Daniel,

Just guessing, but I believe that the problem is here:

set data_format username=admin&password=password&csrfmiddlewaretoken=blahblahblah

Specifically, the csrfmiddlewaretoken value will change each time w3af is run against your site, BUT will be kept static in the configuration. The solution would be to set an HTTP headers file with the same value. Haven't tested it, but it should look like this in w3af:

http-settings
set headers_file /tmp/django-headers.txt
back

And the file should contain:

Cookie: csrfmiddlewaretoken=blahblahblah

The cookie name might be different (not sure). The "blahblahblah" in both places should be replaced by a valid value in Django.

Let me know how that goes, I'm interested in knowing :)

Regards,

On Fri, Jul 18, 2014 at 6:12 PM, Daniel Park <sudoco...@ymail.com> wrote:
> Oh here is my w3af script for reference:
> dpaste: 19YPJWG
>
> Thanks,
> Daniel
>
> On Friday, July 18, 2014 2:10 PM, Daniel Park <sudoco...@ymail.com> wrote:
>
> Hello,
>
> I'm trying to log in to a Django app using w3af_console. I'm able to see a
> sessionid cookie in the console output, but it seems like w3af is not saving
> it to the cookies.txt. So after I'm able to POST and get back a session id
> cookie, I can't seem to access any secured URLs and get redirected back to the
> login page.
>
> How can I configure w3af to save the session cookies?
>
> Thanks,
> Daniel
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
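Added example (editor's note, not code from the thread or from the w3af project): Django's CSRF check only passes when the csrfmiddlewaretoken POST field and the CSRF cookie (named csrftoken by default in Django; Andrés's reply guessed at the name) come from the same fresh response, which is why a token pasted into a static w3af script stops working on the next run. The helper below pulls that pair out of a login-page response and produces the two strings the reply describes: the contents of the headers_file and the data_format value for the auth plugin. The login page HTML and Set-Cookie header are constructed samples, not real captures; fetching the page and writing the file to the path given to `set headers_file` is left to the caller.

```python
"""Refresh the Django CSRF token pair before a w3af scan (added example)."""
import re
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed sample of a Django login page response (not a real capture).
SAMPLE_LOGIN_HTML = """<html><body>
<form method="post" action="/accounts/login/">
  <input type='hidden' name='csrfmiddlewaretoken' value='k7Qm2ZpD1vXc9LbR4tWy0NsE8uHfGjA3' />
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>"""

# Constructed Set-Cookie header in the shape Django's CsrfViewMiddleware sends.
SAMPLE_SET_COOKIE = "csrftoken=k7Qm2ZpD1vXc9LbR4tWy0NsE8uHfGjA3; Max-Age=31449600; Path=/"

INPUT_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def extract_form_token(html):
    """Return the value of the hidden csrfmiddlewaretoken input, or None.

    Attribute order and quoting style vary between templates, so each <input>
    tag is parsed into a dict instead of matching one fixed layout.
    """
    for tag in INPUT_RE.findall(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag):
            attrs[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
        if attrs.get("name") == "csrfmiddlewaretoken":
            return attrs.get("value")
    return None


def extract_cookie(set_cookie_header, name="csrftoken"):
    """Return the value of cookie `name` from a Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    return morsel.value if morsel else None


def build_w3af_config(form_token, cookie_value, username, password, cookie_name="csrftoken"):
    """Build the headers_file contents and the data_format value.

    Both values must come from the same login-page response. In the Django
    releases of the thread's era the form token equals the cookie value; in
    later releases the form token is a masked form of the cookie, so the two
    are deliberately not compared here.
    """
    headers_file = "Cookie: %s=%s\n" % (cookie_name, cookie_value)
    data_format = urlencode(
        {"username": username, "password": password, "csrfmiddlewaretoken": form_token}
    )
    return headers_file, data_format


def refresh_from_response(html, set_cookie_header, username, password):
    """One call per scan: extract the fresh pair and render both w3af values."""
    form_token = extract_form_token(html)
    cookie_value = extract_cookie(set_cookie_header)
    if form_token is None or cookie_value is None:
        raise ValueError("login page did not carry a CSRF form token and cookie")
    return build_w3af_config(form_token, cookie_value, username, password)


if __name__ == "__main__":
    headers, data = refresh_from_response(SAMPLE_LOGIN_HTML, SAMPLE_SET_COOKIE, "admin", "password")
    # Write `headers` to the path passed to `set headers_file` and paste `data`
    # into `set data_format` before each run.
    print(headers, end="")
    print(data)
```

Run it against the real login page response right before starting w3af; because Django issues a new token pair whenever the csrftoken cookie is absent, the output is only valid for the scan that uses it.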