Hello,

Recently, I started exploring REST API
of w3af and stumbled upon few things which I couldn't understand and
thought of seeking your advice.

From the documentation it's understood that in order to initiate a scan
the following is the format:

{
     "target_urls": ["http://127.0.0.1:8000/audit/sql_injection/"],
     "scan_profile": "[grep.strange_headers]\n\n[crawl.web_spider]\nonly_forward = False\nfollow_regex = .*\nignore_regex = \n\n"
}

w3af features different profiles which are located under
https://github.com/andresriancho/w3af/tree/master/profiles

Let's say, if I want to use the OWASP TOP 10 profile for an authenticated
scan using the REST API /scan endpoint, what should be the format in the
profile for form-based authentication? I have checked the useful auth
plugin but don't understand how to use this plugin inside a profile.

For example: in the OWASP TOP 10 profile, I can see under http settings
that options are there for basic authentication:
[http-settings]
proxy_port = 8080
url_parameter =
never_404 =
headers_file =
proxy_address =
basic_auth_domain =
always_404 =
max_http_retries = 2
ntlm_auth_user =
ntlm_auth_passwd =
ignore_session_cookies = False
timeout = 0
user_agent = w3af.org
basic_auth_user =
basic_auth_passwd =

My question is, how do I use form-based credentials/options in this
profile?

I would be really grateful if someone can answer this question for
me with the help of an example or the required format to perform such a type
of authenticated scan via the REST API endpoint.



Please provide an example format so that I can understand it clearly.

Regards
Snehil Khare


_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
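As an added illustration of the question above (example code written for this page, not from the original post or from the w3af project): a profile sent to the REST API is just an INI-style text, so form-based login can be added by appending an `[auth.generic]` section to whatever profile text you already have (the scan_profile string from the post, or the contents of a `.pw3af` file such as OWASP_TOP10). The option names used for `auth.generic` (`username`, `password`, `username_field`, `password_field`, `auth_url`, `check_url`, `check_string`) and the `POST /scans/` endpoint are assumptions based on w3af's auth plugin and REST API and should be checked against the option list of the plugin in your w3af version; all URLs and credentials below are constructed sample values for a local test application.

```python
"""
Add form-based login (auth.generic) to a w3af scan profile string and
build the JSON body for the REST API.

Assumptions (not from the original post or the w3af project): the
auth.generic plugin takes the options listed in AUTH_GENERIC_OPTIONS,
and scans are started with POST /scans/ using the body shape shown in
the post. Check both against your own w3af installation.
"""
import configparser
import io
import json
import urllib.request

# Assumed option names of w3af's auth.generic plugin.
AUTH_GENERIC_OPTIONS = ("username", "password", "username_field",
                        "password_field", "auth_url", "check_url",
                        "check_string")

# The scan_profile string from the post, used here as the base profile.
SAMPLE_PROFILE = ("[grep.strange_headers]\n\n[crawl.web_spider]\n"
                  "only_forward = False\nfollow_regex = .*\n"
                  "ignore_regex = \n\n")

# Constructed sample login settings for a local test application.
SAMPLE_LOGIN = {
    "username": "scanner",
    "password": "scanner-password",
    "username_field": "username",
    "password_field": "password",
    "auth_url": "http://127.0.0.1:8000/login",
    # check_url/check_string: a page and marker only visible when logged in,
    # so the plugin can detect a dropped session and re-authenticate.
    "check_url": "http://127.0.0.1:8000/account",
    "check_string": "Logout",
}


def _parser() -> configparser.ConfigParser:
    # interpolation=None: regex values such as ".*" or "%" must stay literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep option names exactly as written
    return cp


def add_form_login(profile_text: str, login: dict) -> str:
    """Return profile_text with an [auth.generic] section added (or replaced).

    Every option in AUTH_GENERIC_OPTIONS must be supplied, otherwise the
    plugin would start with empty credentials and the scan would silently
    run unauthenticated.
    """
    missing = [o for o in AUTH_GENERIC_OPTIONS if o not in login]
    if missing:
        raise ValueError(f"auth.generic is missing options: {missing}")

    cp = _parser()
    cp.read_string(profile_text)   # also validates the existing INI text
    if cp.has_section("auth.generic"):
        cp.remove_section("auth.generic")
    cp.add_section("auth.generic")
    for option in AUTH_GENERIC_OPTIONS:
        cp.set("auth.generic", option, str(login[option]))

    out = io.StringIO()
    cp.write(out)                  # emits "[section]\nkey = value\n\n"
    return out.getvalue()


def profile_sections(profile_text: str) -> dict:
    """Parse a profile string back into {section: {option: value}}.

    Useful as a pre-flight check that the plugin sections you expect
    (auth.generic, crawl.web_spider, ...) really are present.
    """
    cp = _parser()
    cp.read_string(profile_text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def build_scan_request(target_urls: list, profile_text: str) -> dict:
    """JSON body in the shape the post shows for starting a scan."""
    return {"target_urls": list(target_urls), "scan_profile": profile_text}


def start_scan(api_base: str, body: dict) -> dict:
    """POST the body to the (assumed) /scans/ endpoint of the REST API."""
    req = urllib.request.Request(
        api_base.rstrip("/") + "/scans/",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    profile = add_form_login(SAMPLE_PROFILE, SAMPLE_LOGIN)
    body = build_scan_request(["http://127.0.0.1:8000/"], profile)
    print(json.dumps(body, indent=2))
    # start_scan("http://127.0.0.1:5000", body)  # needs a running w3af API
```

`profile_sections` is the check worth running before every scan: if `auth.generic` is missing from its output, or `check_url`/`check_string` point at a page that is also reachable anonymously, the scanner cannot tell a logged-in session from a logged-out one and the results will cover only the unauthenticated surface.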