Re: [W3af-users] REST API authenticated scan help
From: Andres R. <and...@gm...> - 2018-09-14 16:18:24
Snehil,

Answers and comments inline,

On Fri, Sep 14, 2018 at 10:03 AM <sne...@ei...> wrote:
>
> Hello,
>
> Recently, I started exploring the REST API of w3af and stumbled upon a few
> things which I couldn't understand and thought of seeking your advice.
>
> From the documentation it's understood that in order to initiate a scan
> the following is the format:
>
> {
>     "target_urls": ["http://127.0.0.1:8000/audit/sql_injection/"],
>     "scan_profile": "[grep.strange_headers]\n\n[crawl.web_spider]\nonly_forward = False\nfollow_regex = .*\nignore_regex = \n\n"
> }
>
> w3af features different profiles which are located under
> https://github.com/andresriancho/w3af/tree/master/profiles
>
> Let's say, if I want to use the OWASP TOP 10 profile for an authenticated
> scan using the REST API /scan endpoint, what should be the format in the
> profile for form based authentication? I have checked the useful auth
> plugin but don't understand how to use this plugin inside a profile.

Something you could do is to run the w3af_gui, create your configuration
there, and then save the profile to a file. After saving you can use it
with the w3af REST API.

> for example: In the OWASP TOP 10 profile, I can see under http settings
> options are there for basic authentication
>
> [http-settings]
> proxy_port = 8080
> url_parameter =
> never_404 =
> headers_file =
> proxy_address =
> basic_auth_domain =
> always_404 =
> max_http_retries = 2
> ntlm_auth_user =
> ntlm_auth_passwd =
> ignore_session_cookies = False
> timeout = 0
> user_agent = w3af.org
> basic_auth_user =
> basic_auth_passwd =
>
> My question is, how do I use form based credentials/options in this
> profile?
>
> I would be really grateful if someone can answer this question for
> me with the help of an example or the required format to perform this type
> of authenticated scan via the REST API endpoint.
>
> Please provide an example format so that I can understand it clearly.
>
> Regards
> Snehil Khare

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
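To make the advice in the reply concrete, here is an added example (not code from this thread or from the w3af project) that takes a profile saved from the GUI, appends a form-login plugin section and builds the JSON body the REST API expects. The sample profile is constructed, and the `auth.generic` option names and the `/scans/` path are assumptions to verify against your w3af version.

```python
import configparser, io, json, urllib.request

# Constructed sample: a profile saved from the w3af GUI, in the ini layout w3af
# uses (one [plugin_type.plugin_name] section per enabled plugin + [http-settings]).
SAVED_PROFILE = """\
[http-settings]
timeout = 0
user_agent = w3af.org
basic_auth_user =

[grep.strange_headers]

[crawl.web_spider]
only_forward = False
follow_regex = .*
ignore_regex =
"""

# Assumed option names for the form-login plugin (auth.generic); check them
# against the plugin's option list in your w3af version before relying on them.
FORM_AUTH = {
    "username": "scanuser", "password": "PLACEHOLDER_PASSWORD",
    "username_field": "user", "password_field": "pass",
    "auth_url": "http://127.0.0.1:8000/login",
    "check_url": "http://127.0.0.1:8000/account", "check_string": "Logout",
}

def load_profile(text):
    # interpolation off so regex values such as ".*" are kept verbatim
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cfg.read_string(text)
    return cfg

def enable_plugin(cfg, section, options):
    # a section enables the plugin; its keys become the plugin's options
    if not cfg.has_section(section):
        cfg.add_section(section)
    for key, value in options.items():
        cfg.set(section, key, str(value))

def build_scan_request(profile_text, target_urls, auth_options=None):
    # returns the JSON body for the scan endpoint (path /scans/ assumed)
    cfg = load_profile(profile_text)
    if auth_options:
        enable_plugin(cfg, "auth.generic", auth_options)
    buf = io.StringIO()
    cfg.write(buf)  # serialises back to the one-string "scan_profile" value
    return {"target_urls": list(target_urls), "scan_profile": buf.getvalue()}

def start_scan(api_base, body):
    req = urllib.request.Request(api_base.rstrip("/") + "/scans/", method="POST",
        data=json.dumps(body).encode(), headers={"Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req))
```

Keep the real password out of the saved profile file and inject it at request time, since the profile is sent in clear as part of the JSON body.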