Re: [W3af-develop] Help needed - SAML-based auth plugin
From: Andres R. <and...@gm...> - 2014-03-21 18:15:05
Andre,

On Fri, Mar 21, 2014 at 2:47 PM, Andre Daniels <and...@uc...> wrote:
>
> Hello All,
>
> I have not been able to find one so I am attempting to build a SAML-based
> auth plugin. I am digging around in the object hierarchy but I have not yet
> fully understood a couple of things and was hoping someone could give me
> some guidance. I have tested this script that can perform a SAML login using
> a urllib2 object and a CookieJar but I am not yet sure how to integrate this
> with the AuthPlugin class.
>
> The script executes this code:
>
> cj = cookielib.CookieJar()
> self.opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
>
> I am not sure how to intercept the urllib2 object that has the context of
> the actual tests being performed. I need to process a login and then set
> cookies for that object.
>
> I think I just need to use self.url_opener, yes? This object is the one
> actually performing the tests?

Yes, the self.url_opener of the auth plugins is the HTTP client used to send
requests during the whole test. You need to use that one to authenticate with
SAML, OR authenticate with a different one and then set the cookies in
self.url_opener.

> Additionally, how can I get the url being
> tested from that object?

Well, you don't get it from there because... it's not there! I recommend you
use the plugin configuration (see: get_options / set_options) to set the URL,
username and password.

> I am currently attempting to use self.url_opener to log in to our IDP and
> then set its internal cookie jar with the cookies needed to perform further
> authenticated tests.

If you post your code to a gist, then I might be able to be of more help.

> Let me know if you have any suggestions. Also, are there any additional
> documents describing the object model in w3af that I should view?

Nope, but I'm always here to help and we can write a nice RST document for
other auth plugin writers when we finish.

Regards,

> Thanks,
> Andre
>
> --
> Andre Daniels
> Sr. Developer/Security Analyst
> University of California Santa Cruz
> (831)459-1980
> and...@uc...

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
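The second option Andrés describes (log in with a separate client, then hand the resulting cookies to the shared opener) as an added example; this is not code from the thread or from the w3af project, it uses Python 3's urllib.request / http.cookiejar (the urllib2 / cookielib names in the mail map one to one), and it assumes that self.url_opener behaves like a urllib-style OpenerDirector with an HTTPCookieProcessor, which the thread does not confirm. Domain and cookie names are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import HTTPCookieProcessor, build_opener


def make_session_cookie(name, value, domain, secure=True):
    """Build a session cookie the way a jar would after a login response.
    All values are constructed for this example."""
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=secure, expires=None,
        discard=True, comment=None, comment_url=None, rest={},
    )


def opener_cookie_jar(opener):
    """Locate the CookieJar an OpenerDirector uses via its HTTPCookieProcessor.
    Assumption: the shared opener is built like the one in the question."""
    for handler in opener.handlers:
        if isinstance(handler, HTTPCookieProcessor):
            return handler.cookiejar
    raise ValueError("opener has no HTTPCookieProcessor; cookies would be lost")


def inject_cookies(login_jar, target_opener, domains):
    """Copy cookies for the IdP/SP domains from the login client's jar into
    the shared opener's jar; unrelated cookies stay behind. Returns the count."""
    target_jar = opener_cookie_jar(target_opener)
    copied = 0
    for cookie in login_jar:
        if cookie.domain in domains:
            target_jar.set_cookie(cookie)
            copied += 1
    return copied


def is_logged(opener, cookie_name, domain):
    """An is_logged-style check for an auth plugin: is the session cookie present?"""
    return any(c.name == cookie_name and c.domain == domain
               for c in opener_cookie_jar(opener))


def demo():
    # Constructed: what the separate SAML login client holds after logging in.
    login_jar = CookieJar()
    login_jar.set_cookie(make_session_cookie("JSESSIONID", "abc123", "sp.example.edu"))
    login_jar.set_cookie(make_session_cookie("idp_session", "xyz", "idp.example.edu"))
    login_jar.set_cookie(make_session_cookie("_ga", "tracker", "cdn.example.net", False))
    url_opener = build_opener(HTTPCookieProcessor(CookieJar()))  # stand-in for self.url_opener
    copied = inject_cookies(login_jar, url_opener, {"sp.example.edu", "idp.example.edu"})
    return copied, is_logged(url_opener, "JSESSIONID", "sp.example.edu")
```

The URL, username and password the login needs would come from get_options / set_options rather than from the opener, as the reply notes.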