Sorry for the very late response, I was offline.

The framework's blacklist should take care of blocking all requests
to any URL you specify in the blacklist. I haven't tested your
specific case, but I don't see why it wouldn't work [0].

If you want to see this fixed, please send me an easy way to reproduce it:
    * A w3af script with an online target
    * A failing unittest written in python like [1]

[0] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/url/handlers/blacklist.py#L58
[1] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/url/handlers/tests/test_blacklist.py

On Wed, May 21, 2014 at 2:54 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
> Hi,
> Okay. The target application is heavily dynamic (JSP), so I selected the
> following way of scanning:
> I want to scan an authenticated part of the application.
> 1. I log in and export my cookie.
> 2. I created a profile which performs various testing, but main source
> of URLs is spider_man, because of technology in use.
> This profile uses exported cookie for maintaining session.
> But whenever anyone who has a valid session cookie visits
> xxx.xxx.xxx.xxx/, the cookie is invalidated, so my scan returns no
> interesting results after that.
> For example, the session breaks, probably after the phpinfo plugin visits:
> xxx.xxx.xxx.xxx/?mode=phpinfo
> I simply want to blacklist this individual URL:
> xxx.xxx.xxx.xxx/
>
> Or is there any other way of doing an authenticated scan under these conditions?
> Thanks,
> Vojta
> On 20.5.2014 21:42, Andres Riancho wrote:
>> Vojtech,
>>
>>     Please read inline,
>>
>> On Tue, May 20, 2014 at 4:41 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>> Hi,
>>> I am scanning a web application which is quite dynamic.
>>> I have to use spider_man to walk through it. There is one problem:
>>> whenever anyone tries to access its root URL (http://xxx.xxx.xxx.xxx/),
>>> it is redirected to a login form and therefore the current cookie loses its
>>> validity.
>>> Is there any possibility to prevent every plugin from scanning this URL?
>>     Well... I believe you've found a rather strange bug. Let me better
>> understand:
>>         * What's the target you're setting for the scan?
>>         * Which URL is going into the blacklist?
>>
>>
>>> I added it to the ignored URLs in misc settings, but it doesn't help.
>>> Thanks,
>>> Vojta
>>>
>>
>>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
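The thread turns on what "blacklisting xxx.xxx.xxx.xxx/" actually matches: the root URL alone, or every request to the root path including "?mode=phpinfo". The following is an added illustration, not w3af's own blacklist handler, of a URL blacklist that canonicalises URLs before comparing them and shows the difference between exact matching and matching that ignores the query string; the hostname and request list are constructed from the placeholders in the thread.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url, keep_query=True):
    """Canonicalise a URL so trivially different spellings compare equal:
    add a missing scheme, lowercase scheme and host, drop the default port,
    default the path to '/', and optionally strip the query string."""
    url = url.strip()
    if "://" not in url:  # entries such as 'xxx.xxx.xxx.xxx/' carry no scheme
        url = "http://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path or "/"
    query = parts.query if keep_query else ""
    return urlunsplit((scheme, netloc, path, query, ""))


def is_blacklisted(url, blacklist, ignore_query=False):
    """True if the normalised URL equals a normalised blacklist entry.
    With ignore_query=True an entry 'host/' also covers 'host/?mode=phpinfo'."""
    target = normalize(url, keep_query=not ignore_query)
    return any(normalize(e, keep_query=not ignore_query) == target for e in blacklist)


def filter_requests(urls, blacklist, ignore_query=False):
    """Split planned request URLs into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for u in urls:
        (blocked if is_blacklisted(u, blacklist, ignore_query) else allowed).append(u)
    return allowed, blocked


# Constructed sample: the thread's blacklist entry plus requests a crawler or plugin might send
BLACKLIST = ["xxx.xxx.xxx.xxx/"]
REQUESTS = [
    "http://xxx.xxx.xxx.xxx/",
    "http://XXX.xxx.xxx.xxx:80/",            # same resource, different spelling
    "http://xxx.xxx.xxx.xxx/?mode=phpinfo",  # the request that invalidated the session
    "http://xxx.xxx.xxx.xxx/app/index.jsp",
]

if __name__ == "__main__":
    print("exact match:", filter_requests(REQUESTS, BLACKLIST))
    print("ignoring query:", filter_requests(REQUESTS, BLACKLIST, ignore_query=True))
```

With exact matching the root entry blocks only the two spellings of "/" and lets the phpinfo request through, which is the behaviour the user observed; either the entry must include the query string or the comparison must ignore it.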

_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
