OK, I'll work on generating a certificate.  Quick concept question. I'm a
big JMeter user, and their latest build generates a local certificate on
the fly that is good for 7 days (set in a configuration file).  The program
creates a certificate every time you hit start, but you really don't need to
add the certificate until your current one expires in 7 days.

Now with that as a background, in w3af, I'm generating one certificate.
Will this certificate work for everyone that wants to use it, or will we
need to update w3af so it generates a new certificate on the fly like in
JMeter, or is generating one certificate version 1.0 of this process and
the dynamic certificate generation like version 2.0?

(Here's the documentation section I'm referring to in JMeter in case you're
interested:

https://jmeter.apache.org/usermanual/component_reference.html#HTTP%28S%29_Test_Script_Recorder)



On Wed, Apr 30, 2014 at 12:51 PM, Andres Riancho <andres.rian...@gmail.com> wrote:

> Aaron,
>
>     Thanks for re-sending to the mailing list :) It really helps the community
>
> On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy <atr...@gmail.com> wrote:
> >  Hey Andres,
> >
> >    I haven't set up a CA before, but Google showed me the following tutorial:
> >
> > https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
> >
> >   I installed openssl and it's working properly on my Mac, however, before I
> >   go too far down this road, I wanted to get a peer review to make sure I'm
> >   on the right track.
>
>     Good call, I love peer review, hate spending time when I'm unsure.
>
>     I believe you're on the right track: generating a CA with openssl
> and then creating a new SSL certificate for the proxy to use.
>
> >  If so, I'll need to have the caconfig.cnf file information
> >   (see the website) for w3af... if I'm totally off track here, help me get
> >   back on track :D
>
>     Re: the caconfig.cnf , I would say that you can use the defaults.
>
>     Please use the "proxy.fake.w3af.org" domain for the cert to generate.
>
>     Something that would be nice to have is a README.rst file in the
> directory where this info will live, explaining how to generate new
> SSL certs, if they need, etc.
>
> >    I'm logged into w3af on freenode as tracer2000... :D
>
>     Ah, sorry, I've been offline these days (off-site)
>
> >    Thanks for the Contributing 101 link :D I'm an avid GitHub user so it made
> >   perfect sense to me :D
> >
> > Aaron
> >
> >
> >> On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
> >>>
> >>> Aaron,
> >>>
> >>>     Thanks for the interest mate :) I believe that the best thing to do
> >>> is:
> >>>
> >>>         * Create a new CA using openssl, add it to the repository
> >>>         * Use that CA to create a new certificate that will be used
> >>> with spiderman
> >>>         * Write a document here [0] about how to configure your
> >>> browser to use spiderman with the new CA/cert
> >>>
> >>>     Once that's done, we'll be able to worry about the migration to
> >>> libmitmproxy
> >>>
> >>>     You can send me the code as pull-requests, a guide on how to do it is
> >>> here:
> >>>         https://github.com/andresriancho/w3af/wiki/Contributing-101
> >>>
> >>>     Let me know if you find issues in the document, potential
> >>> improvements, etc. If you get stuck contact me on freenode IRC
> >>> (__apr__ is my nickname on #w3af)
> >>>
> >>> [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
> >>> [1] https://github.com/andresriancho/w3af/issues/1269
> >>>
> >>> On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy <atr...@gmail.com> wrote:
> >>> > Bring it on Andres!  I'll be happy to help out with this!  Where do I
> >>> > start?
> >>> >
> >>> >
> >>> > On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
> >>> >>
> >>> >> Aaron,
> >>> >>
> >>> >>     Well, that's actually a very good question! I haven't used the
> >>> >> spiderman proxy for years, and when I tried now (after reading your
> >>> >> email) I realized that there is no CA being distributed with w3af. The
> >>> >> certificate that w3af is using is at [0], but that's kind of useless to
> >>> >> solve your problem.
> >>> >>
> >>> >>     A while ago, and without actually hitting this bug, I was on the
> >>> >> right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
> >>> >> will have low priority on my TODO list (see that I'm working on 1.6.1,
> >>> >> a bug fix release, and [1] is in the 1.8 release).
> >>> >>
> >>> >>     If you're interested in working on this issue, I would gladly
> >>> >> help/guide you through each step.
> >>> >>
> >>> >> [0] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
> >>> >> [1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
> >>> >>
> >>> >> On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
> >>> >> > Hi!  Is there a tutorial somewhere I can follow on how to set up the SSL
> >>> >> > Certificate Authority (CA) for the spiderman plugin?  When I attempt to
> >>> >> > manually browse my site via the spiderman proxy, I'm presented with the
> >>> >> > "This connection is untrusted" dialog in Firefox and I'm not permitted to
> >>> >> > the SSL pages.  For Metasploit, I used a certificate that it provided for me
> >>> >> > and that worked beautifully for their framework.  Just curious if there's a
> >>> >> > certificate I can install for w3af located somewhere that I can install for
> >>> >> > spiderman or if I can get instructions on how to approach this problem with
> >>> >> > w3af.
> >>> >> >
> >>> >> > Thanks!
> >>> >> >
> >>> >> > --
> >>> >> > Aaron
> >>> >> >
> >>> >> >
> >>> >> >
> >>> >> >
> >>> >> >
> ------------------------------------------------------------------------------
> >>> >> > Start Your Social Network Today - Download eXo Platform
> >>> >> > Build your Enterprise Intranet with eXo Platform Software
> >>> >> > Java Based Open Source Intranet - Social, Extensible, Cloud Ready
> >>> >> > Get Started Now And Turn Your Intranet Into A Collaboration
> Platform
> >>> >> > http://p.sf.net/sfu/ExoPlatform
> >>> >> > _______________________________________________
> >>> >> > W3af-users mailing list
> >>> >> > W3af-users@lists.sourceforge.net
> >>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
> >>> >> >
> >>> >>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Andrés Riancho
> >>> >> Project Leader at w3af - http://w3af.org/
> >>> >> Web Application Attack and Audit Framework
> >>> >> Twitter: @w3af
> >>> >> GPG: 0x93C344F3
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > Aaron
> >>>
> >>>
> >>>
> >>> --
> >>> Andrés Riancho
> >>> Project Leader at w3af - http://w3af.org/
> >>> Web Application Attack and Audit Framework
> >>> Twitter: @w3af
> >>> GPG: 0x93C344F3
> >>
> >>
> >>
> >>
> >> --
> >> Aaron
> >
> >
> >
> > --
> > Andrés Riancho
> > Project Leader at w3af - http://w3af.org/
> > Web Application Attack and Audit Framework
> > Twitter: @w3af
> > GPG: 0x93C344F3
> >
> >
> >
> > --
> > Aaron
> >
> >
> ------------------------------------------------------------------------------
> > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> > Instantly run your Selenium tests across 300+ browser/OS combos.  Get
> > unparalleled scalability from the best Selenium testing platform
> available.
> > Simple to use. Nothing to install. Get started now for free."
> > http://p.sf.net/sfu/SauceLabs
> > _______________________________________________
> > W3af-users mailing list
> > W3af-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-users
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>



-- 
Aaron
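
The approach discussed in this thread, as an added example that is not part of the original messages or of w3af: a CA is created once per install with openssl, and only the proxy.fake.w3af.org leaf is reissued when it nears expiry, so the CA imported into the browser stays the same. File names, the CA subject and the lifetimes are assumptions.

```bash
# Added example, not w3af or JMeter code. File names, the CA subject and
# CA_DAYS are assumptions; proxy.fake.w3af.org is the name from the thread.
set -eu
PROXY_CN="proxy.fake.w3af.org"
CA_DAYS=3650
# Minimal config so the result does not depend on the system openssl.cnf.
write_cfg() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example local proxy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PROXY_CN
EOF
}

# ensure_proxy_cert DIR LEAF_DAYS RENEW_DAYS
# Creates the CA once per install, reissues only the leaf when it has fewer
# than RENEW_DAYS left, and prints which of the three paths was taken.
ensure_proxy_cert() (
    dir=$1; days=$2; renew=$3; did=reused
    umask 077                                   # keys readable by owner only
    write_cfg "$dir/ca.cnf"
    if [ ! -f "$dir/ca.key" ] || [ ! -f "$dir/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
            -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
        rm -f "$dir/proxy.crt"; did=ca-and-leaf-generated
    fi
    if [ ! -f "$dir/proxy.crt" ] || ! openssl x509 -noout -in "$dir/proxy.crt" \
            -checkend $((renew * 86400)) >/dev/null; then
        [ "$did" = reused ] && did=leaf-reissued
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$PROXY_CN" \
            -config "$dir/ca.cnf" -keyout "$dir/proxy.key" -out "$dir/proxy.csr" 2>/dev/null
        openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -sha256 -days "$days" -extfile "$dir/ca.cnf" \
            -extensions leaf -out "$dir/proxy.crt" 2>/dev/null
    fi
    openssl verify -CAfile "$dir/ca.crt" "$dir/proxy.crt" >/dev/null
    echo "$did"
)
```

Because the CA key is generated locally and never shared, importing ca.crt into a browser only extends trust to that one installation's proxy.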