Aaron,
Thanks for re-sending to the mailing list :) It really helps the community
On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy <atr...@gmail.com> wrote:
> Hey Andres,
>
> I haven't setup a CA before, but google showed me the following tutorial:
>
> https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
>
> I installed openssl and it's working properly on my Mac, however, before I
> go too far down this road, I wanted to get a peer review to make sure I'm
> on
> the right track.
Good call, I love peer review, hate spending time when I'm unsure.
I believe you're on the right track: generating a CA with openssl
and then create a new SSL certificate for the proxy to use.
> If so, I'll need to have the caconfig.cnf file
> information
> (see the website) for w3af... if I'm totally off track here, help me get
> back on track :D
Re: the caconfig.cnf , I would say that you can use the defaults.
Please use the "proxy.fake.w3af.org" domain for the cert to generate.
Something that would be nice to have is a README.rst file in the
directory where this info will live, explaining how to generate new
SSL certs, if they need, etc.
> I'm logged into w3af on freenode as tracer2000... :D
Ah, sorry, I've been offline these days (off-site)
> Thanks for the Contributing 101 link :D I'm an avid github user so it
> made
> perfect sense to me :D
>
> Aaron
>
>
>> On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho <andres.rian...@gmail.com>
>> wrote:
>>>
>>> Aaron,
>>>
>>> Thanks for the interest mate :) I believe that the best thing to do
>>> is:
>>>
>>> * Create a new CA using openssl, add it to the repository
>>> * Use that CA to create a new certificate that will be used
>>> with spiderman
>>> * Write a document here [0] about how to configure your
>>> browser to use spiderman with the new CA/cert
>>>
>>> Once that's done, we'll be able to worry about the migration to
>>> libmitmproxy
>>>
>>> You can send me the code as pull-requests, a guide on how to do it is
>>> here:
>>> https://github.com/andresriancho/w3af/wiki/Contributing-101
>>>
>>> Let me know if you find issues in the document, potential
>>> improvements, etc. If you get stuck contact me on freenode IRC
>>> (__apr__ is my nickname on #w3af)
>>>
>>> [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
>>> [1] https://github.com/andresriancho/w3af/issues/1269
>>>
>>> On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> > Bring it on Andres! I'll be happy to help out with this! Where do I
>>> > start?
>>> >
>>> >
>>> > On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho
>>> > <andres.rian...@gmail.com>
>>> > wrote:
>>> >>
>>> >> Aaron,
>>> >>
>>> >> Well, that's actually a very good question! I haven't used the
>>> >> spiderman proxy for years, and when I tried now (after reading your
>>> >> email) I realized that there is no CA being distributed with w3af. The
>>> >> certificate the w3af is using is at [0], but that's kind of useless to
>>> >> solve your problem.
>>> >>
>>> >> A while ago, and without actually hitting this bug, I was on the
>>> >> right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
>>> >> will have low priority on my TODO list (see that I'm working on 1.6.1,
>>> >> a bug fix release, and [1] is in the 1.8 release).
>>> >>
>>> >> If you're interested in working on this issue, I would gladly
>>> >> help/guide you though each step.
>>> >>
>>> >> [0]
>>> >>
>>> >>
>>> >> https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
>>> >> [1]
>>> >>
>>> >> https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
>>> >>
>>> >> On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> >> > Hi! Is there a tutorial somewhere I can follow on how to setup the
>>> >> > SSL
>>> >> > Certificate Authority (CA) for the spiderman plugin? When I attempt
>>> >> > to
>>> >> > manually browse my site via the spiderman proxy, I'm presented with
>>> >> > the
>>> >> > "This connection is untrusted" dialog in Firefox and I'm not
>>> >> > permitted
>>> >> > to
>>> >> > the SSL pages. For Metasploit, I used a certificate that it
>>> >> > provided
>>> >> > for me
>>> >> > and that worked beautifully for their framework. Just curious if
>>> >> > there's a
>>> >> > certificate I can install for w3af located somewhere that I can
>>> >> > install
>>> >> > for
>>> >> > spiderman or if I can get instructions on how to approach this
>>> >> > problem
>>> >> > with
>>> >> > w3af.
>>> >> >
>>> >> > Thanks!
>>> >> >
>>> >> > --
>>> >> > Aaron
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > ------------------------------------------------------------------------------
>>> >> > Start Your Social Network Today - Download eXo Platform
>>> >> > Build your Enterprise Intranet with eXo Platform Software
>>> >> > Java Based Open Source Intranet - Social, Extensible, Cloud Ready
>>> >> > Get Started Now And Turn Your Intranet Into A Collaboration Platform
>>> >> > http://p.sf.net/sfu/ExoPlatform
>>> >> > _______________________________________________
>>> >> > W3af-users mailing list
>>> >> > W3af-users@lists.sourceforge.net
>>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>>> >> >
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Andrés Riancho
>>> >> Project Leader at w3af - http://w3af.org/
>>> >> Web Application Attack and Audit Framework
>>> >> Twitter: @w3af
>>> >> GPG: 0x93C344F3
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Aaron
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>>
>>
>> --
>> Aaron
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
>
>
> --
> Aaron
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos. Get
> unparalleled scalability from the best Selenium testing platform available.
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos. Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
