Re: [W3af-users] cookieJarFile Not Utilized
From: Shawn W. <la...@gm...> - 2011-11-22 02:12:47
It's internal only.

On Mon, Nov 21, 2011 at 7:06 PM, Andres Riancho <and...@gm...> wrote:
> Shawn,
>
>     Could you please send me the URL in a private email so I can try
> to reproduce your issue?
>
> On Mon, Nov 21, 2011 at 10:32 PM, Shawn Webb <la...@gm...> wrote:
>> w3af stops after scanning just a single page, even though the
>> webSpider discovery plugin is enabled.
>>
>> On Mon, Nov 21, 2011 at 5:29 PM, Andres Riancho <and...@gm...> wrote:
>>> Shawn,
>>>
>>>     w3af shouldn't stop after that warning, should it?
>>>
>>> On Mon, Nov 21, 2011 at 9:25 PM, Shawn Webb <la...@gm...> wrote:
>>>> I guess that's what I'm reporting.
>>>>
>>>> On Nov 21, 2011 5:11 PM, "Andres Riancho" <and...@gm...> wrote:
>>>>> Shawn,
>>>>>
>>>>>     While w3af is officially supported under 2.6 it should work as
>>>>> expected in 2.7 (let us know if it doesn't).
>>>>>
>>>>> Regards,
>>>>>
>>>>> On Mon, Nov 21, 2011 at 8:19 PM, Shawn Webb <la...@gm...> wrote:
>>>>>> Just tried. Looks like it's not liking that the whole world has moved
>>>>>> on beyond python 2.6. I even changed the shebang line to match the
>>>>>> python2.6 binary and the latest w3af still complains about only being
>>>>>> supported in python 2.6, even though it is running in python 2.6.
>>>>>>
>>>>>> On Mon, Nov 21, 2011 at 4:17 PM, Andres Riancho <and...@gm...> wrote:
>>>>>>> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>>>>>>>
>>>>>>> That's a very old version. Could you please download the latest from
>>>>>>> the w3af site?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> On Mon, Nov 21, 2011 at 8:12 PM, Shawn Webb <la...@gm...> wrote:
>>>>>>>> The version in Ubuntu 11.10's repo exhibits the same behavior. Nor is
>>>>>>>> webSpider really finding anything:
>>>>>>>>
>>>>>>>> w3af>>> http-settings
>>>>>>>> w3af/config:http-settings>>> set cookieJarFile /home/shawn/cookies.txt
>>>>>>>> w3af/config:http-settings>>> back
>>>>>>>> w3af>>> target
>>>>>>>> w3af/config:target>>> set target http://[redacted]/
>>>>>>>> w3af/config:target>>> back
>>>>>>>> w3af/plugins>>> audit xss, sqli, blindSqli
>>>>>>>> w3af/plugins>>> discovery webSpider
>>>>>>>> w3af/plugins>>> back
>>>>>>>> w3af>>> start
>>>>>>>> Auto-enabling plugin: grep.error500
>>>>>>>> Auto-enabling plugin: grep.httpAuthDetect
>>>>>>>> The following is a list of broken links that were found by the
>>>>>>>> webSpider plugin:
>>>>>>>> - http://[redacted]/ [ referenced from: http://[redacted]/ ]
>>>>>>>> Found 1 URLs and 1 different points of injection.
>>>>>>>> The list of URLs is:
>>>>>>>> - http://[redacted]/
>>>>>>>> The list of fuzzable requests is:
>>>>>>>> - http://[redacted]/ | Method: GET
>>>>>>>> Finished scanning process.
>>>>>>>> w3af>>> version
>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>> Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
>>>>>>>> Author: Andres Riancho and the w3af team.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Shawn
>>>>>>>>
>>>>>>>> On Mon, Nov 21, 2011 at 2:11 PM, Shawn Webb <la...@gm...> wrote:
>>>>>>>>> Looks like it's gonna be a major pain continuing to do this on
>>>>>>>>> freebsd, since freebsd uses python 2.7 by default. w3af depends on
>>>>>>>>> 2.6. I'll spin up a linux VM and see if it exhibits the same
>>>>>>>>> behavior.
>>>>>>>>>
>>>>>>>>> On Mon, Nov 21, 2011 at 1:45 PM, Javier Andalia <jan...@gm...> wrote:
>>>>>>>>>> Hey Shawn,
>>>>>>>>>>
>>>>>>>>>> You can start with installing our last version [0] and tell us if
>>>>>>>>>> that still happens.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> Javier
>>>>>>>>>>
>>>>>>>>>> [0] https://sourceforge.net/projects/w3af/files/w3af/w3af%201.1/
>>>>>>>>>>
>>>>>>>>>> On Mon, Nov 21, 2011 at 5:31 PM, Shawn Webb <la...@gm...> wrote:
>>>>>>>>>>> I'm testing using w3af against my employer's development sites. We
>>>>>>>>>>> use a load balancer based on nginx and haproxy which sets cookies to
>>>>>>>>>>> forward (and keep) the user's browser to a specific lighttpd
>>>>>>>>>>> server. I exported firefox's cookies for our site and am using that
>>>>>>>>>>> with w3af. After running w3af, I see no hits in my lighttpd server's
>>>>>>>>>>> logfiles, which makes me believe w3af isn't respecting the
>>>>>>>>>>> cookieJarFile setting. Is there something other than simply setting
>>>>>>>>>>> that config variable to the file that I should be doing? I just
>>>>>>>>>>> installed w3af on freebsd via ports.
>>>>>>>>>>>
>>>>>>>>>>> w3af version info: Version: 1.0-rc4 (from tgz)
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Shawn
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>> All the data continuously generated in your IT infrastructure
>>>>>>>>>>> contains a definitive record of customers, application performance,
>>>>>>>>>>> security threats, fraudulent activity, and more. Splunk takes this
>>>>>>>>>>> data and makes sense of it. IT sense. And common sense.
>>>>>>>>>>> http://p.sf.net/sfu/splunk-novd2d
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> W3af-users mailing list
>>>>>>>>>>> W3a...@li...
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Director of Web Security at Rapid7 LLC
>>>>>>> Founder at Bonsai Information Security
>>>>>>> Project Leader at w3af
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Director of Web Security at Rapid7 LLC
>>>>> Founder at Bonsai Information Security
>>>>> Project Leader at w3af
>>>
>>> --
>>> Andrés Riancho
>>> Director of Web Security at Rapid7 LLC
>>> Founder at Bonsai Information Security
>>> Project Leader at w3af
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
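The thread never settles whether the cookieJarFile was read or merely read and then not applied. Those are different failures, and both can be checked offline before blaming the scanner. The script below is an added example, not code from this thread or from w3af. It assumes, as the option name suggests, that w3af reads the file with Python's standard Netscape/Mozilla cookie-jar loader (cookielib on the Python 2.6 w3af 1.1 ran on, http.cookiejar here); whether w3af's own load call keeps session cookies is not shown in the thread. The host dev.example.com, the cookie names SERVERID, PHPSESSID and admintoken, and the cookies.txt content are constructed for the example. The jar is asked which Cookie: header it would attach to a given URL, so no request is sent.

```python
"""Offline check of a Netscape-format cookies.txt (the format Firefox
exports) against a target URL, using Python's standard-library loader.
No request is sent: the jar is asked which Cookie: header it would add."""
import http.cookiejar
import os
import re
import tempfile
import urllib.request

NETSCAPE_HEADER = "# Netscape HTTP Cookie File"
MAGIC_RE = re.compile(r"#( Netscape)? HTTP Cookie File")  # the loader's own test
HTTPONLY_PREFIX = "#HttpOnly_"

# Constructed sample, not a real export.  Tab-separated fields: domain,
# subdomains-included, path, secure-only, expiry (epoch seconds), name, value.
# SERVERID stands in for a load-balancer sticky-session cookie whose expiry
# was written as 0 (what some exporters emit for session cookies); PHPSESSID
# carries the '#HttpOnly_' prefix curl and older Firefox exporters write;
# admintoken is a Secure cookie scoped to /admin.  Hosts and names are invented.
SAMPLE_COOKIES_TXT = "\n".join([
    ".dev.example.com\tTRUE\t/\tFALSE\t0\tSERVERID\tlighttpd-3",
    "#HttpOnly_dev.example.com\tFALSE\t/\tFALSE\t4102444800\tPHPSESSID\tabc123",
    "dev.example.com\tFALSE\t/admin\tTRUE\t4102444800\tadmintoken\tzz9",
    "",
])


def describe_problems(text):
    """List what in this cookies.txt makes the loader drop part or all of it."""
    lines = text.splitlines()
    problems = []
    if not lines or not MAGIC_RE.search(lines[0]):
        problems.append("missing %r header line: load() raises LoadError" % NETSCAPE_HEADER)
    for n, line in enumerate(lines, 1):
        if line.startswith(HTTPONLY_PREFIX):
            problems.append("line %d: '#HttpOnly_' prefix, skipped as a comment by "
                            "cookielib (Python 2) and older http.cookiejar versions" % n)
            line = line[len(HTTPONLY_PREFIX):]
        fields = line.split("\t")
        if len(fields) == 7 and not line.startswith("#") and fields[4] == "0":
            problems.append("line %d: expiry 0 means 'already expired'; cookie %r is "
                            "never sent even if it loads" % (n, fields[5]))
    return problems


def normalize_cookies_txt(text):
    """Rewrite cookies.txt so every cookie survives loading: add the magic
    header if missing, strip '#HttpOnly_' (the flag only matters to browsers),
    and turn an expiry of 0 into an empty field, i.e. a session cookie."""
    lines = text.splitlines()
    out = []
    if not lines or not MAGIC_RE.search(lines[0]):
        out.append(NETSCAPE_HEADER)
    for line in lines:
        if line.startswith(HTTPONLY_PREFIX):
            line = line[len(HTTPONLY_PREFIX):]
        fields = line.split("\t")
        if len(fields) == 7 and not line.startswith("#") and fields[4] == "0":
            fields[4] = ""
            line = "\t".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


def load_jar(text):
    """Load cookies.txt content into a MozillaCookieJar.  ignore_discard and
    ignore_expires keep session cookies; the defaults drop them silently,
    which from the outside looks like 'the jar is not used'."""
    jar = http.cookiejar.MozillaCookieJar()
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(text)
        path = f.name
    try:
        jar.load(path, ignore_discard=True, ignore_expires=True)
    finally:
        os.unlink(path)
    return jar


def loads_cleanly(text):
    """True if the content loads without LoadError."""
    try:
        load_jar(text)
    except http.cookiejar.LoadError:
        return False
    return True


def cookies_sent(jar, url):
    """{name: value} of the cookies the jar would attach to a GET of url after
    its domain, path, Secure and expiry checks; empty dict if none."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return {}
    return dict((item.split("=", 1) + [""])[:2] for item in header.split("; "))


if __name__ == "__main__":
    for p in describe_problems(SAMPLE_COOKIES_TXT):
        print("problem:", p)
    jar = load_jar(normalize_cookies_txt(SAMPLE_COOKIES_TXT))
    for url in ("http://dev.example.com/", "https://dev.example.com/admin/",
                "http://www.example.com/"):
        print(url, "->", cookies_sent(jar, url))
```

To check a real export, run describe_problems() on the file's contents and cookies_sent() on a jar loaded from it with the exact target URL given to w3af (scheme included: a Secure cookie is withheld from an http:// target, and a cookie scoped to a path is withheld from the site root). If the sticky-session cookie is missing from that dict, the silent backend logs are explained by the jar contents rather than by w3af ignoring the setting; if it is present there but still not reaching the backend, the problem is in the scanner's loading of the file.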