Aaron,

On Wed, Apr 30, 2014 at 6:43 PM, Aaron Tracy <atr...@gmail.com> wrote:
> OK My first attempt at the security key has been created (I'll try to attach
> it here, not sure if the list will allow attachments). I had to create a
> pass key... I don't feel comfortable just posting the passcode here... so I
> need some way to let you know the pass code.

I believe it is safe to include it here, it will be a fake cert and CA anyways.

> While creating the key, I was not prompted to enter a domain for the
> "proxy.fake.w3af.org" not sure why the program doesn't require a domain...
> it doesn't mention anything about it in the tutorial I followed...

Well, once you create the CA, you need to use it to generate an SSL
certificate. Maybe you only created a CA?

> I've also included my updated config file. It wants to know the following
> required fields country, city, state, contact e-mail address. I wasn't sure
> what to put in there so I just fudged it and entered the information
> manually.
>
> I tested the certificate and it totally failed... anyone throw me a bone on
> what to try next?
>
> In addition, I made a feeble attempt at creating documentation for
> installing this certificate (mostly a cut/paste hack job from the Jmeter
> site) which will need to be updated after we can successfully use this
> certificate. It's sitting there as a PR to the w3af project.

Reviewed the PR :)

> On Wed, Apr 30, 2014 at 2:06 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>
>> OK, I'll work on generating a certificate. Quick concept question. I'm a
>> big JMeter user, and their latest build generates a local certificate on the
>> fly that is good for 7 days (set in a configuration file). The program
>> creates a certificate every time you hit start, but you really don't need to
>> add the certificate until your current one expires in 7 days.
>>
>> Now with that as a background, in w3af, I'm generating one certificate.
>> Will this certificate work for everyone that wants to use it, or will we
>> need to update w3af so it generates a new certificate on the fly like in
>> JMeter, or is generating one certificate version 1.0 of this process and the
>> dynamic certificate generation like version 2.0?
>>
>> (Here's the documentation section I'm referring to in JMeter in case you're
>> interested:
>> https://jmeter.apache.org/usermanual/component_reference.html#HTTP%28S%29_Test_Script_Recorder
>>
>> On Wed, Apr 30, 2014 at 12:51 PM, Andres Riancho
>> <andres.rian...@gmail.com> wrote:
>>>
>>> Aaron,
>>>
>>> Thanks for re-sending to the mailing list :) It really helps the
>>> community
>>>
>>> On Wed, Apr 30, 2014 at 3:21 PM, Aaron Tracy <atr...@gmail.com> wrote:
>>> > Hey Andres,
>>> >
>>> > I haven't set up a CA before, but google showed me the following
>>> > tutorial:
>>> >
>>> > https://codeghar.wordpress.com/2013/04/16/create-private-certificate-authority-on-linux/
>>> >
>>> > I installed openssl and it's working properly on my Mac, however,
>>> > before I go too far down this road, I wanted to get a peer review to
>>> > make sure I'm on the right track.
>>>
>>> Good call, I love peer review, hate spending time when I'm unsure.
>>>
>>> I believe you're on the right track: generating a CA with openssl
>>> and then create a new SSL certificate for the proxy to use.
>>>
>>> > If so, I'll need to have the caconfig.cnf file information
>>> > (see the website) for w3af... if I'm totally off track here, help me
>>> > get back on track :D
>>>
>>> Re: the caconfig.cnf, I would say that you can use the defaults.
>>>
>>> Please use the "proxy.fake.w3af.org" domain for the cert to generate.
>>>
>>> Something that would be nice to have is a README.rst file in the
>>> directory where this info will live, explaining how to generate new
>>> SSL certs, if they need, etc.
>>>
>>> > I'm logged into w3af on freenode as tracer2000... :D
>>>
>>> Ah, sorry, I've been offline these days (off-site)
>>>
>>> > Thanks for the Contributing 101 link :D I'm an avid github user so it
>>> > made perfect sense to me :D
>>> >
>>> > Aaron
>>> >
>>> >> On Tue, Apr 29, 2014 at 6:27 AM, Andres Riancho
>>> >> <andres.rian...@gmail.com> wrote:
>>> >>>
>>> >>> Aaron,
>>> >>>
>>> >>> Thanks for the interest mate :) I believe that the best thing to
>>> >>> do is:
>>> >>>
>>> >>> * Create a new CA using openssl, add it to the repository
>>> >>> * Use that CA to create a new certificate that will be used
>>> >>>   with spiderman
>>> >>> * Write a document here [0] about how to configure your
>>> >>>   browser to use spiderman with the new CA/cert
>>> >>>
>>> >>> Once that's done, we'll be able to worry about the migration to
>>> >>> libmitmproxy
>>> >>>
>>> >>> You can send me the code as pull-requests, a guide on how to do
>>> >>> it is here:
>>> >>> https://github.com/andresriancho/w3af/wiki/Contributing-101
>>> >>>
>>> >>> Let me know if you find issues in the document, potential
>>> >>> improvements, etc. If you get stuck contact me on freenode IRC
>>> >>> (__apr__ is my nickname on #w3af)
>>> >>>
>>> >>> [0] https://github.com/andresriancho/w3af/tree/master/doc/sphinx
>>> >>> [1] https://github.com/andresriancho/w3af/issues/1269
>>> >>>
>>> >>> On Mon, Apr 28, 2014 at 3:20 PM, Aaron Tracy <atr...@gmail.com>
>>> >>> wrote:
>>> >>> > Bring it on Andres! I'll be happy to help out with this! Where do
>>> >>> > I start?
>>> >>> >
>>> >>> > On Mon, Apr 28, 2014 at 7:34 AM, Andres Riancho
>>> >>> > <andres.rian...@gmail.com> wrote:
>>> >>> >>
>>> >>> >> Aaron,
>>> >>> >>
>>> >>> >> Well, that's actually a very good question! I haven't used the
>>> >>> >> spiderman proxy for years, and when I tried now (after reading
>>> >>> >> your email) I realized that there is no CA being distributed
>>> >>> >> with w3af. The certificate the w3af is using is at [0], but
>>> >>> >> that's kind of useless to solve your problem.
>>> >>> >>
>>> >>> >> A while ago, and without actually hitting this bug, I was on
>>> >>> >> the right path [1] to fixing it. Sadly, I'm not a spiderman
>>> >>> >> user, so this will have low priority on my TODO list (see that
>>> >>> >> I'm working on 1.6.1, a bug fix release, and [1] is in the 1.8
>>> >>> >> release).
>>> >>> >>
>>> >>> >> If you're interested in working on this issue, I would gladly
>>> >>> >> help/guide you through each step.
>>> >>> >>
>>> >>> >> [0] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/daemons/mitm.crt
>>> >>> >> [1] https://github.com/andresriancho/w3af/issues/1269#issuecomment-37559070
>>> >>> >>
>>> >>> >> On Wed, Apr 23, 2014 at 7:43 PM, Aaron Tracy <atr...@gmail.com>
>>> >>> >> wrote:
>>> >>> >> > Hi! Is there a tutorial somewhere I can follow on how to set
>>> >>> >> > up the SSL Certificate Authority (CA) for the spiderman
>>> >>> >> > plugin? When I attempt to manually browse my site via the
>>> >>> >> > spiderman proxy, I'm presented with the "This connection is
>>> >>> >> > untrusted" dialog in Firefox and I'm not permitted to the SSL
>>> >>> >> > pages. For Metasploit, I used a certificate that it provided
>>> >>> >> > for me and that worked beautifully for their framework. Just
>>> >>> >> > curious if there's a certificate I can install for w3af
>>> >>> >> > located somewhere that I can install for spiderman or if I can
>>> >>> >> > get instructions on how to approach this problem with w3af.
>>> >>> >> >
>>> >>> >> > Thanks!
>>> >>> >> > --
>>> >>> >> > Aaron
>>> >>> >> >
>>> >>> >> > _______________________________________________
>>> >>> >> > W3af-users mailing list
>>> >>> >> > W3af-users@lists.sourceforge.net
>>> >>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>>> >>> >>
>>> >>> >> --
>>> >>> >> Andrés Riancho
>>> >>> >> Project Leader at w3af - http://w3af.org/
>>> >>> >> Web Application Attack and Audit Framework
>>> >>> >> Twitter: @w3af
>>> >>> >> GPG: 0x93C344F3
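The steps Andres lays out in this thread (create a CA with openssl, use that CA to issue a certificate for proxy.fake.w3af.org, then check the result before pointing a browser at the proxy) as an added shell example. This is not code from w3af or from the attachments discussed above; the output directory, the file names, the two minimal openssl config files it writes in place of caconfig.cnf, and the decision to generate the keys without a passphrase (fake test material, as agreed in the thread) are all assumptions of this example. It also covers the "maybe you only created a CA?" mix-up: cert_is_ca tells a CA certificate from a leaf, and cert_has_dns_san checks that the domain actually ended up in the certificate.

```shell
#!/bin/sh
# Added example, not part of w3af or of the attachments in this thread.
# Builds a throwaway private CA with openssl, issues a certificate for
# proxy.fake.w3af.org signed by it, and checks the result the way a browser
# would once the CA is trusted. File names, the output directory and the
# two minimal config files are assumptions made for this example.
set -eu

# Write the two openssl config files. Assumed layout: one for the CA's
# self-signed request, one for the leaf request and its extensions.
write_configs() {
    outdir="$1"; domain="$2"
    cat > "$outdir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = w3af fake CA (example)
O = w3af
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$outdir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $domain
O = w3af
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$domain
EOF
}

# make_proxy_cert OUTDIR DOMAIN DAYS
# Step 1: CA key + self-signed CA cert.  Step 2: leaf key + CSR for DOMAIN
# (this is the step where the proxy's domain is entered; creating only the
# CA never asks for it).  Step 3: sign the CSR with the CA, stamping the
# leaf extensions on the result.  -nodes: no passphrase, fake material only.
make_proxy_cert() {
    outdir="${1:-./fake-ca}"; domain="${2:-proxy.fake.w3af.org}"; days="${3:-3650}"
    mkdir -p "$outdir"
    write_configs "$outdir" "$domain"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -config "$outdir/ca.cnf" -keyout "$outdir/ca.key" -out "$outdir/ca.crt"
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$outdir/leaf.cnf" -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr"
    openssl x509 -req -sha256 -days "$days" -in "$outdir/$domain.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/leaf.cnf" -extensions leaf_ext -out "$outdir/$domain.crt"
}

# cert_is_ca CERT: true if the certificate carries basicConstraints CA:TRUE,
# i.e. it is a CA certificate and not the leaf the proxy should present.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_has_dns_san CERT DOMAIN: true if DOMAIN is in the subjectAltName,
# which is what browsers match the URL's host against.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# verify_chain CA_CERT LEAF_CERT: true if LEAF_CERT validates against CA_CERT,
# the same check a browser performs once CA_CERT is in its trust store.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Stand-alone usage: sh make_fake_ca.sh ./fake-ca proxy.fake.w3af.org 3650
if [ "$#" -gt 0 ]; then
    make_proxy_cert "$@"
    cert_is_ca "$1/ca.crt" && echo "ca.crt is a CA certificate"
    verify_chain "$1/ca.crt" "$1/${2:-proxy.fake.w3af.org}.crt" && echo "leaf cert chains to ca.crt"
fi
```

The third argument is the validity in days, which is the knob behind the JMeter question above: a certificate that is regenerated on every start can live 7 days, while one committed to the repository for everyone to import needs a long validity so users are not asked to re-import it. Only ca.crt is what a user imports into the browser's authorities store; ca.key must never be distributed in a real deployment, and here it is only acceptable because the CA is explicitly fake.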