Kukulkan,

    The authentication plugins do not send the login / check URLs to
the core. So any URL you put in the configuration, or is a result of
requesting those URLs will not make it to other plugins / the crawler.

    That was the original design and is working as expected. Might not
be ideal for cases (yours?)... we'll see!

    When the user configures authentication plugins, those are run at
the beginning of the scan [0][1], before sending "almost any other
request" and before the crawling plugins. This means that you could
configure w3af like this:
        * auth plugin logs the scanner in
        * the scanner will re-use cookies just like any browser (like
you mention above)
        * crawl plugin will re-use cookies to follow the links you set
in the target. Remember that you can set the target to a comma
separated list of URLs, that might help.

    Those steps will be run in that order, so the crawler should have
cookies when reaching the target.

    The GUI is NOT maintained and I don't recommend using it. Use the
console or REST API.

    w3af doesn't support javascript, so it won't be able to extract
"phpAccountSummary.php" from:

```
<script type="text/javascript">
window.setTimeout("window.location.href = 'phpAccountSummary.php';", 0);
</script>
```

    If you want me to help a little bit more, please do send me scan
logs with debugging information and HTTP requests (both files are
generated by the text_file plugin).

[0] https://github.com/andresriancho/w3af/blob/39004228300e1eb38ae0cdb3946725e7a3adb8c8/w3af/core/controllers/core_helpers/strategy.py#L649
[1] https://github.com/andresriancho/w3af/blob/39004228300e1eb38ae0cdb3946725e7a3adb8c8/w3af/core/controllers/core_helpers/strategy.py#L111-L112



On Thu, Apr 26, 2018 at 7:31 AM, Volker Schmid <volker.sch...@regify.com> wrote:
> Hello Andres,
>
> I created a cookie file and tried again. Now it seems to use the cookie, but
> spider is still not successful. I can see that it spidered several pages but
> it does not follow the links inside. Looks like it does not even try to
> spider the page that was found in login page result like this:
>
> <script type="text/javascript">
> window.setTimeout("window.location.href = 'phpAccountSummary.php';", 0);
> </script>
>
> It just inspects the few pages linked on the start and login page. But it
> does not spider the pages behind. I thought it would also use the page I set
> for login verification (phpAccountSummary.php). It opens it, even successful
> after login, but it does not spider the links inside there.
>
> Again, if I set the spider target directly to
> https://vsprovider2.de.mysystem.com/phpAccountSummary.php, the
> "Results"->"URLs" stays completely empty.
>
> I also have to restart w3af GUI each time I scanned because any further
> action leads to crashes, strange GUI behaviour (missing values in scan
> config fields) or missing logs and URLs in "Results" view occasionally. The
> GUI seems very buggy to me.
>  Is there some other, more stable version available? And is there a more
> sophisticated authentication/spider PlugIn available?
>
> Thanks,
>
> Kukulkan



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
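The reply above explains that w3af does not execute JavaScript, so a page whose only link to the next step is a script-assigned redirect (the `window.setTimeout("window.location.href = ...")` snippet quoted in the thread) leaves the crawler with nothing to follow, and suggests listing such pages explicitly in the comma separated target. The following stand-alone Python helper, added here as an example and not part of w3af or of the original mail, shows one way to prepare that list when you are assessing your own application: it pulls literal string assignments to `location` out of the `<script>` blocks of a saved response body, resolves them against the page URL, keeps only same-origin targets, and joins them into the target string format the mail describes. The sample HTML, the `app.example.test` host and the regular expressions are constructed for the example; because only string literals are matched, a target built by string concatenation or fetched at runtime is still out of reach without a real JavaScript engine.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample (not taken from the thread): a login response that links one
# page through an anchor and reaches the others only via script-assigned redirects.
SAMPLE_HTML = """
<html><body>
<a href="/help.php">Help</a>
<script type="text/javascript">
window.setTimeout("window.location.href = 'phpAccountSummary.php';", 0);
</script>
<script>
  if (loggedIn) { location.replace("/account/settings.php"); }
  window.location = "https://static.example.test/banner.php";
</script>
</body></html>
"""

BASE_URL = "https://app.example.test/login.php"  # constructed placeholder host

# Inline <script> bodies, with or without attributes on the tag.
# Inline event-handler attributes (onclick=...) are out of scope here.
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)

# Literal string assignments to the location object. Group 1 covers
# `location = '...'` and `location.href = '...'`; group 2 covers
# `location.replace('...')` and `location.assign('...')`. Only string literals
# are caught: a target built by concatenation would need a real JS engine.
_JS_REDIRECT_RE = re.compile(
    r"""
    (?:window\.|document\.|self\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']
    |
    (?:window\.|document\.|self\.|top\.)?location\.(?:replace|assign)\(\s*["']([^"']+)["']
    """,
    re.VERBOSE | re.IGNORECASE,
)


def extract_js_redirects(html, base_url):
    """Return script-assigned redirect targets as absolute URLs, deduplicated, in page order."""
    found = []
    for script in _SCRIPT_RE.findall(html):
        for match in _JS_REDIRECT_RE.finditer(script):
            target = match.group(1) or match.group(2)
            absolute = urljoin(base_url, target.strip())
            if absolute not in found:
                found.append(absolute)
    return found


def same_origin(url, base_url):
    """True when scheme and host match the base URL, so the target stays inside the scan scope."""
    a, b = urlsplit(url), urlsplit(base_url)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def build_target_list(base_url, html):
    """Comma separated target string: the base URL followed by in-scope JS redirect targets."""
    targets = [base_url]
    for url in extract_js_redirects(html, base_url):
        if same_origin(url, base_url) and url not in targets:
            targets.append(url)
    return ",".join(targets)


if __name__ == "__main__":
    for url in extract_js_redirects(SAMPLE_HTML, BASE_URL):
        print("redirect target:", url)
    print("w3af target:", build_target_list(BASE_URL, SAMPLE_HTML))
```

Run it against the body of the login response saved from the HTTP request log and paste the printed target string into the scan's target setting; the off-host `banner.php` target is reported by `extract_js_redirects` but deliberately left out of the target list so the scan does not wander outside the host being assessed.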