Snehil,

Answers and comments inline,

On Fri, Sep 14, 2018 at 10:03 AM <snehil.kh...@eioneus.com> wrote:
>
> Hello,
>
> Recently, I started exploring REST API
> of w3af and stumbled upon few things which I couldn't understand and
> thought of seeking your advice.
>
>   From the documentation it's understood that in order to initiate a scan
> following is the format :
>
> {
>       "target_urls": ["http://127.0.0.1:8000/audit/sql_injection/"],
>       "scan_profile":
> "[grep.strange_headers]\n\n[crawl.web_spider]\nonly_forward =
> False\nfollow_regex = .*\nignore_regex = \n\n"
> }
>
> w3af features different profiles which are located under
> https://github.com/andresriancho/w3af/tree/master/profiles
>
> Let's say, if I want to use OWASP TOP 10 profile for an authenticated
> scan using REST API /scan endpoint, what should be the format in the
> profile for form-based authentication? I have checked the useful auth
> plugin but don't understand how to use these plugins inside a profile.

Something you could do is to run the w3af_gui, create your
configuration there, and then save the profile to a file. After saving
you can use it with the w3af REST API.

> for example: In OWASP TOP 10 profile, I can see under http settings
> options are there for basic authentication
> [http-settings]
> proxy_port = 8080
> url_parameter =
> never_404 =
> headers_file =
> proxy_address =
> basic_auth_domain =
> always_404 =
> max_http_retries = 2
> ntlm_auth_user =
> ntlm_auth_passwd =
> ignore_session_cookies = False
> timeout = 0
> user_agent = w3af.org
> basic_auth_user =
> basic_auth_passwd =
>
> My question is, how do I use form-based credentials/options in this
> profile?
>
> I would be really grateful, if someone can answer this question for
> me with the help of an example or required format to perform such type
> of authenticated scan via REST API endpoint.
>
>
>
> Please provide an example format so that I can understand it clearly.
>
> Regards
> Snehil Khare
>
>
> _______________________________________________
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
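As an added illustration of the workflow in the reply above (save a profile, then hand it to the REST API), here is a small Python script; it is not w3af project code and not part of the original thread. It assumes the REST API listens on http://127.0.0.1:5000 (the w3af_api default) and that POST /scans/ takes the same JSON body shown in the question. The `[auth.generic]` section uses the option names of w3af's generic form-login plugin as I know them (username, password, username_field, password_field, auth_url, check_url, check_string); verify them against the plugin's own `--help` output in your version. The profile text and credentials are constructed sample values.

```python
"""Submit a saved w3af profile (with a form-login auth section) to the REST API.

Added example, not w3af's own code. Assumptions: REST API at
http://127.0.0.1:5000, POST /scans/ body {"scan_profile": ..., "target_urls": [...]}
as in the original post, and the [auth.generic] option names listed below.
"""
import configparser
import json
import urllib.request

# Constructed sample profile: the grep/crawl lines from the post plus an
# [auth.generic] section for form-based login (values are made up).
SAMPLE_PROFILE = """\
[grep.strange_headers]

[crawl.web_spider]
only_forward = False
follow_regex = .*
ignore_regex =

[auth.generic]
username = alice
password = s3cr3t-example
username_field = user
password_field = pass
auth_url = http://127.0.0.1:8000/login
check_url = http://127.0.0.1:8000/account
check_string = Logged in as alice
"""


def load_profile(path):
    """Read a profile saved from w3af_gui (an ini-style .pw3af file) as text."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def auth_plugins(profile_text):
    """Return the auth.* section names configured in a profile.

    A profile meant for an authenticated scan that has no auth.* section
    will simply crawl anonymously, so this is worth checking before submitting.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(profile_text)
    return [s for s in cp.sections() if s.startswith("auth.")]


def build_scan_request(profile_text, target_urls):
    """Build the JSON body that POST /scans/ expects (format from the post)."""
    if not auth_plugins(profile_text):
        raise ValueError("profile has no auth.* section; scan would be unauthenticated")
    return {"scan_profile": profile_text, "target_urls": list(target_urls)}


def submit_scan(body, api_url="http://127.0.0.1:5000"):
    """POST the body to the REST API and return the decoded JSON reply."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        api_url + "/scans/",
        data=data,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Replace SAMPLE_PROFILE with load_profile("my_scan.pw3af") after saving
    # the configuration from w3af_gui.
    body = build_scan_request(SAMPLE_PROFILE, ["http://127.0.0.1:8000/"])
    print(submit_scan(body))
```

Note that the profile, and therefore the login password, travels in the request body, so keep the API bound to localhost or behind TLS and do not commit saved profiles containing real credentials to version control.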

