Re: [W3af-users] cookieJarFile Not Utilized
From: Andres R. <and...@gm...> - 2011-11-22 00:30:19
Shawn, w3af shouldn't stop after that warning, should it?

On Mon, Nov 21, 2011 at 9:25 PM, Shawn Webb <la...@gm...> wrote:
> I guess that's what I'm reporting.
>
> On Nov 21, 2011 5:11 PM, "Andres Riancho" <and...@gm...> wrote:
>>
>> Shawn,
>>
>> While w3af is officially supported under 2.6 it should work as
>> expected in 2.7 (let us know if it doesn't).
>>
>> Regards,
>>
>> On Mon, Nov 21, 2011 at 8:19 PM, Shawn Webb <la...@gm...> wrote:
>> > Just tried. Looks like it's not liking that the whole world has moved
>> > on beyond python 2.6. I even changed the shebang line to match the
>> > python2.6 binary and the latest w3af still complains about only being
>> > supported in python 2.6, even though it is running in python 2.6.
>> >
>> > On Mon, Nov 21, 2011 at 4:17 PM, Andres Riancho
>> > <and...@gm...> wrote:
>> >> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>> >>
>> >> That's a very old version. Could you please download the latest from
>> >> the w3af site?
>> >>
>> >> Regards,
>> >>
>> >> On Mon, Nov 21, 2011 at 8:12 PM, Shawn Webb <la...@gm...> wrote:
>> >>> The version in Ubuntu 11.10's repo exhibits the same behavior. Nor is
>> >>> webSpider really finding anything:
>> >>>
>> >>> w3af>>> http-settings
>> >>> w3af/config:http-settings>>> set cookieJarFile /home/shawn/cookies.txt
>> >>> w3af/config:http-settings>>> back
>> >>> w3af>>> target
>> >>> w3af/config:target>>> set target http://[redacted]/
>> >>> w3af/config:target>>> back
>> >>> w3af/plugins>>> audit xss, sqli, blindSqli
>> >>> w3af/plugins>>> discovery webSpider
>> >>> w3af/plugins>>> back
>> >>> w3af>>> start
>> >>> Auto-enabling plugin: grep.error500
>> >>> Auto-enabling plugin: grep.httpAuthDetect
>> >>> The following is a list of broken links that were found by the
>> >>> webSpider plugin:
>> >>> - http://[redacted]/ [ referenced from: http://[redacted]/ ]
>> >>> Found 1 URLs and 1 different points of injection.
>> >>> The list of URLs is:
>> >>> - http://[redacted]/
>> >>> The list of fuzzable requests is:
>> >>> - http://[redacted]/ | Method: GET
>> >>> Finished scanning process.
>> >>> w3af>>> version
>> >>> w3af - Web Application Attack and Audit Framework
>> >>> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>> >>> Author: Andres Riancho and the w3af team.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Shawn
>> >>>
>> >>> On Mon, Nov 21, 2011 at 2:11 PM, Shawn Webb <la...@gm...> wrote:
>> >>>> Looks like it's gonna be a major pain continuing to do this on
>> >>>> freebsd, since freebsd uses python 2.7 by default. w3af depends on
>> >>>> 2.6. I'll spin up a linux VM and see if it exhibits the same
>> >>>> behavior.
>> >>>>
>> >>>> On Mon, Nov 21, 2011 at 1:45 PM, Javier Andalia <jan...@gm...>
>> >>>> wrote:
>> >>>>> Hey Shawn,
>> >>>>>
>> >>>>> You can start with installing our last version [0] and tell us if
>> >>>>> that still happens.
>> >>>>>
>> >>>>> Regards,
>> >>>>>
>> >>>>> Javier
>> >>>>>
>> >>>>> [0] https://sourceforge.net/projects/w3af/files/w3af/w3af%201.1/
>> >>>>>
>> >>>>> On Mon, Nov 21, 2011 at 5:31 PM, Shawn Webb <la...@gm...>
>> >>>>> wrote:
>> >>>>>> I'm testing using w3af against my employer's development sites. We
>> >>>>>> use a load balancer based on nginx and haproxy which sets cookies to
>> >>>>>> forward (and keep) the user's browser to a specific lighttpd
>> >>>>>> server. I exported firefox's cookies for our site and am using that
>> >>>>>> with w3af. After running w3af, I see no hits in my lighttpd server's
>> >>>>>> logfiles, which makes me believe w3af isn't respecting the
>> >>>>>> cookieJarFile setting. Is there something other than simply setting
>> >>>>>> that config variable to the file that I should be doing? I just
>> >>>>>> installed w3af on freebsd via ports.
>> >>>>>>
>> >>>>>> w3af version info: Version: 1.0-rc4 (from tgz)
>> >>>>>>
>> >>>>>> Thanks,
>> >>>>>>
>> >>>>>> Shawn
>> >>>>>>
>> >>>>>> ------------------------------------------------------------------------------
>> >>>>>> All the data continuously generated in your IT infrastructure
>> >>>>>> contains a definitive record of customers, application performance,
>> >>>>>> security threats, fraudulent activity, and more. Splunk takes this
>> >>>>>> data and makes sense of it. IT sense. And common sense.
>> >>>>>> http://p.sf.net/sfu/splunk-novd2d
>> >>>>>> _______________________________________________
>> >>>>>> W3af-users mailing list
>> >>>>>> W3a...@li...
>> >>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Director of Web Security at Rapid7 LLC
>> >> Founder at Bonsai Information Security
>> >> Project Leader at w3af
>> >
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>

-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
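As an added diagnostic for the cookieJarFile problem Shawn describes (example code written for this page, not part of the thread or of w3af): it parses a Netscape-format cookies.txt, the format cookieJarFile expects and cookie exporters write, and reports for a target URL which cookies would be attached and why the others would be withheld (domain, path, Secure flag, expiry). It assumes w3af loads the jar with Python 2's cookielib.MozillaCookieJar, which skips every line beginning with '#', including the '#HttpOnly_' lines that curl and some exporters emit for HttpOnly cookies; the sample jar, hostnames and cookie names are constructed.

```python
import time
from urllib.parse import urlsplit

# Constructed sample jar (hostnames, names, values are made up); SERVERID
# stands in for the sticky-session cookie a load balancer would set.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    ".dev.example.test\tTRUE\t/\tFALSE\t0\tSERVERID\tlighttpd-03",
    "dev.example.test\tFALSE\t/\tTRUE\t0\tSESSID\tabc123",
    ".dev.example.test\tTRUE\t/\tFALSE\t1000000000\tOLDPREF\tx",
    "#HttpOnly_.dev.example.test\tTRUE\t/\tFALSE\t0\tAUTH\tsecret",
    ".other.example.test\tTRUE\t/\tFALSE\t0\tLBID\tpool-b",
])

def parse_netscape_jar(text):
    """Parse the 7-field tab-separated Netscape format. Python 2's cookielib
    (assumed loader for cookieJarFile) drops every '#' line as a comment,
    '#HttpOnly_' entries included; they are kept here but flagged."""
    cookies = []
    for raw in text.splitlines():
        line, note = raw.strip(), ""
        if line.startswith("#HttpOnly_"):
            line, note = line[len("#HttpOnly_"):], " (#HttpOnly_: skipped by Python 2 cookielib)"
        elif not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) == 7:  # anything else is malformed and ignored
            cookies.append({"domain": f[0], "path": f[2], "secure": f[3] == "TRUE",
                            "expires": int(f[4]), "name": f[5], "note": note})
    return cookies

def cookie_status(jar_text, url, now=None):
    """Map cookie name -> 'sent' or why it is withheld from a request to url."""
    now = time.time() if now is None else now
    u = urlsplit(url)
    host, path, https = u.hostname, u.path or "/", u.scheme == "https"
    status = {}
    for c in parse_netscape_jar(jar_text):
        d = c["domain"]
        if not (host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))):
            status[c["name"]] = "domain mismatch (%s)" % d
        elif not path.startswith(c["path"]):
            status[c["name"]] = "path mismatch (%s)" % c["path"]
        elif c["secure"] and not https:
            status[c["name"]] = "needs https"
        elif c["expires"] and c["expires"] < now:
            status[c["name"]] = "expired"
        else:
            status[c["name"]] = "sent" + c["note"]
    return status
```

Running cookie_status(SAMPLE_JAR, "http://dev.example.test/login") on a real export and comparing the result with the Set-Cookie the load balancer issues tells you whether the sticky-session cookie is even eligible to be sent before blaming the scanner.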