Aaron,

On Wed, Apr 30, 2014 at 5:06 PM, Aaron Tracy <atr...@gmail.com> wrote:
> OK, I'll work on generating a certificate. Quick concept question. I'm a
> big JMeter user, and their latest build generates a local certificate on the
> fly that is good for 7 days (set in a configuration file). The program
> creates a certificate every time you hit start, but you really don't need to
> add the certificate until your current one expires in 7 days.
>
> Now with that as a background, in w3af, I'm generating one certificate.
> Will this certificate work for everyone that wants to use it, or will we
> need to update w3af so it generates a new certificate on the fly like in
> JMeter, or is generating one certificate version 1.0 of this process and the
> dynamic certificate generation like version 2.0?
>
> (Here's the documentation section I'm referring to in JMeter in case you're
> interested:
>
> https://jmeter.apache.org/usermanual/component_reference.html#HTTP%28S%29_Test_Script_Recorder

Well, for now I believe that it is a good idea to just generate one CA, one
certificate and simply use that for all w3af traffic.

>
>
> On Wed, Apr 30, 2014 at 12:51 PM, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>>
>> Aaron,
>>
>> Thanks for re-sending to the mailing list :) It really helps the
>> community
>>
>> On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy <atr...@gmail.com> wrote:
>> > Hey Andres,
>> >
>> > I haven't set up a CA before, but google showed me the following
>> > tutorial:
>> >
>> > https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
>> >
>> > I installed openssl and it's working properly on my Mac, however,
>> > before I go too far down this road, I wanted to get a peer review to
>> > make sure I'm on the right track.
>>
>> Good call, I love peer review, hate spending time when I'm unsure.
>>
>> I believe you're on the right track: generating a CA with openssl
>> and then creating a new SSL certificate for the proxy to use.
>>
>> > If so, I'll need to have the caconfig.cnf file information
>> > (see the website) for w3af... if I'm totally off track here, help me
>> > get back on track :D
>>
>> Re: the caconfig.cnf, I would say that you can use the defaults.
>>
>> Please use the "proxy.fake.w3af.org" domain for the cert to generate.
>>
>> Something that would be nice to have is a README.rst file in the
>> directory where this info will live, explaining how to generate new
>> SSL certs, if they need, etc.
>>
>> > I'm logged into w3af on freenode as tracer2000... :D
>>
>> Ah, sorry, I've been offline these days (off-site)
>>
>> > Thanks for the Contributing 101 link :D I'm an avid github user so it
>> > made perfect sense to me :D
>> >
>> > Aaron
>> >
>> >
>> >> On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho
>> >> <andres.rian...@gmail.com> wrote:
>> >>>
>> >>> Aaron,
>> >>>
>> >>> Thanks for the interest mate :) I believe that the best thing to
>> >>> do is:
>> >>>
>> >>> * Create a new CA using openssl, add it to the repository
>> >>> * Use that CA to create a new certificate that will be used
>> >>>   with spiderman
>> >>> * Write a document here [0] about how to configure your
>> >>>   browser to use spiderman with the new CA/cert
>> >>>
>> >>> Once that's done, we'll be able to worry about the migration to
>> >>> libmitmproxy
>> >>>
>> >>> You can send me the code as pull-requests, a guide on how to do it
>> >>> is here:
>> >>> https://github.com/andresriancho/w3af/wiki/Contributing-101
>> >>>
>> >>> Let me know if you find issues in the document, potential
>> >>> improvements, etc. If you get stuck contact me on freenode IRC
>> >>> (__apr__ is my nickname on #w3af)
>> >>>
>> >>> [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
>> >>> [1] https://github.com/andresriancho/w3af/issues/1269
>> >>>
>> >>> On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy <atr...@gmail.com> wrote:
>> >>> > Bring it on Andres! I'll be happy to help out with this! Where do
>> >>> > I start?
>> >>> >
>> >>> >
>> >>> > On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho
>> >>> > <andres.rian...@gmail.com> wrote:
>> >>> >>
>> >>> >> Aaron,
>> >>> >>
>> >>> >> Well, that's actually a very good question! I haven't used the
>> >>> >> spiderman proxy for years, and when I tried now (after reading your
>> >>> >> email) I realized that there is no CA being distributed with w3af.
>> >>> >> The certificate that w3af is using is at [0], but that's kind of
>> >>> >> useless to solve your problem.
>> >>> >>
>> >>> >> A while ago, and without actually hitting this bug, I was on the
>> >>> >> right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
>> >>> >> will have low priority on my TODO list (see that I'm working on 1.6.1,
>> >>> >> a bug fix release, and [1] is in the 1.8 release).
>> >>> >>
>> >>> >> If you're interested in working on this issue, I would gladly
>> >>> >> help/guide you through each step.
>> >>> >>
>> >>> >> [0] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
>> >>> >> [1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
>> >>> >>
>> >>> >> On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
>> >>> >> > Hi! Is there a tutorial somewhere I can follow on how to set up the
>> >>> >> > SSL Certificate Authority (CA) for the spiderman plugin? When I
>> >>> >> > attempt to manually browse my site via the spiderman proxy, I'm
>> >>> >> > presented with the "This connection is untrusted" dialog in Firefox
>> >>> >> > and I'm not permitted to the SSL pages. For Metasploit, I used a
>> >>> >> > certificate that it provided for me and that worked beautifully for
>> >>> >> > their framework. Just curious if there's a certificate I can install
>> >>> >> > for w3af located somewhere that I can install for spiderman or if I
>> >>> >> > can get instructions on how to approach this problem with w3af.
>> >>> >> >
>> >>> >> > Thanks!
>> >>> >> >
>> >>> >> > --
>> >>> >> > Aaron
>> >>> >> >
>> >>> >> > _______________________________________________
>> >>> >> > W3af-users mailing list
>> >>> >> > W3af-users@lists.sourceforge.net
>> >>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>> >>> >>
>> >>> >> --
>> >>> >> Andrés Riancho
>> >>> >> Project Leader at w3af - http://w3af.org/
>> >>> >> Web Application Attack and Audit Framework
>> >>> >> Twitter: @w3af
>> >>> >> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
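
The procedure discussed in this thread (create a CA with openssl, then use it to issue a certificate for the proxy), as an added example that is not part of the original e-mails or of w3af's code. Only the name proxy.fake.w3af.org comes from the thread; file names, subject strings, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: private CA + proxy certificate with openssl.
# File names, subject strings, key sizes and lifetimes are assumptions;
# only the proxy.fake.w3af.org name comes from the thread.
PROXY_CN="proxy.fake.w3af.org"

write_cnf() {   # $1 = directory; one config file holds both extension profiles
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PROXY_CN
EOF
}

make_ca() {     # self-signed root certificate; ca.key is the secret to protect
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Example local proxy CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null && chmod 600 "$1/ca.key"
}

make_proxy_cert() {   # key + CSR for the proxy, then sign the CSR with the CA
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/CN=$PROXY_CN" -keyout "$1/proxy.key" -out "$1/proxy.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/proxy.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$1/pki.cnf" \
        -extensions v3_leaf -out "$1/proxy.crt" 2>/dev/null
}

verify_for_host() {   # $2 = host name; succeeds only if chain and name both match
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/proxy.crt" \
        >/dev/null 2>&1
}

workdir=$(mktemp -d)
write_cnf "$workdir" && make_ca "$workdir" && make_proxy_cert "$workdir"
verify_for_host "$workdir" "$PROXY_CN" && echo "proxy cert chains to $workdir/ca.crt"
```

Only `ca.crt` goes into the browser's trust store. Anyone holding `ca.key` can issue certificates that browser will accept, which is the trade-off behind the single shared CA versus per-install generation question raised in the thread.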