Aaron,

On Wed, Apr 30, 2014 at 6:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
> OK My first attempt at the security key has been created (I'll try to attach
> it here, not sure if the list will allow attachments).  I had to create a
> pass key... I don't feel comfortable just posting the passcode here... so I
> need some way to let you know the pass code.

I believe it is safe to include it here, it will be a fake cert and CA anyways.

> While creating the key, I was not prompted to enter a domain for the
> "proxy.fake.w3af.org" not sure why the program doesn't require a domain...
> it doesn't mention anything about it in the tutorial I followed...

Well, once you create the CA, you need to use it to generate an SSL
certificate. Maybe you only created a CA?

> I've also included my updated config file.  It wants to know the following
> required fields country, city, state, contact e-mail address.  I wasn't sure
> what to put in there so I just fudged it and entered the information
> manually.
>
> I tested the certificate and it totally failed... anyone throw me a bone on
> what to try next?
>
>   In addition, I made a feeble attempt at creating documentation for
> installing this certificate (mostly a cut/paste hack job from the Jmeter
> site) which will need to be updated after we can successfully use this
> certificate.  It's sitting there as a PR to the w3af project.

Reviewed the PR :)

>
>
>
> On Wed, Apr 30, 2014 at 2:06 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>
>> OK, I'll work on generating a certificate.  Quick concept question. I'm a
>> big JMeter user, and their latest build generates a local certificate on the
>> fly that is good for 7 days (set in a configuration file).  The program
>> creates a certificate every time you hit start, but you really don't need to
>> add the certificate until your current one expires in 7 days.
>>
>> Now with that as a background, in w3af, I'm generating one certificate.
>> Will this certificate work for everyone that wants to use it, or will we
>> need to update w3af so it generates a new certificate on the fly like in
>> JMeter, or is generating one certificate version 1.0 of this process and the
>> dynamic certificate generation like version 2.0?
>>
>> (Here's the documentation section I'm referring to in JMeter in case you're
>> interested:
>>
>> https://jmeter.apache.org/usermanual/component_reference.html#HTTP%28S%29_Test_Script_Recorder
>>
>>
>>
>> On Wed, Apr 30, 2014 at 12:51 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>>
>>> Aaron,
>>>
>>>     Thanks for re-sending to the mailing list :) It really helps the
>>> community
>>>
>>> On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> >  Hey Andres,
>>> >
>>> >    I haven't set up a CA before, but google showed me the following
>>> > tutorial:
>>> >
>>> > https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
>>> >
>>> >   I installed openssl and it's working properly on my Mac, however,
>>> > before I go too far down this road, I wanted to get a peer review to
>>> > make sure I'm on the right track.
>>>
>>>     Good call, I love peer review, hate spending time when I'm unsure.
>>>
>>>     I believe you're on the right track: generating a CA with openssl
>>> and then creating a new SSL certificate for the proxy to use.
>>>
>>> >  If so, I'll need to have the caconfig.cnf file information
>>> >   (see the website) for w3af... if I'm totally off track here, help me
>>> > get back on track :D
>>>
>>>     Re: the caconfig.cnf, I would say that you can use the defaults.
>>>
>>>     Please use the "proxy.fake.w3af.org" domain for the cert to generate.
>>>
>>>     Something that would be nice to have is a README.rst file in the
>>> directory where this info will live, explaining how to generate new
>>> SSL certs if needed, etc.
>>>
>>> >    I'm logged into w3af on freenode as tracer2000... :D
>>>
>>>     Ah, sorry, I've been offline these days (off-site)
>>>
>>> >    Thanks for the Contributing 101 link :D I'm an avid github user so
>>> > it made perfect sense to me :D
>>> >
>>> > Aaron
>>> >
>>> >
>>> >> On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>> >>>
>>> >>> Aaron,
>>> >>>
>>> >>>     Thanks for the interest mate :) I believe that the best thing to
>>> >>> do is:
>>> >>>
>>> >>>         * Create a new CA using openssl, add it to the repository
>>> >>>         * Use that CA to create a new certificate that will be used
>>> >>> with spiderman
>>> >>>         * Write a document here [0] about how to configure your
>>> >>> browser to use spiderman with the new CA/cert
>>> >>>
>>> >>>     Once that's done, we'll be able to worry about the migration to
>>> >>> libmitmproxy
>>> >>>
>>> >>>     You can send me the code as pull-requests, a guide on how to do it
>>> >>> is here:
>>> >>>         https://github.com/andresriancho/w3af/wiki/Contributing-101
>>> >>>
>>> >>>     Let me know if you find issues in the document, potential
>>> >>> improvements, etc. If you get stuck contact me on freenode IRC
>>> >>> (__apr__ is my nickname on #w3af)
>>> >>>
>>> >>> [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
>>> >>> [1] https://github.com/andresriancho/w3af/issues/1269
>>> >>>
>>> >>> On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> >>> > Bring it on Andres!  I'll be happy to help out with this!  Where do
>>> >>> > I start?
>>> >>> >
>>> >>> >
>>> >>> > On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
>>> >>> >>
>>> >>> >> Aaron,
>>> >>> >>
>>> >>> >>     Well, that's actually a very good question! I haven't used the
>>> >>> >> spiderman proxy for years, and when I tried now (after reading your
>>> >>> >> email) I realized that there is no CA being distributed with w3af.
>>> >>> >> The certificate w3af is using is at [0], but that's kind of useless
>>> >>> >> to solve your problem.
>>> >>> >>
>>> >>> >>     A while ago, and without actually hitting this bug, I was on the
>>> >>> >> right path [1] to fixing it. Sadly, I'm not a spiderman user, so this
>>> >>> >> will have low priority on my TODO list (see that I'm working on 1.6.1,
>>> >>> >> a bug fix release, and [1] is in the 1.8 release).
>>> >>> >>
>>> >>> >>     If you're interested in working on this issue, I would gladly
>>> >>> >> help/guide you through each step.
>>> >>> >>
>>> >>> >> [0] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
>>> >>> >> [1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
>>> >>> >>
>>> >>> >> On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> >>> >> > Hi!  Is there a tutorial somewhere I can follow on how to set up
>>> >>> >> > the SSL Certificate Authority (CA) for the spiderman plugin?  When
>>> >>> >> > I attempt to manually browse my site via the spiderman proxy, I'm
>>> >>> >> > presented with the "This connection is untrusted" dialog in Firefox
>>> >>> >> > and I'm not permitted to access the SSL pages.  For Metasploit, I
>>> >>> >> > used a certificate that it provided for me and that worked
>>> >>> >> > beautifully for their framework.  Just curious if there's a
>>> >>> >> > certificate I can install for w3af located somewhere that I can
>>> >>> >> > install for spiderman or if I can get instructions on how to
>>> >>> >> > approach this problem with w3af.
>>> >>> >> >
>>> >>> >> > Thanks!
>>> >>> >> >
>>> >>> >> > --
>>> >>> >> > Aaron
>>> >>> >> >
>>> >>> >> >
>>> >>> >> >
>>> >>> >> >
>>> >>> >> >
>>> >>> >> > _______________________________________________
>>> >>> >> > W3af-users mailing list
>>> >>> >> > W3af-users@lists.sourceforge.net
>>> >>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>>> >>> >> >
>>> >>> >>
>>> >>> >>
>>> >>> >>
>>> >>> >> --
>>> >>> >> Andrés Riancho
>>> >>> >> Project Leader at w3af - http://w3af.org/
>>> >>> >> Web Application Attack and Audit Framework
>>> >>> >> Twitter: @w3af
>>> >>> >> GPG: 0x93C344F3
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> > --
>>> >>> > Aaron
>>> >>>
>>> >>>
>>> >>>
>>> >>> --
>>> >>> Andrés Riancho
>>> >>> Project Leader at w3af - http://w3af.org/
>>> >>> Web Application Attack and Audit Framework
>>> >>> Twitter: @w3af
>>> >>> GPG: 0x93C344F3
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Aaron
>>> >
>>> >
>>> >
>>> > --
>>> > Andrés Riancho
>>> > Project Leader at w3af - http://w3af.org/
>>> > Web Application Attack and Audit Framework
>>> > Twitter: @w3af
>>> > GPG: 0x93C344F3
>>> >
>>> >
>>> >
>>> > --
>>> > Aaron
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>>
>>
>> --
>> Aaron
>
>
>
>
> --
> Aaron



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
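
The procedure this thread converges on (create a CA with openssl, use that CA to sign a certificate for proxy.fake.w3af.org, and check the result before importing anything into a browser), written out as an added shell example. This is not w3af project code and not the tutorial Aaron followed; the file names, the CA subject, the placeholder C/O fields, the RSA-2048 keys and the ten-year/one-year lifetimes are all assumptions. The CA key is left unencrypted only because this CA is a fake that never protects anything real. Note where the domain is entered: it goes into the certificate signing request for the proxy, which is why creating the CA alone never asks for it.

```shell
#!/bin/sh
# Added example, not w3af project code: a throwaway CA plus a proxy certificate
# for proxy.fake.w3af.org, built with plain openssl commands.
# Assumptions: file names, subject fields, lifetimes and RSA-2048 keys.
set -eu

# Write the minimal openssl config the CA needs. The [v3_ca] section is what makes
# the root usable as an issuer; a self-signed cert without CA:TRUE fails verification.
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
C  = US
O  = w3af fake CA
CN = w3af fake CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA (ca.key/ca.crt), then a key and CSR for the proxy host, then sign
# the CSR with the CA. $1 = working directory, $2 = proxy hostname (the CN).
make_ca_and_cert() {
    dir="$1"
    cn="$2"
    mkdir -p "$dir"
    write_ca_config "$dir"

    # Self-signed root. -nodes leaves ca.key unencrypted, acceptable only because
    # this CA is fake and exists solely to be imported into a browser for proxying.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # Proxy key + CSR. This is where the domain is entered: it becomes the CN of
    # the request (via -subj here; an interactive run prompts for it), not of the CA.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$dir/ca.cnf" -subj "/C=US/O=w3af/CN=$cn" \
        -keyout "$dir/proxy.key" -out "$dir/proxy.csr" >/dev/null 2>&1

    # Extensions for the leaf: browsers match the host against subjectAltName, and
    # the leaf must be explicitly marked as not-a-CA.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$cn" > "$dir/proxy.ext"

    # Sign the CSR with the CA key; -CAcreateserial starts ca.srl for this CA.
    openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/proxy.ext" \
        -out "$dir/proxy.crt" >/dev/null 2>&1
}

# The check to run before touching a browser: the leaf must chain to ca.crt and
# must name the proxy host in both the subject CN and the SAN. Returns 0 on success.
verify_proxy_cert() {
    dir="$1"
    cn="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/proxy.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/proxy.crt" -noout -subject | grep -q "CN *= *$cn" || return 1
    openssl x509 -in "$dir/proxy.crt" -noout -text | grep -q "DNS:$cn" || return 1
    return 0
}

# Usage: build everything in a scratch directory and report the outcome.
workdir="$(mktemp -d)"
make_ca_and_cert "$workdir" proxy.fake.w3af.org
if verify_proxy_cert "$workdir" proxy.fake.w3af.org; then
    echo "OK: $workdir/proxy.crt chains to $workdir/ca.crt and names proxy.fake.w3af.org"
else
    echo "FAILED: inspect $workdir" >&2
fi
```

Only ca.crt is what a browser imports as a trusted authority; ca.key stays with whoever issues certificates, and the proxy itself is configured with proxy.key and proxy.crt. If `openssl verify` reports `invalid CA certificate`, the root was created without basicConstraints CA:TRUE, which is exactly what the [v3_ca] section supplies and what a bare "create a CA" tutorial step can leave out.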
