Hi,

Update: Authentication is working using the 'detailed login' as below. 
Seems to have been a web application issue.  Thank you.  Great tool - and
written in my favorite language.

I tried both auth plugins.  For the Basic plugin I used:

Username – User1
password – password
username_field – username
password_field – password
auth_url -  https://www.MyDomain.com/qlntlogin.form
check_url - https://www.MyDomain.com.com/AHCT/UserLogin.action
check_string – User1 (which appears at the top of the screen as a 'my
account' menu heading when the user is logged in)

For the Detailed login, all the above were the same, for the data format,
I tried various things (including  %u=%U&%p=%P&login-form-type=pwd).  The
method I left as POST.

Thank you!

Best Regards,

Marc

> Which auth plugin are you using? How did you configure it?
> On Mon, Oct 7, 2013 at 5:46 PM, Marc <[email protected]> wrote:
>> Hi,
>> I seem to have run into an app for which I cannot figure out what
>> parameters to use in the auth configuration.  Below are the log from
>> w3af and the POST of the login (both sanitized for my protection).  Any
>> hints as to what to use, I think, for the parameters (which don't seem to be
>> passed as w3af expects)?  Or how to configure w3af for this type of app
>> (the authentication is from IBM SIM/SAM and used webseal).
>> Thank you!!  Log and POST:
>> LOG:
>> [Mon 07 Oct 2013 04:07:35 PM EDT] Cross Site Request Forgery has been
>> found at: https://www.MyDomain.com/qlntlogin.form. This vulnerability was
>> found in the request with id 82.
>> [Mon 07 Oct 2013 04:07:39 PM EDT] The following is a list of broken links
>> that were found by the web_spider plugin:
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ [ referenced
>> from: https://www.MyDomain.com/ ]
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ [ referenced
>> from: https://www.MyDomain.com/qlntlogin.form?token=Unknown ]
>> [Mon 07 Oct 2013 04:07:39 PM EDT] Found 3 URLs and 3 different injection
>> points.
>> [Mon 07 Oct 2013 04:07:39 PM EDT] The URL list is:
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/icons/favicon.ico
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/qlntlogin.form
>> [Mon 07 Oct 2013 04:07:39 PM EDT] The list of fuzzable requests is:
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/ | Method: GET
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/icons/favicon.ico | Method: GET
>> [Mon 07 Oct 2013 04:07:39 PM EDT] - https://www.MyDomain.com/qlntlogin.form | Method: POST | Parameters:
>> (username="", password="", login-form-type="pwd")
>> [Mon 07 Oct 2013 04:08:03 PM EDT] An unidentified web application error
>> (HTTP response code 500) was found at: "https://www.MyDomain.com/". Enable
>> all plugins and try again, if the vulnerability still is not identified,
>> please verify manually and report it to the w3af developers. This
>> vulnerability was found in the request with id 62.
>> [Mon 07 Oct 2013 04:08:03 PM EDT] Scan finished in 34 seconds.
>> Login from Burp:
>> POST /qlntlogin.form?token=Unknown HTTP/1.1
>> Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
>> application/x-shockwave-flash, application/x-ms-application,
>> application/x-ms-xbap, application/vnd.ms-xpsdocument,
>> application/xaml+xml, application/vnd.ms-excel,
>> application/vnd.ms-powerpoint, application/msword, */*
>> Referer: https://www.MyDomain.com/AHCT/DisplayUserLogin.action
>> Accept-Language: en-us
>> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
>> Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
>> 3.5.30729; MS-RTC LM 8; .NET CLR 1.0.3705; .NET4.0C; .NET4.0E;
>> InfoPath.2)
>> Content-Type: application/x-www-form-urlencoded
>> Accept-Encoding: gzip, deflate
>> Host: www.MyDomain.com
>> Content-Length: 58
>> Connection: Keep-Alive
>> Cache-Control: no-cache
>> Cookie: akaau=2993344999~id=12345567890abcdeffecba0987654321;
>> PD-H-SESSION-ID=0_zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=;
>> _ga=GA1.2.345678912.1234512345
>> username=USER1&password=Password1&login-form-type=pwd
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
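As an added illustration of how the pieces of the detailed-login configuration above fit together (example code written for this thread, not w3af's own plugin): the data format is expanded with the username/password field names and values, POSTed to auth_url, and the session is then confirmed by fetching check_url and looking for check_string. The HTTP transport is injected so the flow runs offline against a constructed stand-in for the form in the quoted POST; the host, field names and PD-H-SESSION-ID cookie are the thread's placeholders.

```python
"""Expand a w3af-style detailed-login data format, post it, verify the session.
Example code added to this thread; it is not w3af's own plugin implementation."""
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, quote_plus

# Constructed config using the placeholder values from the thread.
CONFIG = {
    "username": "User1", "password": "password",
    "username_field": "username", "password_field": "password",
    "auth_url": "https://www.MyDomain.com/qlntlogin.form",
    "check_url": "https://www.MyDomain.com/AHCT/UserLogin.action",
    "check_string": "User1",
    "data_format": "%u=%U&%p=%P&login-form-type=pwd",
}

# transport(method, url, body, cookie_jar) -> (status, response_text)
Transport = Callable[[str, str, str, Dict[str, str]], Tuple[int, str]]


def expand_data_format(cfg: Dict[str, str]) -> str:
    """%u/%p -> field names, %U/%P -> values.  Values are URL-encoded first
    (an assumption of this example) so '&' or '=' in a password cannot add
    or split form fields; once encoded they contain no '%u'/'%p' tokens."""
    body = cfg["data_format"]
    body = body.replace("%U", quote_plus(cfg["username"]))
    body = body.replace("%P", quote_plus(cfg["password"]))
    return body.replace("%u", cfg["username_field"]).replace("%p", cfg["password_field"])


def login_and_verify(cfg: Dict[str, str], transport: Transport) -> bool:
    """POST the expanded form to auth_url, then confirm check_string appears
    at check_url when the cookies the server handed back are presented."""
    jar: Dict[str, str] = {}
    status, _ = transport("POST", cfg["auth_url"], expand_data_format(cfg), jar)
    if status >= 400:
        return False
    status, text = transport("GET", cfg["check_url"], "", jar)
    return status == 200 and cfg["check_string"] in text


def fake_webseal(method: str, url: str, body: str, jar: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the form in the quoted POST: all three fields,
    including the hidden login-form-type=pwd, are required before a session
    cookie is issued; the account page shows the user name only with it."""
    if method == "POST" and url.endswith("/qlntlogin.form"):
        form = parse_qs(body)
        if (form.get("username") == ["User1"] and form.get("password") == ["password"]
                and form.get("login-form-type") == ["pwd"]):
            jar["PD-H-SESSION-ID"] = "constructed-session-id"
            return 302, ""
        return 200, "Login failed"
    if method == "GET" and url.endswith("/UserLogin.action"):
        if jar.get("PD-H-SESSION-ID") == "constructed-session-id":
            return 200, "<a href='/account'>User1</a> My Account"
        return 200, "Please log in"
    return 404, ""
```

Dropping login-form-type=pwd from the data format makes the stand-in reject the login, which is the kind of hidden field the quoted POST shows a browser sending and a hand-written data format must reproduce.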
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users