Aaron,

Thanks for re-sending to the mailing list :) It really helps the community

On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy <atr...@gmail.com> wrote:
> Hey Andres,
>
> I haven't set up a CA before, but google showed me the following tutorial:
>
> https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
>
> I installed openssl and it's working properly on my Mac, however, before I
> go too far down this road, I wanted to get a peer review to make sure I'm
> on the right track.

Good call, I love peer review, hate spending time when I'm unsure. I believe you're on the right track: generating a CA with openssl and then create a new SSL certificate for the proxy to use.

> If so, I'll need to have the caconfig.cnf file information
> (see the website) for w3af... if I'm totally off track here, help me get
> back on track :D

Re: the caconfig.cnf, I would say that you can use the defaults. Please use the "proxy.fake.w3af.org" domain for the cert to generate. Something that would be nice to have is a README.rst file in the directory where this info will live, explaining how to generate new SSL certs, if they need, etc.

> I'm logged into w3af on freenode as tracer2000... :D

Ah, sorry, I've been offline these days (off-site)

> Thanks for the Contributing 101 link :D I'm an avid github user so it
> made perfect sense to me :D
>
> Aaron
>
>
>> On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho <andres.rian...@gmail.com>
>> wrote:
>>>
>>> Aaron,
>>>
>>> Thanks for the interest mate :) I believe that the best thing to do
>>> is:
>>>
>>> * Create a new CA using openssl, add it to the repository
>>> * Use that CA to create a new certificate that will be used
>>>   with spiderman
>>> * Write a document here [0] about how to configure your
>>>   browser to use spiderman with the new CA/cert
>>>
>>> Once that's done, we'll be able to worry about the migration to
>>> libmitmproxy
>>>
>>> You can send me the code as pull-requests, a guide on how to do it is
>>> here:
>>> https://github.com/andresriancho/w3af/wiki/Contributing-101
>>>
>>> Let me know if you find issues in the document, potential
>>> improvements, etc. If you get stuck contact me on freenode IRC
>>> (__apr__ is my nickname on #w3af)
>>>
>>> [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
>>> [1] https://github.com/andresriancho/w3af/issues/1269
>>>
>>> On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> > Bring it on Andres! I'll be happy to help out with this! Where do I
>>> > start?
>>> >
>>> >
>>> > On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho
>>> > <andres.rian...@gmail.com>
>>> > wrote:
>>> >>
>>> >> Aaron,
>>> >>
>>> >> Well, that's actually a very good question! I haven't used the
>>> >> spiderman proxy for years, and when I tried now (after reading your
>>> >> email) I realized that there is no CA being distributed with w3af. The
>>> >> certificate the w3af is using is at [0], but that's kind of useless to
>>> >> solve your problem.
>>> >>
>>> >> A while ago, and without actually hitting this bug, I was on the
>>> >> right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
>>> >> will have low priority on my TODO list (see that I'm working on 1.6.1,
>>> >> a bug fix release, and [1] is in the 1.8 release).
>>> >>
>>> >> If you're interested in working on this issue, I would gladly
>>> >> help/guide you through each step.
>>> >>
>>> >> [0] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
>>> >> [1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
>>> >>
>>> >> On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> >> > Hi! Is there a tutorial somewhere I can follow on how to set up the
>>> >> > SSL Certificate Authority (CA) for the spiderman plugin? When I
>>> >> > attempt to manually browse my site via the spiderman proxy, I'm
>>> >> > presented with the "This connection is untrusted" dialog in Firefox
>>> >> > and I'm not permitted to the SSL pages. For Metasploit, I used a
>>> >> > certificate that it provided for me and that worked beautifully for
>>> >> > their framework. Just curious if there's a certificate I can install
>>> >> > for w3af located somewhere that I can install for spiderman or if I
>>> >> > can get instructions on how to approach this problem with w3af.
>>> >> >
>>> >> > Thanks!
>>> >> >
>>> >> > --
>>> >> > Aaron
>>> >>
>>> >> --
>>> >> Andrés Riancho
>>> >> Project Leader at w3af - http://w3af.org/
>>> >> Web Application Attack and Audit Framework
>>> >> Twitter: @w3af
>>> >> GPG: 0x93C344F3
>>> >
>>> > --
>>> > Aaron
>>
>> --
>> Aaron
>
> --
> Aaron

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
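
The CA and certificate steps discussed in this thread, as an added example that is not part of the original messages or of the w3af repository: it creates a private CA, signs a server certificate for the "proxy.fake.w3af.org" domain named above, and checks that the chain validates and the name is present as a subjectAltName. File names, the CA subject, key size and lifetimes are assumptions.

```shell
#!/usr/bin/env bash
# Added example: private CA plus a CA-signed certificate for the spiderman
# proxy. File names, CA subject, key size and lifetime are assumptions.
set -eu
PROXY_CN="proxy.fake.w3af.org"        # domain requested in the thread

make_ca() {                           # $1 = output directory
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = spiderman example CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    ( umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null )
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 365 \
        -config "$1/ca.cnf" -out "$1/ca.crt"
}

make_proxy_cert() {                   # $1 = directory holding ca.key and ca.crt
    cat > "$1/proxy.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PROXY_CN
EOF
    ( umask 077; openssl genrsa -out "$1/proxy.key" 2048 2>/dev/null )
    # -config only keeps the CSR step independent of the system openssl.cnf
    openssl req -new -key "$1/proxy.key" -config "$1/ca.cnf" \
        -subj "/CN=$PROXY_CN" -out "$1/proxy.csr"
    openssl x509 -req -in "$1/proxy.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/proxy.ext" \
        -out "$1/proxy.crt" 2>/dev/null
}

verify_proxy_cert() {                 # chain must validate and SAN must match
    openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/proxy.crt" \
        2>/dev/null | grep -q ': OK$' &&
    openssl x509 -in "$1/proxy.crt" -noout -text | grep -q "DNS:$PROXY_CN"
}

out="$(mktemp -d)"                    # throwaway directory for the demo run
make_ca "$out" && make_proxy_cert "$out" && verify_proxy_cert "$out" &&
    echo "CA and proxy certificate written to $out"
```

Only ca.crt is imported into the browser as a trusted authority; ca.key and proxy.key stay on the machine running the proxy.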