain.com/ ] > [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ [ referenced > from: https://www.MyDomain.com/qlntlogin.form?token=Unknown ] > [Mon 07 Oct 2013 04:07:39 PM EDT] Found 3 URLs and 3 different injections > points. > [Mon 07 Oct 2013 04:07:39 PM EDT] The URL list is: > [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ > [Mon 07 Oct 2013 04:07:39 PM EDT] - > https://www.MyDomain.com/icons/favicon.ico > [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/qlntlogin.form > [Mon 07 Oct 2013 04:07:39 PM EDT] The list of fuzzable requests is: > [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ | Method: GET > [Mon 07 Oct 2013 04:07:39 PM EDT] - > https://www.MyDomain.com/icons/favicon.ico | Method: GET > [Mon 07 Oct 2013 04:07:39 PM EDT] - > https://www.MyDomain.com/qlntlogin.form | Method: POST | Parameters: > (username="", password="", login-form-type="pwd") > [Mon 07 Oct 2013 04:08:03 PM EDT] An unidentified web application error > (HTTP response code 500) was found at: "https://www.MyDomain.com/";. Enable > all plugins and try again, if the vulnerability still is not identified, > please verify manually and report it to the w3af developers. This > vulnerability was found in the request with id 62. > [Mon 07 Oct 2013 04:08:03 PM EDT] Scan finished in 34 seconds. > > > > Login from Burp: > > > POST /qlntlogin.form?token=Unknown HTTP/1.1 > Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, > application/x-shockwave-flash, application/x-ms-application, > application/x-ms-xbap, application/vnd.ms-xpsdocument, > application/xaml+xml, application/vnd.ms-excel, > application/vnd.ms-powerpoint, application/msword, */* > Referer: https://www.MyDomain.com/AHCT/DisplayUserLogin.action > Accept-Language: en-us > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; > Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR > 3.5.30729; MS-RTC LM 8; .NET CLR 1.0.3705; .NET4.0C; .NET4.0E; InfoPath.2) > Content-Type: application/x-www-form-urlencoded > Accept-Encoding: gzip, deflate > Host: www.MyDomain.com > Content-Length: 58 > Connection: Keep-Alive > Cache-Control: no-cache > Cookie: akaau=2993344999~id=12345567890abcdeffecba0987654321; > PD-H-SESSION-ID=0_zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=; > _ga=GA1.2.345678912.1234512345 > > username=USER1&password=Password1&login-form-type=pwd > > > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk > _______________________________________________ > W3af-users mailing list > W3af-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/w3af-users
-- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk _______________________________________________ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users
