Aaron,

On Wed, Apr 30, 2014 at 5:06 PM, Aaron Tracy <atr...@gmail.com> wrote:
> OK, I'll work on generating a certificate.  Quick concept question. I'm a
> big JMeter user, and their latest build generates a local certificate on the
> fly that is good for 7 days (set in a configuration file).  The program
> creates a certificate every time you hit start, but you really don't need to
> add the certificate until your current one expires in 7 days.
>
> Now with that as a background, in w3af, I'm generating one certificate.
> Will this certificate work for everyone that wants to use it, or will we
> need to update w3af so it generates a new certificate on the fly like in
> JMeter, or is generating one certificate version 1.0 of this process and the
> dynamic certificate generation like version 2.0?
>
> (Here's the documentation section I'm referring to in JMeter in case you're
> interested:
>
> https://jmeter.apache.org/usermanual/component_reference.html#HTTP%28S%29_Test_Script_Recorder

    Well, for now I believe that it is a good idea to just generate
one CA, one certificate and simply use that for all w3af traffic.

>
>
> On Wed, Apr 30, 2014 at 12:51 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>
>> Aaron,
>>
>>     Thanks for re-sending to the mailing list :) It really helps the community
>>
>> On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy <atr...@gmail.com> wrote:
>> >  Hey Andres,
>> >
>> >    I haven't set up a CA before, but Google showed me the following tutorial:
>> >
>> >
>> > https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
>> >
>> >   I installed openssl and it's working properly on my Mac, however, before I
>> >   go too far down this road, I wanted to get a peer review to make sure I'm
>> >   on the right track.
>>
>>     Good call, I love peer review, hate spending time when I'm unsure.
>>
>>     I believe you're on the right track: generating a CA with openssl
>> and then creating a new SSL certificate for the proxy to use.
>>
>> >  If so, I'll need to have the caconfig.cnf file information
>> >   (see the website) for w3af... if I'm totally off track here, help me get
>> >   back on track :D
>>
>>     Re: the caconfig.cnf , I would say that you can use the defaults.
>>
>>     Please use the "proxy.fake.w3af.org" domain for the cert to generate.
>>
>>     Something that would be nice to have is a README.rst file in the
>> directory where this info will live, explaining how to generate new
>> SSL certs, if they need, etc.
>>
>> >    I'm logged into w3af on freenode as tracer2000... :D
>>
>>     Ah, sorry, I've been offline these days (off-site)
>>
>> >    Thanks for the Contributing 101 link :D I'm an avid github user so it
>> >   made perfect sense to me :D
>> >
>> > Aaron
>> >
>> >
>> >> On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
>> >>>
>> >>> Aaron,
>> >>>
>> >>>     Thanks for the interest mate :) I believe that the best thing to do is:
>> >>>
>> >>>         * Create a new CA using openssl, add it to the repository
>> >>>         * Use that CA to create a new certificate that will be used
>> >>>           with spiderman
>> >>>         * Write a document here [0] about how to configure your
>> >>>           browser to use spiderman with the new CA/cert
>> >>>
>> >>>     Once that's done, we'll be able to worry about the migration to
>> >>> libmitmproxy
>> >>>
>> >>>     You can send me the code as pull-requests, a guide on how to do it
>> >>> is here:
>> >>>         https://github.com/andresriancho/w3af/wiki/Contributing-101
>> >>>
>> >>>     Let me know if you find issues in the document, potential
>> >>> improvements, etc. If you get stuck contact me on freenode IRC
>> >>> (__apr__ is my nickname on #w3af)
>> >>>
>> >>> [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
>> >>> [1] https://github.com/andresriancho/w3af/issues/1269
>> >>>
>> >>> On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy <atr...@gmail.com> wrote:
>> >>> > Bring it on Andres!  I'll be happy to help out with this!  Where do I
>> >>> > start?
>> >>> >
>> >>> >
>> >>> > On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
>> >>> >>
>> >>> >> Aaron,
>> >>> >>
>> >>> >>     Well, that's actually a very good question! I haven't used the
>> >>> >> spiderman proxy for years, and when I tried now (after reading your
>> >>> >> email) I realized that there is no CA being distributed with w3af. The
>> >>> >> certificate that w3af is using is at [0], but that's kind of useless to
>> >>> >> solve your problem.
>> >>> >>
>> >>> >>     A while ago, and without actually hitting this bug, I was on the
>> >>> >> right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
>> >>> >> will have low priority on my TODO list (see that I'm working on 1.6.1,
>> >>> >> a bug fix release, and [1] is in the 1.8 release).
>> >>> >>
>> >>> >>     If you're interested in working on this issue, I would gladly
>> >>> >> help/guide you through each step.
>> >>> >>
>> >>> >> [0] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
>> >>> >> [1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
>> >>> >>
>> >>> >> On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
>> >>> >> > Hi!  Is there a tutorial somewhere I can follow on how to set up the SSL
>> >>> >> > Certificate Authority (CA) for the spiderman plugin?  When I attempt to
>> >>> >> > manually browse my site via the spiderman proxy, I'm presented with the
>> >>> >> > "This connection is untrusted" dialog in Firefox and I'm not permitted to
>> >>> >> > the SSL pages.  For Metasploit, I used a certificate that it provided for me
>> >>> >> > and that worked beautifully for their framework.  Just curious if there's a
>> >>> >> > certificate I can install for w3af located somewhere that I can install for
>> >>> >> > spiderman or if I can get instructions on how to approach this problem with
>> >>> >> > w3af.
>> >>> >> >
>> >>> >> > Thanks!
>> >>> >> >
>> >>> >> > --
>> >>> >> > Aaron
>> >>> >> >
>> >>> >> >
>> >>> >> >
>> >>> >> >
>> >>> >> >
>> >>> >> > _______________________________________________
>> >>> >> > W3af-users mailing list
>> >>> >> > W3af-users@lists.sourceforge.net
>> >>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>> >>> >> >
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >> --
>> >>> >> Andrés Riancho
>> >>> >> Project Leader at w3af - http://w3af.org/
>> >>> >> Web Application Attack and Audit Framework
>> >>> >> Twitter: @w3af
>> >>> >> GPG: 0x93C344F3
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > --
>> >>> > Aaron
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Andrés Riancho
>> >>> Project Leader at w3af - http://w3af.org/
>> >>> Web Application Attack and Audit Framework
>> >>> Twitter: @w3af
>> >>> GPG: 0x93C344F3
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Aaron
>> >
>> >
>> >
>> > --
>> > Andrés Riancho
>> > Project Leader at w3af - http://w3af.org/
>> > Web Application Attack and Audit Framework
>> > Twitter: @w3af
>> > GPG: 0x93C344F3
>> >
>> >
>> >
>> > --
>> > Aaron
>> >
>> >
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>
>
>
> --
> Aaron



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
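
The procedure discussed in this thread (create a CA with openssl, then use it to sign a certificate for proxy.fake.w3af.org), sketched as an added example that is not part of the original messages or of w3af's code. File names, subject fields, key size and validity periods are assumptions.

```shell
#!/bin/sh
# Added illustration, not w3af's own tooling. File names, subject fields and
# validity periods are assumptions; only proxy.fake.w3af.org is from the thread.

make_proxy_pki() {
    dir=$1
    host=proxy.fake.w3af.org
    mkdir -p "$dir" || return 1

    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example w3af proxy CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

    # Leaf extensions: not a CA, TLS server use only, SAN carries the host name.
    cat > "$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 1. Self-signed CA certificate: the file users import into the browser.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Key and signing request for the certificate the proxy presents.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$dir/proxy.key" -out "$dir/proxy.csr" \
        2>/dev/null || return 1
    # 3. Sign the request with the CA key.
    openssl x509 -req -in "$dir/proxy.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/proxy.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/proxy.key"
}

# Succeeds only if the proxy certificate chains to the generated CA.
verify_proxy_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/proxy.crt" >/dev/null 2>&1
}
```

Only ca.crt is imported into the browser; anyone holding ca.key can issue certificates that browser will trust, so a CA whose key is published in a repository belongs in a dedicated testing profile.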
