Re: [W3af-users] Authenticated spider issues and questions
From: Andres R. <and...@gm...> - 2018-04-25 12:59:52
Kukulkan,

Answers inline,

On Wed, Apr 25, 2018 at 4:33 AM, Volker Schmid <vol...@re...> wrote:
> Hi,
>
> I'm new to w3af and start to get deeper into authentication. I use only two
> PlugIns: crawl->web_spider and auth->detailed. The current site is using a
> form in phpLogin.php. This is doing a JS redirect so I use
> phpAccontSummary.php to verify if user was logged in successfully (searching
> there for "Log out").
>
> This is the config for auth-detailed:
> [auth.detailed]
> username = pen...@my...
> password = EGjv4gmj
> username_field = txtUsername
> password_field = txtPassword
> auth_url = https://vsprovider2.de.mysystem.com/phpLogin.php?action=login
> check_url = https://vsprovider2.de.mysystem.com/phpAccountSummary.php
> check_string = Log out
> data_format = %u=%U&%p=%P
> follow_redirects = False
> method = POST
> url_encode_params = True
>
>
> Due to the website logs, login for user "Pentest Pentest" (ID 3) was
> successful several times:
>
> 2018-04-25 09:12:25 USER_LOGIN_SUCCESS Pentest Pentest (3)
> 2018-04-25 09:12:20 USER_LOGIN_SUCCESS Pentest Pentest (3)
> 2018-04-25 09:12:15 USER_LOGIN_SUCCESS Pentest Pentest (3)
>
>
> In the GUI log I get this:
>
> [Mi 25 Apr 2018 09:12:25 CEST] Can't login into web application as
> pen...@my.../EGjv4gmj .
>
> In the console output (using GUI) of w3af I can find such entries:
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pen...@my..." is NOT logged into the application
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pen...@my...&txtPassword=EGjv4gmj" returned HTTP
> code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
> User "pen...@my..." is currently logged into the application
> Login success for pen...@my.../EGjv4gmj
> detailed._login() took 0.11s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pen...@my..." is NOT logged into the application

Maybe the web_spider is following the logout link, which is invalidating the session? You should ignore logout URLs when doing auth scans.

> (...a few other spider entries...)
>
> ET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
> User "pen...@my..." is currently logged into the application
> Login success for pen...@my.../EGjv4gmj
> detailed._login() took 0.18s to run
>
> (...many other spider entries...)
>
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=111,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pen...@my..." is NOT logged into the application
> web_spider.discover(https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php)
> web_spider is testing
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
> [web_spider] Crawling
> "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
> GET https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php returned
> HTTP code "302" (id=112,from_cache=0,grep=1,rtt=0.01,did=None)
> web_spider.discover(uri="https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php")
> took 0.02s to run
> POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with
> data: "txtUsername=pen...@my...&txtPassword=EGjv4gmj" returned HTTP
> code "200" (id=113,from_cache=0,grep=1,rtt=0.07,did=None)
> GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP
> code "200" (id=114,from_cache=0,grep=0,rtt=0.01,did=None)
> User "pen...@my..." is NOT logged into the application
> Can't login into web application as pen...@my.../EGjv4gmj
>
> So these are very mixed results (sometimes success sometimes not) and I do
> not know why it sometimes reports successful login and sometimes it does
> not?
>
> Due to the request navigator and the results to phpLogin.php there, login
> was always successful if w3af sent the correct login data by POST. I can see
> that phpAccontSummary.php delivered positive results sometimes.
>
> Also, even if it was successful, it seems it does not spider the links found
> in phpAccontSummary.php. All the new links inside there are not listed in
> the URLs found.

Yeah, that could be because of the javascript redirect. Maybe try to set phpAccontSummary.php in the w3af target configuration?

> I can see that w3af does not send the session cookie received during the
> first phpLogin.php all the time. It seems to forget sometimes. If not set,
> the webpage creates a new sessionid and returns it. So the logged in session
> is somehow lost. Why is it not always sending the session cookie? In
> Configuration->HTTP Config->Cookies, the ignore option is NOT set and the
> cookie_jar_file is empty. Anything to do here?

No, let's try with the things I recommended above, if that doesn't work we'll try giving w3af a cookie via config/http/cookies

> I'm a little bit lost now because the things I see seem not logical to me at
> all :(
>
> Best
>
> Kukulkan

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
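
One way to test the logout-link hypothesis from the reply is to list every request the scanner sent between a passing session check and the next failing one. This is an added example, not part of the original email or of w3af: the log is constructed in the format quoted above, and the host, account and `phpLogout.php` are made-up placeholders.

```python
import re

CHECK_URL = "https://target.example/phpAccountSummary.php"

# Constructed log in the format of the w3af console output quoted above;
# the host, account and phpLogout.php are placeholders, not from the thread.
SAMPLE_LOG = """\
GET https://target.example/phpAccountSummary.php returned HTTP code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
User "pentest@target.example" is NOT logged into the application
POST https://target.example/phpLogin.php?action=login with data: "txtUsername=u&txtPassword=p" returned HTTP code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
GET https://target.example/phpAccountSummary.php returned HTTP code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
User "pentest@target.example" is currently logged into the application
GET https://target.example/phpSettings.php returned HTTP code "200" (id=70,from_cache=0,grep=1,rtt=0.02,did=None)
GET https://target.example/phpLogout.php returned HTTP code "302" (id=72,from_cache=0,grep=1,rtt=0.01,did=None)
GET https://target.example/phpAccountSummary.php returned HTTP code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
User "pentest@target.example" is NOT logged into the application
"""

REQUEST = re.compile(r'^(GET|POST) (\S+) .*?returned HTTP code "(\d+)" \(id=(\d+),')
STATE = re.compile(r'^User ".*?" is (currently|NOT) logged into the application')
LOGOUT_HINT = re.compile(r"log.?out|log.?off|sign.?out", re.I)

def session_loss_windows(log_text, check_url):
    """Requests sent between a passing session check and the next failing one."""
    windows, pending, logged_in = [], [], None
    for line in log_text.splitlines():
        req = REQUEST.match(line)
        if req:
            method, url, code, rid = req.groups()
            if url != check_url:  # the check request itself is not a suspect
                pending.append((int(rid), method, url, int(code)))
            continue
        state = STATE.match(line)
        if state:
            now = state.group(1) == "currently"
            if logged_in and not now:  # session was valid, then lost
                windows.append(pending)
            pending, logged_in = [], now
    return windows

def logout_candidates(windows):
    """URLs inside loss windows whose address looks like a logout action."""
    return sorted({url for w in windows for _, _, url, _ in w if LOGOUT_HINT.search(url)})

def ignore_regex_for(urls):
    """Regex covering exactly these URLs, for web_spider's ignore_regex option."""
    return "|".join(re.escape(u) for u in urls)

if __name__ == "__main__":
    found = session_loss_windows(SAMPLE_LOG, CHECK_URL)
    for rid, method, url, code in found[0]:
        print(rid, method, url, code)
    print("ignore_regex =", ignore_regex_for(logout_candidates(found)))
```

If a loss window contains no logout-like URL, the remaining requests in that window are still the ones to inspect, since any of them may reset the session server-side.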