w3af-develop Mailing List for w3af
Status: Beta
Brought to you by:
andresriancho
From: k b. <amb...@gm...> - 2021-08-05 09:56:49

Hello Team,

I am facing multiple issues with w3af installation and usage. I will list the issues. Please help me through this.

1) I used the binary release from the SourceForge page to install w3af on Windows. Is there documentation on installation for Windows?

2) I see that the Docker image in the hub was updated 6 years back. Can you push the latest image?

3) Using the existing Docker image, I am not able to see crawl.open_api to use w3af to scan APIs.

4) When I follow the existing installation for Linux (using AWS), I get the below error:

    ERROR: Command errored out with exit status 1:
     command: /usr/bin/python2 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-nSr2ry/lz4/setup.py'"'"'; __file__='"'"'/tmp/pip-install-nSr2ry/lz4/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-YLOY_u
     cwd: /tmp/pip-install-nSr2ry/lz4/
     Complete output (106 lines):
     /tmp/easy_install-38pu2k/pytest-runner-5.3.1/temp/easy_install-4V3n1Y/setuptools_scm-6.0.1/src
     <pkg_resources.WorkingSet object at 0x7f95a3f41e10>
     Traceback (most recent call last):
       File "<string>", line 1, in <module>
       File "/tmp/pip-install-nSr2ry/lz4/setup.py", line 169, in <module>
         'Programming Language :: Python :: 3.6',
       File "/usr/lib/python2.7/site-packages/setuptools/__init__.py", line 144, in setup
         _install_setup_requires(attrs)
       File "/usr/lib/python2.7/site-packages/setuptools/__init__.py", line 139, in _install_setup_requires
         dist.fetch_build_eggs(dist.setup_requires)
       File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 719, in fetch_build_eggs
         replace_conflicting=True,
       File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 782, in resolve
         replace_conflicting=replace_conflicting
       File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1065, in best_match
         return self.obtain(req, installer)
       File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1077, in obtain
         return installer(requirement)
       File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 786, in fetch_build_egg
         return cmd.easy_install(req)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 678, in easy_install
         return self.install_item(spec, dist.location, tmpdir, deps)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 704, in install_item
         dists = self.install_eggs(spec, download, tmpdir)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 889, in install_eggs
         return self.build_and_install(setup_script, setup_base)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1157, in build_and_install
         self.run_setup(setup_script, setup_base, args)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1143, in run_setup
         run_setup(setup_script, args)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 253, in run_setup
         raise
       File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
         self.gen.throw(type, value, traceback)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 195, in setup_context
         yield
       File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
         self.gen.throw(type, value, traceback)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 166, in save_modules
         saved_exc.resume()
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 141, in resume
         six.reraise(type, exc, self._tb)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 154, in save_modules
         yield saved
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 195, in setup_context
         yield
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 250, in run_setup
         _execfile(setup_script, ns)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 45, in _execfile
         exec(code, globals, locals)
       File "/tmp/easy_install-38pu2k/pytest-runner-5.3.1/setup.py", line 21, in <module>
         pass
       File "/usr/lib/python2.7/site-packages/setuptools/__init__.py", line 144, in setup
         _install_setup_requires(attrs)
       File "/usr/lib/python2.7/site-packages/setuptools/__init__.py", line 139, in _install_setup_requires
         dist.fetch_build_eggs(dist.setup_requires)
       File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 719, in fetch_build_eggs
         replace_conflicting=True,
       File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 782, in resolve
         replace_conflicting=replace_conflicting
       File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1065, in best_match
         return self.obtain(req, installer)
       File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1077, in obtain
         return installer(requirement)
       File "/usr/lib/python2.7/site-packages/setuptools/dist.py", line 786, in fetch_build_egg
         return cmd.easy_install(req)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 678, in easy_install
         return self.install_item(spec, dist.location, tmpdir, deps)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 704, in install_item
         dists = self.install_eggs(spec, download, tmpdir)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 889, in install_eggs
         return self.build_and_install(setup_script, setup_base)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1157, in build_and_install
         self.run_setup(setup_script, setup_base, args)
       File "/usr/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1143, in run_setup
         run_setup(setup_script, args)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 253, in run_setup
         raise
       File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
         self.gen.throw(type, value, traceback)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 195, in setup_context
         yield
       File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
         self.gen.throw(type, value, traceback)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 166, in save_modules
         saved_exc.resume()
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 141, in resume
         six.reraise(type, exc, self._tb)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 154, in save_modules
         yield saved
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 195, in setup_context
         yield
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 250, in run_setup
         _execfile(setup_script, ns)
       File "/usr/lib/python2.7/site-packages/setuptools/sandbox.py", line 45, in _execfile
         exec(code, globals, locals)
       File "/tmp/easy_install-38pu2k/pytest-runner-5.3.1/temp/easy_install-4V3n1Y/setuptools_scm-6.0.1/setup.py", line 52, in <module>
       File "/tmp/easy_install-38pu2k/pytest-runner-5.3.1/temp/easy_install-4V3n1Y/setuptools_scm-6.0.1/setup.py", line 29, in scm_config
       File "/tmp/easy_install-38pu2k/pytest-runner-5.3.1/temp/easy_install-4V3n1Y/setuptools_scm-6.0.1/src/setuptools_scm/__init__.py", line 8, in <module>
       File "/tmp/easy_install-38pu2k/pytest-runner-5.3.1/temp/easy_install-4V3n1Y/setuptools_scm-6.0.1/src/setuptools_scm/config.py", line 6, in <module>
       File "/tmp/easy_install-38pu2k/pytest-runner-5.3.1/temp/easy_install-4V3n1Y/setuptools_scm-6.0.1/src/setuptools_scm/utils.py", line 41
         print(*k)
               ^
     SyntaxError: invalid syntax
     ----------------------------------------
    ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

Can someone help me with this please?

5) While trying the REST APIs, when I use the below command

    curl -i --globoff -k --no-ssl -H "Content-Type: application/json" -H "User-Agent: python-requests/2.6.1 CPython/2.7.6 Linux/3.13.0-49-generic" -X POST -d {"target_urls": "http://juiceshoptest123456.herokuapp.com/","scan_profile": "[crawl.web_spider]"} -u admin:secret https://127.0.0.1:5000/scans

I get the below error:

    HTTP/1.1 500 Internal Server Error
    Server: Cowboy
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Feature-Policy: payment 'self'
    Content-Type: text/html; charset=utf-8
    Vary: Accept-Encoding
    Date: Thu, 05 Aug 2021 09:46:17 GMT
    Transfer-Encoding: chunked
    Via: 1.1 vegur

    <html>
    <head>
    <meta charset='utf-8'>
    <title>SyntaxError: Unexpected token t in JSON at position 1</title>
    </head>
    <body>
    <div id="wrapper">
    <h1>OWASP Juice Shop (Express ^4.17.1)</h1>
    <h2><em>500</em> SyntaxError: Unexpected token t in JSON at position 1</h2>
    <ul id="stacktrace">
    <li> at JSON.parse (<anonymous>)</li>
    <li> at jsonParser (/app/build/server.js:236:33)</li>
    <li> at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)</li>
    <li> at trim_prefix (/app/node_modules/express/lib/router/index.js:317:13)</li>
    <li> at /app/node_modules/express/lib/router/index.js:284:7</li>
    <li> at Function.process_params (/app/node_modules/express/lib/router/index.js:335:12)</li>
    <li> at next (/app/node_modules/express/lib/router/index.js:275:10)</li>
    <li> at /app/node_modules/body-parser/lib/read.js:130:5</li>
    <li> at invokeCallback (/app/node_modules/raw-body/index.js:224:16)</li>
    <li> at done (/app/node_modules/raw-body/index.js:213:7)</li>
    <li> at IncomingMessage.onEnd (/app/node_modules/raw-body/index.js:273:7)</li>
    <li> at IncomingMessage.emit (node:events:381:22)</li>
    <li> at endReadableNT (node:internal/streams/readable:1307:12)</li>
    <li> at processTicksAndRejections (node:internal/process/task_queues:81:21)</li>
    </ul>
    </div>
    </body>
    </html>
    curl: (6) Could not resolve host: [crawl.web_spider]}
    curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Please help.

Thanks in advance
--
k.bhuvaneshwari
From: Andres R. <and...@gm...> - 2019-04-05 12:48:36

List,

It's been a long time, and the list is very inactive, but if you've been paying attention to the GitHub commit logs [0] you'll notice that the project is very much alive and improving every day!

At this point I'm looking for beta-testers for the initial implementation of our JavaScript crawler. The crawler is based on headless Chrome and can (at least for now) load a URL, click on all page elements, and capture HTTP requests generated by Chrome using an HTTP proxy.

If you have a few minutes to spare please download the latest from the `feature/js` branch:

    git clone https://github.com/andresriancho/w3af.git
    cd w3af
    git checkout feature/js
    virtualenv venv
    . venv/bin/activate
    ./w3af_console

That will prompt you to install all dependencies, please do so and then follow the instructions in the chrome/README.md [1]. Make sure to change the target in the scan script!

The goal is to find issues with this new and beta feature. You'll most likely get crashes, exceptions, scans that take a lot of time, etc. Please report all those to w3af's issue tracker [2] to get them fixed.

Thanks!

[0] https://github.com/andresriancho/w3af/commits/develop
[1] https://github.com/andresriancho/w3af/tree/feature/js/w3af/core/controllers/chrome
[2] https://github.com/andresriancho/w3af/issues/new

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2016-08-17 12:57:01

That might be a bug, please report the steps to reproduce it and details following: http://docs.w3af.org/en/latest/report-a-bug.html

On Wed, Aug 17, 2016 at 9:42 AM, Abhay Bhargav <abh...@gm...> wrote:
> In the UI when I use the burp input it asks me to enter the csv input as
> well. I don't have a csv file, how do I get past that?
>
> On Wednesday, 17 August 2016, Andres Riancho <and...@gm...> wrote:
>>
>> import_results is often used with [0], there you can find a
>> clarification on how data is expected.
>>
>> You can enter b64 and/or burp files as input
>>
>> [0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/output/export_requests.py#L98-L113
>>
>> On Wed, Aug 17, 2016 at 8:07 AM, Abhay Bhargav <abh...@gm...> wrote:
>> > I am a little confused with the import_results plugin. When I see the
>> > source code, it seems to extract from a Base64 or Burp file, but in the
>> > UI, it appears to take in a csv and/or a Burp File. So which one is to be
>> > given? Also, what is the format of the csv or Base64?
>> >
>> > Also - Does it need both types of files (CSV/Base64 and Burp) or only
>> > one type of file?
>> >
>> > _______________________________________________
>> > W3af-develop mailing list
>> > W3a...@li...
>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
From: Abhay B. <abh...@gm...> - 2016-08-17 12:42:45

In the UI when I use the burp input it asks me to enter the csv input as well. I don't have a csv file, how do I get past that?

On Wednesday, 17 August 2016, Andres Riancho <and...@gm...> wrote:
> import_results is often used with [0], there you can find a
> clarification on how data is expected.
>
> You can enter b64 and/or burp files as input
>
> [0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/output/export_requests.py#L98-L113
>
> On Wed, Aug 17, 2016 at 8:07 AM, Abhay Bhargav <abh...@gm...> wrote:
> > I am a little confused with the import_results plugin. When I see the
> > source code, it seems to extract from a Base64 or Burp file, but in the
> > UI, it appears to take in a csv and/or a Burp File. So which one is to be
> > given? Also, what is the format of the csv or Base64?
> >
> > Also - Does it need both types of files (CSV/Base64 and Burp) or only
> > one type of file?

--
Linkedin - http://www.linkedin.com/in/abhaybhargav
URL: http://www.abhaybhargav.com
Twitter: @abhaybhargav
From: Andres R. <and...@gm...> - 2016-08-17 12:39:49

import_results is often used with [0], there you can find a clarification on how data is expected.

You can enter b64 and/or burp files as input

[0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/output/export_requests.py#L98-L113

On Wed, Aug 17, 2016 at 8:07 AM, Abhay Bhargav <abh...@gm...> wrote:
> I am a little confused with the import_results plugin. When I see the
> source code, it seems to extract from a Base64 or Burp file, but in the
> UI, it appears to take in a csv and/or a Burp File. So which one is to be
> given? Also, what is the format of the csv or Base64?
>
> Also - Does it need both types of files (CSV/Base64 and Burp) or only
> one type of file?
From: Abhay B. <abh...@gm...> - 2016-08-17 11:07:28

I am a little confused with the import_results plugin. When I see the source code, it seems to extract from a Base64 or Burp file, but in the UI, it appears to take in a csv and/or a Burp File. So which one is to be given? Also, what is the format of the csv or Base64?

Also - Does it need both types of files (CSV/Base64 and Burp) or only one type of file?
From: Andres R. <and...@gm...> - 2016-05-27 17:34:09

I don't see the difference, just put one HTTP request in the file, scan, repeat.

On Fri, May 27, 2016 at 2:13 PM, Abhay Bhargav <abh...@gm...> wrote:
> Hi Andres:
>
> Thanks for your response. I will look into this.
>
> However, my requirement is a little different. The requests and responses
> are queued. I want to send one HTTP request at a time and have that scanned,
> as it enters the queue. Your solution seems to be to scan a bunch of
> requests loaded in a file. Correct me if I am wrong please.
>
> On Fri, May 27, 2016 at 9:02 PM, Andres Riancho <and...@gm...> wrote:
>>
>> Yup, completely possible. Most likely following these steps:
>>
>> * Start the API
>> * Write a file containing the HTTP request (base64 encoded)
>> * Write a file containing a scan profile. The scan profile should use
>>   the import_results plugin [0] and point to the previously created file
>>   with the HTTP request
>> * Start the scan with the provided scan profile
>>
>> [0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/import_results.py#L172-L182
>>
>> On Wed, May 25, 2016 at 8:45 AM, Abhay Bhargav <abh...@gm...> wrote:
>> > Hi Group:
>> >
>> > I was wondering if we could do single URL scans with w3af api. What I
>> > mean is this: I have a DB of HTTP requests of an application that need
>> > to be scanned. These are part of the same application. I would like to
>> > scan them one at a time in a queue with w3af's API. Is that possible?
>> > Or does it only have to be a typical w3af scan?
From: Abhay B. <abh...@gm...> - 2016-05-27 17:13:45

Hi Andres:

Thanks for your response. I will look into this.

However, my requirement is a little different. The requests and responses are queued. I want to send one HTTP request at a time and have that scanned, as it enters the queue. Your solution seems to be to scan a bunch of requests loaded in a file. Correct me if I am wrong please.

On Fri, May 27, 2016 at 9:02 PM, Andres Riancho <and...@gm...> wrote:
> Yup, completely possible. Most likely following these steps:
>
> * Start the API
> * Write a file containing the HTTP request (base64 encoded)
> * Write a file containing a scan profile. The scan profile should use
>   the import_results plugin [0] and point to the previously created file
>   with the HTTP request
> * Start the scan with the provided scan profile
>
> [0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/import_results.py#L172-L182
>
> On Wed, May 25, 2016 at 8:45 AM, Abhay Bhargav <abh...@gm...> wrote:
> > Hi Group:
> >
> > I was wondering if we could do single URL scans with w3af api. What I
> > mean is this: I have a DB of HTTP requests of an application that need
> > to be scanned. These are part of the same application. I would like to
> > scan them one at a time in a queue with w3af's API. Is that possible?
> > Or does it only have to be a typical w3af scan?
From: Andres R. <and...@gm...> - 2016-05-27 15:32:43

Yup, completely possible. Most likely following these steps:

* Start the API
* Write a file containing the HTTP request (base64 encoded)
* Write a file containing a scan profile. The scan profile should use
  the import_results plugin [0] and point to the previously created file
  with the HTTP request
* Start the scan with the provided scan profile

[0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/import_results.py#L172-L182

On Wed, May 25, 2016 at 8:45 AM, Abhay Bhargav <abh...@gm...> wrote:
> Hi Group:
>
> I was wondering if we could do single URL scans with w3af api. What I
> mean is this: I have a DB of HTTP requests of an application that need
> to be scanned. These are part of the same application. I would like to
> scan them one at a time in a queue with w3af's API. Is that possible?
> Or does it only have to be a typical w3af scan?
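The four steps in this message, and the POST to the REST API that the 2021 report at the top of the page attempts, carried through in Python 3 as an added example (not w3af's own code): it writes the base64 request file, builds a profile that points import_results at it, and sends the scan request with a programmatically serialised JSON body, which sidesteps the shell word-splitting that the unquoted `curl -d` body in that report ran into. Assumptions, marked again in the code: the API address, basic-auth credentials and `/scans/` body fields, the `input_base64` option name, the absolute-URL request line (the form w3af's own request dumps use), and a constructed sample request.

```python
"""Queue one captured HTTP request for a w3af scan through the REST API.

Added example, not w3af's own code. Assumptions: the REST API listens on
http://127.0.0.1:5000 behind HTTP basic auth; POST /scans/ takes a JSON body
with "scan_profile" (the text of a .pw3af profile) and "target_urls"; the
crawl.import_results plugin reads one base64-encoded raw HTTP request per
line from the file named by its input_base64 option; and the request line
carries the absolute URL, as w3af's own request dumps do.
"""
import base64
import json
import os
import tempfile
import urllib.parse
import urllib.request

# Constructed sample request (not captured from any real system).
SAMPLE_REQUEST = (
    "POST http://juice-shop.example/rest/user/login HTTP/1.1\r\n"
    "Host: juice-shop.example\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 43\r\n"
    "\r\n"
    '{"email": "a@example.com", "password": "x"}'
)


def encode_requests(raw_requests):
    """File body for import_results: one base64 line per raw HTTP request."""
    lines = [base64.b64encode(r.encode("utf-8")).decode("ascii") for r in raw_requests]
    return "\n".join(lines) + "\n"


def decode_requests(file_body):
    """Inverse of encode_requests; lets you check a file before w3af reads it."""
    return [base64.b64decode(line).decode("utf-8")
            for line in file_body.splitlines() if line.strip()]


def target_url(raw_request):
    """Scan target (the request's origin) taken from the absolute-URL request line."""
    request_line = raw_request.split("\r\n", 1)[0]
    parts = urllib.parse.urlsplit(request_line.split(" ")[1])
    if not parts.scheme or not parts.netloc:
        raise ValueError("request line must carry an absolute URL: %r" % request_line)
    return "%s://%s/" % (parts.scheme, parts.netloc)


def build_profile(base64_path):
    """Minimal .pw3af profile: crawl only what the file holds, then audit it."""
    # input_base64 is the assumed option name; check plugins/crawl/import_results.py.
    return "\n".join([
        "[profile]",
        "description = Scan the request(s) listed in %s" % base64_path,
        "name = single_request",
        "",
        "[crawl.import_results]",
        "input_base64 = %s" % base64_path,
        "",
        "[audit.sqli]",
        "[audit.xss]",
        "",
        "[output.console]",
        "verbose = False",
        "",
    ])


def build_scan_request(profile_text, targets):
    """Body for POST /scans/: the profile text travels inline, not as a file path."""
    return {"scan_profile": profile_text, "target_urls": list(targets)}


def prepare_scan(raw_request, workdir=None):
    """Write the base64 file for one request and return the scan body to send."""
    workdir = workdir or tempfile.mkdtemp(prefix="w3af-queue-")
    b64_path = os.path.join(workdir, "request.b64")
    with open(b64_path, "w") as fh:
        fh.write(encode_requests([raw_request]))
    return build_scan_request(build_profile(b64_path), [target_url(raw_request)])


def submit_scan(body, api="http://127.0.0.1:5000", user="admin", password="secret"):
    """POST the scan and return the decoded JSON reply (holds the scan id on success)."""
    # json.dumps keeps every quote in the body; an unquoted shell argument would not.
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode("ascii")
    req = urllib.request.Request(
        api + "/scans/", data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    scan_body = prepare_scan(SAMPLE_REQUEST)
    print(scan_body["scan_profile"])
    print(submit_scan(scan_body))  # needs a running w3af_api; repeat per queued request
```

Run it once per queued request: each call writes a fresh file and profile, which is the "put one request in the file, scan, repeat" loop suggested further up the thread.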
From: Abhay B. <abh...@gm...> - 2016-05-25 11:45:51

Hi Group:

I was wondering if we could do single URL scans with w3af api. What I mean is this: I have a DB of HTTP requests of an application that need to be scanned. These are part of the same application. I would like to scan them one at a time in a queue with w3af's API. Is that possible? Or does it only have to be a typical w3af scan?
From: M. A. <ali...@ya...> - 2016-01-21 15:32:10

Hi guys,

I am working on w3af to add a new feature to it. I installed PyCharm on Ubuntu. I can create a project and execute Python code. But what I don't know is how I can import the w3af project in PyCharm and debug code.

Second question: What is your feedback if I start development of w3af on a Windows system along with the Eclipse IDE? In fact, I am more comfortable with Eclipse on Windows, developing PHP webshells.

Third question: I would request that someone give me a demo of the development environment of w3af: how to import the w3af project in the IDE and debug. I would be very much thankful to you. My Skype id is: sahi_sahi_

Thanks
From: Andres R. <and...@gm...> - 2015-12-15 17:26:13

Yes, just configure the credentials in the profile and use that profile for the scan

On Tue, Dec 15, 2015 at 2:21 PM, Abhay Bhargav <abh...@gm...> wrote:
> Is it possible to do an authenticated scan with w3af's API? Can anyone
> point me to some resources for this?
>
> Regards
> Abhay
From: Abhay B. <abh...@gm...> - 2015-12-15 17:21:50

Is it possible to do an authenticated scan with w3af's API? Can anyone point me to some resources for this?

Regards
Abhay
From: Andres R. <and...@gm...> - 2015-12-08 13:28:58

I would say: "It's impossible to do in less than 5 days of work of an experienced w3af developer".

On Tue, Dec 8, 2015 at 10:26 AM, Manish Dangol <dan...@gm...> wrote:
> Yes, I know. I am seeking help from the members on how to grab just two
> scripts from OWASP Top 10; they are
> 1. broken authentication and
> 2. path traversal
>
> On 8 December 2015 at 19:06, Andres Riancho <and...@gm...> wrote:
>>
>> w3af plugins are here [0], but I believe you won't be able to run them
>> without the rest of w3af. The plugins depend on the features provided
>> by the core [1] and any attempt to run the plugins without it will
>> fail.
>>
>> Of course it is possible for you to copy the plugins and modify them
>> to remove all core dependencies, but that will take you a lot of time.
>>
>> [0] https://github.com/andresriancho/w3af/tree/master/w3af/plugins
>> [1] https://github.com/andresriancho/w3af/tree/master/w3af/core
>>
>> On Tue, Dec 8, 2015 at 10:04 AM, Manish Dangol <dan...@gm...> wrote:
>> > I just want to extract them from w3af and use them in my project for
>> > education purposes.
From: Manish D. <dan...@gm...> - 2015-12-08 13:26:06

Yes, I know. I am seeking help from the members on how to grab just two scripts from OWASP Top 10; they are
1. broken authentication and
2. path traversal

On 8 December 2015 at 19:06, Andres Riancho <and...@gm...> wrote:
> w3af plugins are here [0], but I believe you won't be able to run them
> without the rest of w3af. The plugins depend on the features provided
> by the core [1] and any attempt to run the plugins without it will
> fail.
>
> Of course it is possible for you to copy the plugins and modify them
> to remove all core dependencies, but that will take you a lot of time.
>
> [0] https://github.com/andresriancho/w3af/tree/master/w3af/plugins
> [1] https://github.com/andresriancho/w3af/tree/master/w3af/core
>
> On Tue, Dec 8, 2015 at 10:04 AM, Manish Dangol <dan...@gm...> wrote:
> > I just want to extract them from w3af and use them in my project for
> > education purposes.

--
Yours Sincerely
Manish Dangol
From: Andres R. <and...@gm...> - 2015-12-08 13:21:43

w3af plugins are here [0], but I believe you won't be able to run them without the rest of w3af. The plugins depend on the features provided by the core [1] and any attempt to run the plugins without it will fail.

Of course it is possible for you to copy the plugins and modify them to remove all core dependencies, but that will take you a lot of time.

[0] https://github.com/andresriancho/w3af/tree/master/w3af/plugins
[1] https://github.com/andresriancho/w3af/tree/master/w3af/core

On Tue, Dec 8, 2015 at 10:04 AM, Manish Dangol <dan...@gm...> wrote:
> I just want to extract them from w3af and use them in my project for
> education purposes.
From: Manish D. <dan...@gm...> - 2015-12-08 13:04:11

I just want to extract them from w3af and use them in my project for education purposes.
From: Andres R. <and...@gm...> - 2015-12-08 12:59:41

You want to run them, or extract them from w3af and use them in your project?

On Tue, Dec 8, 2015 at 9:57 AM, Manish Dangol <dan...@gm...> wrote:
> I just want two scripts from OWASP Top 10, i.e. broken authentication and
> path traversal. How can I ignore the other scripts and just get those
> scripts from the whole w3af file?
>
> On 8 December 2015 at 18:40, Andres Riancho <and...@gm...> wrote:
>>
>> Manish,
>>
>> Your question is too generic. Please explain in more detail so we can
>> help.
>> http://www.catb.org/esr/faqs/smart-questions.html
>>
>> On Tue, Dec 8, 2015 at 9:49 AM, Manish Dangol <dan...@gm...> wrote:
>> >
>> > hello team,
>> > I am one of the network and IT security students doing my final year. I
>> > want to ask about w3af scripts, as w3af is itself a security auditing
>> > tool. I am developing a scanner for my FYP (final year project). I pulled
>> > some modules from git for my project but was unable to use them, so will
>> > you please tell me how I can use some modules.
>> > I want two modules; they are broken authentication & path traversal.
>> > Hope you all will help me with this.
>> >
>> > --
>> > Yours Sincerely
>> > Manish Dangol
From: Manish D. <dan...@gm...> - 2015-12-08 12:57:36
I just want two scripts from the OWASP top 10, i.e. broken authentication and path traversal. How can I ignore the other scripts and just get those scripts from the whole w3af file?

On 8 December 2015 at 18:40, Andres Riancho <and...@gm...> wrote:
> Manish,
>
> Your question is too generic. Please explain in more detail so we can
> help.
> http://www.catb.org/esr/faqs/smart-questions.html
>
> On Tue, Dec 8, 2015 at 9:49 AM, Manish Dangol <dan...@gm...> wrote:
> >
> > hello team,
> > I am a network and IT security student doing my final year. I want
> > to ask about w3af scripts: as w3af is itself a security auditing tool
> > and I am developing a scanner for my FYP (final year project), I pulled
> > some modules from git for my project but am unable to use them, so will
> > you please tell me how I can use some modules.
> > I want two modules: broken authentication & path traversal.
> > Hope you all will help me with this.
> >
> > --
> > Yours Sincerely
> > Manish Dangol
> >
> > _______________________________________________
> > W3af-develop mailing list
> > W3a...@li...
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Yours Sincerely
Manish Dangol
From: Andres R. <and...@gm...> - 2015-12-08 12:55:44
Manish,

Your question is too generic. Please explain in more detail so we can help.
http://www.catb.org/esr/faqs/smart-questions.html

On Tue, Dec 8, 2015 at 9:49 AM, Manish Dangol <dan...@gm...> wrote:
>
> hello team,
> I am a network and IT security student doing my final year. I want
> to ask about w3af scripts: as w3af is itself a security auditing tool
> and I am developing a scanner for my FYP (final year project), I pulled
> some modules from git for my project but am unable to use them, so will
> you please tell me how I can use some modules.
> I want two modules: broken authentication & path traversal.
> Hope you all will help me with this.
>
> --
> Yours Sincerely
> Manish Dangol
>
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Manish D. <dan...@gm...> - 2015-12-08 12:50:00
hello team,
I am a network and IT security student doing my final year. I want to ask about w3af scripts: as w3af is itself a security auditing tool and I am developing a scanner for my FYP (final year project), I pulled some modules from git for my project but am unable to use them, so will you please tell me how I can use some modules.
I want two modules: broken authentication & path traversal.
Hope you all will help me with this.

--
Yours Sincerely
Manish Dangol
From: Narendra V. <nar...@gm...> - 2015-11-04 02:25:20
Hi Andres

I'll report the bug with detailed steps to reproduce at the given link.

Thanks!

Regards
Narendra

On Tue, Nov 3, 2015 at 8:49 PM, Andres Riancho <and...@gm...> wrote:
> Narendra,
>
> Do you have a way for me to reproduce this issue? This is
> something I would like to fix. Please follow [0] to report bugs.
>
> [0] http://docs.w3af.org/en/latest/report-a-bug.html
>
> On Sat, Oct 24, 2015 at 12:39 AM, Narendra Vadde <nar...@gm...> wrote:
>> Hi Team
>> Recently my scan failed with the below unhandled exception. Any
>> thoughts on this?
>>
>> An unhandled exception occurred while running hmap: ""
>> Found 1 URLs and 1 different injections points.
>> The URL list is:
>> - http://127.0.0.1:8080/
>> The list of fuzzable requests is:
>> - Method: GET | http://127.0.0.1:8080/
>> Exception in thread AuditorController:
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
>>     self.run()
>>   File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/base_consumer.py", line 114, in run
>>     self._teardown()
>>   File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/audit.py", line 53, in _teardown
>>     'plugin.end()', e)
>>   File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/base_consumer.py", line 267, in handle_exception
>>     enabled_plugins = pprint_plugins(self._w3af_core)
>>   File "/usr/share/w3af/w3af/core/controllers/exception_handling/helpers.py", line 37, in pprint_plugins
>>     plugs_opts = copy.deepcopy(w3af_core.plugins.get_all_plugin_options())
>>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>>     y = copier(x, memo)
>>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>>     y = copier(x, memo)
>>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>>   File "/usr/lib/python2.7/copy.py", line 190, in deepcopy
>>     y = _reconstruct(x, rv, 1, memo)
>>   File "/usr/lib/python2.7/copy.py", line 334, in _reconstruct
>>     state = deepcopy(state, memo)
>>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>>     y = copier(x, memo)
>>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>>     y = copier(x, memo)
>>   File "/usr/lib/python2.7/copy.py", line 230, in _deepcopy_list
>>     y.append(deepcopy(a, memo))
>>   File "/usr/lib/python2.7/copy.py", line 190, in deepcopy
>>     y = _reconstruct(x, rv, 1, memo)
>>   File "/usr/lib/python2.7/copy.py", line 334, in _reconstruct
>>     state = deepcopy(state, memo)
>>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>>     y = copier(x, memo)
>>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>>   File "/usr/lib/python2.7/copy.py", line 174, in deepcopy
>>     y = copier(memo)
>> TypeError: gobject.GObject descendants' instances are non-copyable
>>
>> Regards
>> Narendra
>>
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
From: Narendra V. <nar...@gm...> - 2015-11-04 02:22:22
Hi Andres

Thanks for the reply. Please ignore my mail. It was an issue with proxychains. The crawl plugin works fine.

Regards
Narendra

On Tue, Nov 3, 2015 at 8:48 PM, Andres Riancho <and...@gm...> wrote:
> Narendra,
>
> Sorry for the late response. Your question is too generic, please
> follow [0] if you believe it's a bug, or almost the same guide if
> something doesn't work like you expect it to.
>
> [0] http://docs.w3af.org/en/latest/report-a-bug.html
>
> On Sat, Oct 24, 2015 at 12:38 AM, Narendra Vadde <nar...@gm...> wrote:
>> Hi Everyone
>> Recently I was trying to use web_spider from the crawl plugins, but
>> it doesn't list all the URLs. I also tried using the google_spider and
>> sitemap_xml modules, but none of them worked.
>> The output lists only 1 URL, which is my target URL.
>>
>> w3af>>> version
>> w3af - Web Application Attack and Audit Framework
>> Version: 1.6.46
>> Distribution: Kali Linux
>> Author: Andres Riancho and the w3af team.
>> w3af>>>
>>
>> Is there something I am missing? Can someone please help.
>>
>> Regards
>> Narendra
>>
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2015-11-03 15:20:07
Narendra,

Do you have a way for me to reproduce this issue? This is something I would like to fix. Please follow [0] to report bugs.

[0] http://docs.w3af.org/en/latest/report-a-bug.html

On Sat, Oct 24, 2015 at 12:39 AM, Narendra Vadde <nar...@gm...> wrote:
> Hi Team
> Recently my scan failed with the below unhandled exception. Any
> thoughts on this?
>
> An unhandled exception occurred while running hmap: ""
> Found 1 URLs and 1 different injections points.
> The URL list is:
> - http://127.0.0.1:8080/
> The list of fuzzable requests is:
> - Method: GET | http://127.0.0.1:8080/
> Exception in thread AuditorController:
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
>     self.run()
>   File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/base_consumer.py", line 114, in run
>     self._teardown()
>   File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/audit.py", line 53, in _teardown
>     'plugin.end()', e)
>   File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/base_consumer.py", line 267, in handle_exception
>     enabled_plugins = pprint_plugins(self._w3af_core)
>   File "/usr/share/w3af/w3af/core/controllers/exception_handling/helpers.py", line 37, in pprint_plugins
>     plugs_opts = copy.deepcopy(w3af_core.plugins.get_all_plugin_options())
>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>     y = copier(x, memo)
>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>     y = copier(x, memo)
>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>   File "/usr/lib/python2.7/copy.py", line 190, in deepcopy
>     y = _reconstruct(x, rv, 1, memo)
>   File "/usr/lib/python2.7/copy.py", line 334, in _reconstruct
>     state = deepcopy(state, memo)
>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>     y = copier(x, memo)
>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>     y = copier(x, memo)
>   File "/usr/lib/python2.7/copy.py", line 230, in _deepcopy_list
>     y.append(deepcopy(a, memo))
>   File "/usr/lib/python2.7/copy.py", line 190, in deepcopy
>     y = _reconstruct(x, rv, 1, memo)
>   File "/usr/lib/python2.7/copy.py", line 334, in _reconstruct
>     state = deepcopy(state, memo)
>   File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
>     y = copier(x, memo)
>   File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
>     y[deepcopy(key, memo)] = deepcopy(value, memo)
>   File "/usr/lib/python2.7/copy.py", line 174, in deepcopy
>     y = copier(memo)
> TypeError: gobject.GObject descendants' instances are non-copyable
>
> Regards
> Narendra
>
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2015-11-03 15:18:42
Narendra,

Sorry for the late response. Your question is too generic, please follow [0] if you believe it's a bug, or almost the same guide if something doesn't work like you expect it to.

[0] http://docs.w3af.org/en/latest/report-a-bug.html

On Sat, Oct 24, 2015 at 12:38 AM, Narendra Vadde <nar...@gm...> wrote:
> Hi Everyone
> Recently I was trying to use web_spider from the crawl plugins, but
> it doesn't list all the URLs. I also tried using the google_spider and
> sitemap_xml modules, but none of them worked.
> The output lists only 1 URL, which is my target URL.
>
> w3af>>> version
> w3af - Web Application Attack and Audit Framework
> Version: 1.6.46
> Distribution: Kali Linux
> Author: Andres Riancho and the w3af team.
> w3af>>>
>
> Is there something I am missing? Can someone please help.
>
> Regards
> Narendra
>
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3