Hi,

I'm new to w3af and am starting to get deeper into authentication. I use only two plugins: 
crawl->web_spider and auth->detailed. The current site is using a form in phpLogin.php. 
This does a JS redirect, so I use phpAccountSummary.php to verify whether the user was logged in 
successfully (searching there for "Log out").

This is the config for auth-detailed:
[auth.detailed]
username = pente...@mysystem.com
password = EGjv4gmj
username_field = txtUsername
password_field = txtPassword
auth_url = https://vsprovider2.de.mysystem.com/phpLogin.php?action=login
check_url = https://vsprovider2.de.mysystem.com/phpAccountSummary.php
check_string = Log out
data_format = %u=%U&%p=%P
follow_redirects = False
method = POST
url_encode_params = True


According to the website logs, login for user "Pentest Pentest" (ID 3) was successful 
several times:

2018-04-25 09:12:25     USER_LOGIN_SUCCESS      Pentest Pentest (3)
2018-04-25 09:12:20     USER_LOGIN_SUCCESS      Pentest Pentest (3)
2018-04-25 09:12:15     USER_LOGIN_SUCCESS      Pentest Pentest (3)


In the GUI log I get this:

[Mi 25 Apr 2018 09:12:25 CEST] Can't login into web application as 
pente...@mysystem.com/EGjv4gmj


In the console output (using GUI) of w3af I can find such entries:

GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code 
"200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
User "pente...@mysystem.com" is NOT logged into the application
POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with data: 
"txtUsername=pente...@mysystem.com&txtPassword=EGjv4gmj" returned HTTP code 
"200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code 
"200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
User "pente...@mysystem.com" is currently logged into the application
Login success for pente...@mysystem.com/EGjv4gmj
detailed._login() took 0.11s to run

(...many other spider entries...)

GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code 
"200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
User "pente...@mysystem.com" is NOT logged into the application

(...a few other spider entries...)

GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code 
"200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
User "pente...@mysystem.com" is currently logged into the application
Login success for pente...@mysystem.com/EGjv4gmj
detailed._login() took 0.18s to run

(...many other spider entries...)

GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code 
"200" (id=111,from_cache=0,grep=0,rtt=0.01,did=None)
User "pente...@mysystem.com" is NOT logged into the application
web_spider.discover(https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php)
web_spider is testing 
"https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
[web_spider] Crawling 
"https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
GET https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php returned HTTP code 
"302" (id=112,from_cache=0,grep=1,rtt=0.01,did=None)
web_spider.discover(uri="https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php")
 took 0.02s to run
POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with data: 
"txtUsername=pente...@mysystem.com&txtPassword=EGjv4gmj" returned HTTP code 
"200" (id=113,from_cache=0,grep=1,rtt=0.07,did=None)
GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code 
"200" (id=114,from_cache=0,grep=0,rtt=0.01,did=None)
User "pente...@mysystem.com" is NOT logged into the application
Can't login into web application as pente...@mysystem.com/EGjv4gmj

So these are very mixed results (sometimes success, sometimes not) and I do not 
know why it sometimes reports a successful login and sometimes does not.

According to the request navigator and the results for phpLogin.php there, login was 
always successful if w3af sent the correct login data by POST. I can see that 
phpAccountSummary.php delivered positive results sometimes.

Also, even if it was successful, it seems it does not spider the links found in 
phpAccountSummary.php. All the new links inside there are not listed in the 
URLs found.

I can see that w3af does not send the session cookie received during the first 
phpLogin.php all the time. It seems to forget sometimes. If not set, the webpage 
creates a new session ID and returns it. So the logged-in session is somehow lost. Why 
is it not always sending the session cookie? In Configuration->HTTP 
Config->Cookies, the ignore option is NOT set and the cookie_jar_file is empty. 
Anything to do here?

I'm a little bit lost now because the things I see do not seem logical to me at 
all :(

Best

Kukulkan
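
Added example, not part of the original message and not w3af code: a small parser for debug output in the format quoted above that pairs each check_url request with the logged-in state reported after it and flags the flips between login POSTs. The host, user, request ids and the function names `timeline` and `anomalies` are assumptions made for illustration.

```python
import re
# Constructed sample shaped like the quoted w3af output (made-up host, user, ids; wrapped lines joined).
SAMPLE_LOG = '''\
GET https://app.example/phpAccountSummary.php returned HTTP code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
User "tester" is NOT logged into the application
POST https://app.example/phpLogin.php?action=login with data: "txtUsername=tester&txtPassword=x" returned HTTP code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
GET https://app.example/phpAccountSummary.php returned HTTP code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
User "tester" is currently logged into the application
GET https://app.example/phpAccountSummary.php returned HTTP code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
User "tester" is NOT logged into the application
GET https://app.example/phpAccountSummary.php returned HTTP code "200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
User "tester" is currently logged into the application
'''
REQ = re.compile(r'^(GET|POST) (\S+) .*\(id=(\d+),')
STATE = re.compile(r'^User ".*" is (NOT|currently) logged into the application')

def timeline(log, check_path="/phpAccountSummary.php", login_path="/phpLogin.php"):
    """Return [(kind, request_id, logged_in)] for login POSTs and session checks."""
    events, pending = [], None
    for line in log.splitlines():
        m = REQ.match(line)
        if m:
            method, url, rid = m.group(1), m.group(2), int(m.group(3))
            if method == "POST" and login_path in url:
                events.append(("login", rid, None))
            # The state line for a session check follows its GET line.
            pending = rid if method == "GET" and check_path in url else None
            continue
        s = STATE.match(line)
        if s and pending is not None:
            events.append(("check", pending, s.group(1) == "currently"))
            pending = None
    return events

def anomalies(events):
    """Return (label, previous_check_id, check_id) for each suspicious state change."""
    found, prev_id, prev_ok, login_since = [], None, None, False
    for kind, rid, ok in events:
        if kind == "login":
            login_since = True
            continue
        if login_since and not ok:
            found.append(("login_not_effective", prev_id, rid))
        elif prev_ok is True and not ok:
            found.append(("session_lost", prev_id, rid))
        elif prev_ok is False and ok and not login_since:
            found.append(("regained_without_login", prev_id, rid))
        prev_id, prev_ok, login_since = rid, ok, False
    return found
```

A `session_lost` flip can come from a crawled logout link, server-side expiry or a request sent without the cookie, while `regained_without_login` points to check requests that carried different session cookies. The request ids in the result are the ones to compare in the request navigator.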
