Daniel,

    Just guessing, but I believe that the problem is here:

        set data_format
username=admin&password=password&csrfmiddlewaretoken=blahblahblah

    Specifically, the csrfmiddlewaretoken value will change each
time w3af is run against your site, BUT it will be kept static in the
configuration. The solution would be to set an HTTP headers file with
the same value. I haven't tested it, but it should look like this in
w3af:

http-settings
set headers_file /tmp/django-headers.txt
back

    And the file should contain:

Cookie: csrfmiddlewaretoken=blahblahblah

    The cookie name might be different (not sure). The "blahblahblah"
in both places should be replaced by a valid value in Django.

    Let me know how that goes, I'm interested in knowing :)

Regards,

On Fri, Jul 18, 2014 at 6:12 PM, Daniel Park <sudoco...@ymail.com> wrote:
> Oh here is my w3af script for reference:
> dpaste: 19YPJWG
>
> Thanks,
> Daniel
>
>
> On Friday, July 18, 2014 2:10 PM, Daniel Park <sudoco...@ymail.com> wrote:
>
>
> Hello,
>
> I'm trying to login into a Django app using w3af_console. I'm able to see a
> sessionid cookie in the console output, but it seems like w3af is not saving
> it to the cookies.txt. So after I'm able to POST and get back a session id
> cookie, I can't seem access any secured URL's and get redirected back to the
> login page.
>
> How can I configure w3af to save the session cookies?
>
> Thanks,
> Daniel
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
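A worked version of the suggestion above, added here and not part of the thread or of w3af itself: it pulls Django's CSRF cookie out of the login page's Set-Cookie headers, derives a matching data_format string and headers_file line from that one value, models Django's cookie-versus-form comparison (which is why a stale static token gets the POST rejected), and formats the returned sessionid as a Netscape cookies.txt line. It assumes Django's default cookie name csrftoken (the thread leaves the name open) and uses made-up cookie values.

```python
import hmac
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample Set-Cookie headers, as a Django login page returns
# them on the initial GET. Both values are made up for this example.
SAMPLE_SET_COOKIES = [
    "csrftoken=EXAMPLEtoken1234567890abcdef1234; Max-Age=31449600; Path=/",
    "sessionid=EXAMPLEsessionvalue0123456789abc; HttpOnly; Path=/",
]


def extract_cookie(set_cookie_headers, name):
    """Return the value of cookie `name` from a list of Set-Cookie headers, else None."""
    for header in set_cookie_headers:
        match = re.match(r"\s*([^=;\s]+)=([^;]*)", header)
        if match and match.group(1) == name:
            return match.group(2)
    return None


def build_w3af_login(set_cookie_headers, username, password, cookie_name="csrftoken"):
    """Build w3af's data_format string and headers_file contents from the live
    CSRF cookie, so the form token and the Cookie header carry the same value."""
    token = extract_cookie(set_cookie_headers, cookie_name)
    if token is None:
        raise ValueError(f"no {cookie_name} cookie in the login page response")
    data_format = urlencode(
        {"username": username, "password": password, "csrfmiddlewaretoken": token}
    )
    headers_file = f"Cookie: {cookie_name}={token}\n"
    return data_format, headers_file


def django_csrf_check(form_body, cookie_header, cookie_name="csrftoken"):
    """Simplified model of Django's CSRF check: the csrfmiddlewaretoken form
    field must equal the CSRF cookie value (compared in constant time)."""
    form_token = parse_qs(form_body).get("csrfmiddlewaretoken", [""])[0]
    cookies = cookie_header.split(":", 1)[1] if ":" in cookie_header else cookie_header
    cookie_token = extract_cookie([c.strip() for c in cookies.split(";")], cookie_name)
    return cookie_token is not None and hmac.compare_digest(form_token, cookie_token)


def netscape_cookie_line(domain, name, value, path="/", secure=False, expires=0):
    """One line of a Netscape-format cookies.txt file (the format w3af reads):
    domain, include-subdomains flag, path, secure flag, expiry epoch, name, value."""
    secure_flag = "TRUE" if secure else "FALSE"
    return "\t".join([domain, "FALSE", path, secure_flag, str(expires), name, value])
```

Feed the data_format string to `set data_format` and write the headers_file string to the path given to `set headers_file`; the sessionid line goes under a `# Netscape HTTP Cookie File` header in the cookies file.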
