Kukulkan,

    Answers inline,

On Wed, Apr 25, 2018 at 4:33 AM, Volker Schmid <volker.sch...@regify.com> wrote:
> Hi,
>
> I'm new to w3af and start to get deeper into authentication. I use only two
> PlugIns: crawl->web_spider and auth->detailed. The current site is using a
> form in phpLogin.php. This is doing a JS redirect so I use
> phpAccountSummary.php to verify if user was logged in successfully (searching
> there for "Log out").
>
> This is the config for auth-detailed:
> [auth.detailed]
> username = pente...@mysystem.com
> password = EGjv4gmj
> username_field = txtUsername
> password_field = txtPassword
> auth_url = https://vsprovider2.de.mysystem.com/phpLogin.php?action=login
> check_url = https://vsprovider2.de.mysystem.com/phpAccountSummary.php
> check_string = Log out
> data_format = %u=%U&%p=%P
> follow_redirects = False
> method = POST
> url_encode_params = True
>
>
> Due to the website logs, login for user "Pentest Pentest" (ID 3) was
> successful several times:
>
> 2018-04-25 09:12:25     USER_LOGIN_SUCCESS      Pentest Pentest (3)
> 2018-04-25 09:12:20     USER_LOGIN_SUCCESS      Pentest Pentest (3)
> 2018-04-25 09:12:15     USER_LOGIN_SUCCESS      Pentest Pentest (3)
>
>
> In the GUI log I get this:
>
> [Mi 25 Apr 2018 09:12:25 CEST] Can't login into web application as
> pente...@mysystem.com/EGjv4gmj
>
> In the console output (using GUI) of w3af I can find such entries:
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pente...@mysystem.com&txtPassword=EGjv4gmj" returned HTTP
> code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
> User "pente...@mysystem.com" is currently logged into the application
> Login success for pente...@mysystem.com/EGjv4gmj
> detailed._login() took 0.11s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pente...@mysystem.com" is NOT logged into the application

Maybe the web_spider is following the logout link, which is
invalidating the session?

You should ignore logout URLs when doing auth scans.

> (...a few other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pente...@mysystem.com" is currently logged into the application
> Login success for pente...@mysystem.com/EGjv4gmj
> detailed._login() took 0.18s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=111,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> web_spider.discover(https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php)
> web_spider is testing
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php";
> [web_spider] Crawling
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php";
> GET https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php returned
> HTTP code "302" (id=112,from_cache=0,grep=1,rtt=0.01,did=None)
> web_spider.discover(uri="https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php";)
> took 0.02s to run
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pente...@mysystem.com&txtPassword=EGjv4gmj" returned HTTP
> code "200" (id=113,from_cache=0,grep=1,rtt=0.07,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=114,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pente...@mysystem.com" is NOT logged into the application
> Can't login into web application as pente...@mysystem.com/EGjv4gmj
>
> So these are very mixed results (sometimes success, sometimes not) and I do
> not know why it sometimes reports a successful login and sometimes it does
> not?
>
> Due to the request navigator and the results to phpLogin.php there, login
> was always successful if w3af sent the correct login data by POST. I can see
> that phpAccountSummary.php delivered positive results sometimes.
>
> Also, even if it was successful, it seems it does not spider the links found
> in phpAccountSummary.php. All the new links inside there are not listed in
> the URLs found.

Yeah, that could be because of the JavaScript redirect. Maybe try to
set phpAccountSummary.php in the w3af target configuration?

> I can see that w3af does not send the session cookie received during the
> first phpLogin.php all the time. It seems to forget sometimes. If not set,
> the webpage creates a new sessionid and returns it. So the logged in session
> is somehow lost. Why is it not always sending the session cookie? In
> Configuration->HTTP Config->Cookies, the ignore option is NOT set and the
> cookie_jar_file is empty. Anything to do here?

No, let's try the things I recommended above; if that doesn't work
we'll try giving w3af a cookie via config/http/cookies.

> I'm a little bit lost now because the things I see seem not logical to me at
> all :(
>
> Best
>
> Kukulkan
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
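The failure mode Andrés points at (the spider following the logout link and invalidating the session, so the next check of phpAccountSummary.php reports "NOT logged in") can be reproduced offline. The following is an added example, not w3af code and not from either poster. It models a constructed in-memory site with the page names from the thread, a client that mimics the auth.detailed cycle visible in the log (GET check_url, look for check_string, POST the form if it is missing, check again), and a crawler that re-checks the session before every request. The expansion of data_format's %u/%U/%p/%P placeholders as field name / field value is assumed from the posted config, the credentials are placeholders, and the site's behaviour (JS redirect on login, 302 from phpCreateRegifyLocal.php, a fresh logged-out session whenever the cookie is missing) is constructed to mirror what the thread describes.

```python
import re
from urllib.parse import parse_qs, quote_plus

# Constructed placeholder credentials, not the ones from the thread.
USERNAME = "pentest@example.com"
PASSWORD = "example-password"

# Settings taken from the thread's [auth.detailed] section, with paths
# instead of full URLs so they work against the in-memory site below.
CONFIG = {
    "username": USERNAME, "password": PASSWORD,
    "username_field": "txtUsername", "password_field": "txtPassword",
    "auth_url": "/phpLogin.php", "check_url": "/phpAccountSummary.php",
    "check_string": "Log out", "data_format": "%u=%U&%p=%P",
    "url_encode_params": True,
}


class FakeSite:
    """Constructed stand-in for the site: cookie sessions, a login form that
    answers with a JS redirect, an account page linking to a logout URL."""

    def __init__(self):
        self.sessions = {}   # PHPSESSID -> logged-in username, or None
        self.logouts = 0

    def request(self, method, path, cookies, data=None):
        """Return (status, body, cookies). A missing or unknown cookie gets a
        fresh, logged-out session, which is what the poster observed."""
        sid = cookies.get("PHPSESSID")
        if sid not in self.sessions:
            sid = "sid%d" % (len(self.sessions) + 1)
            self.sessions[sid] = None
        cookies = {**cookies, "PHPSESSID": sid}
        if path == "/phpLogin.php" and method == "POST":
            fields = {k: v[0] for k, v in parse_qs(data).items()}
            if (fields.get("txtUsername"), fields.get("txtPassword")) == (USERNAME, PASSWORD):
                self.sessions[sid] = USERNAME
            # JS redirect: the login response itself never carries check_string.
            return 200, "<script>location='/phpAccountSummary.php'</script>", cookies
        if path == "/phpAccountSummary.php":
            if self.sessions[sid]:
                return 200, ('<a href="/phpLogout.php">Log out</a> '
                             '<a href="/phpCreateRegifyLocal.php">Create</a>'), cookies
            return 200, 'Please <a href="/phpLogin.php">log in</a>', cookies
        if path == "/phpLogout.php":
            self.sessions[sid] = None
            self.logouts += 1
            return 200, "Logged out", cookies
        return 302, "", cookies   # e.g. phpCreateRegifyLocal.php in the log


class DetailedAuth:
    """Mimics the auth.detailed cycle seen in the thread's console output."""

    def __init__(self, site, cfg):
        self.site, self.cfg, self.cookies = site, cfg, {}

    def build_body(self):
        # Placeholder meaning (%u/%p field names, %U/%P values) is assumed.
        enc = quote_plus if self.cfg["url_encode_params"] else (lambda s: s)
        values = {"%u": self.cfg["username_field"], "%U": enc(self.cfg["username"]),
                  "%p": self.cfg["password_field"], "%P": enc(self.cfg["password"])}
        return re.sub(r"%[uUpP]", lambda m: values[m.group(0)], self.cfg["data_format"])

    def get(self, path):
        status, body, self.cookies = self.site.request("GET", path, self.cookies)
        return status, body

    def is_logged_in(self):
        return self.cfg["check_string"] in self.get(self.cfg["check_url"])[1]

    def login(self):
        if self.is_logged_in():
            return True
        _, _, self.cookies = self.site.request("POST", self.cfg["auth_url"],
                                               self.cookies, data=self.build_body())
        return self.is_logged_in()


LINK_RE = re.compile(r'href="([^"]+)"')


def crawl(site, cfg, start, ignore_regex=None):
    """Breadth-first crawl that checks the session before every request and logs
    in again when it was lost. Returns (sorted crawled paths, logins needed)."""
    auth = DetailedAuth(site, cfg)
    queue, seen, logins = [start], [], 0
    while queue:
        path = queue.pop(0)
        if path in seen or (ignore_regex and re.search(ignore_regex, path, re.I)):
            continue
        seen.append(path)
        if not auth.is_logged_in():
            logins += 1
            if not auth.login():
                raise RuntimeError("Can't login into web application as " + cfg["username"])
        status, body = auth.get(path)
        queue.extend(LINK_RE.findall(body))
    return sorted(seen), logins


def compare_runs():
    """Same crawl twice on fresh sites: without and with a logout exclusion."""
    naive_site, safe_site = FakeSite(), FakeSite()
    naive = crawl(naive_site, CONFIG, "/phpAccountSummary.php")
    safe = crawl(safe_site, CONFIG, "/phpAccountSummary.php", ignore_regex=r"logout")
    return {"naive": naive + (naive_site.logouts,), "safe": safe + (safe_site.logouts,)}


if __name__ == "__main__":
    for name, (paths, logins, logouts) in compare_runs().items():
        print(f"{name}: crawled {paths}, logins={logins}, logouts triggered={logouts}")
```

The "naive" run crawls /phpLogout.php, the session dies, and the next page forces a second login, which is the alternation of "currently logged in" and "NOT logged in" the thread shows; the "safe" run excludes anything matching `logout` and needs a single login. In w3af the equivalent knob is the web_spider plugin's ignore_regex option.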
