w3af-develop Mailing List for w3af (Page 2)
Status: Beta
Brought to you by:
andresriancho
From: Narendra V. <nar...@gm...> - 2015-10-24 03:39:28
Hi Team

Recently my scan failed with the below unhandled exception. Any thoughts on this?

    An unhandled exception occurred while running hmap: ""
    Found 1 URLs and 1 different injections points.
    The URL list is:
    - http://127.0.0.1:8080/
    The list of fuzzable requests is:
    - Method: GET | http://127.0.0.1:8080/
    Exception in thread AuditorController:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
        self.run()
      File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/base_consumer.py", line 114, in run
        self._teardown()
      File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/audit.py", line 53, in _teardown
        'plugin.end()', e)
      File "/usr/share/w3af/w3af/core/controllers/core_helpers/consumers/base_consumer.py", line 267, in handle_exception
        enabled_plugins = pprint_plugins(self._w3af_core)
      File "/usr/share/w3af/w3af/core/controllers/exception_handling/helpers.py", line 37, in pprint_plugins
        plugs_opts = copy.deepcopy(w3af_core.plugins.get_all_plugin_options())
      File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
        y = copier(x, memo)
      File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
        y[deepcopy(key, memo)] = deepcopy(value, memo)
      File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
        y = copier(x, memo)
      File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
        y[deepcopy(key, memo)] = deepcopy(value, memo)
      File "/usr/lib/python2.7/copy.py", line 190, in deepcopy
        y = _reconstruct(x, rv, 1, memo)
      File "/usr/lib/python2.7/copy.py", line 334, in _reconstruct
        state = deepcopy(state, memo)
      File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
        y = copier(x, memo)
      File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
        y[deepcopy(key, memo)] = deepcopy(value, memo)
      File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
        y = copier(x, memo)
      File "/usr/lib/python2.7/copy.py", line 230, in _deepcopy_list
        y.append(deepcopy(a, memo))
      File "/usr/lib/python2.7/copy.py", line 190, in deepcopy
        y = _reconstruct(x, rv, 1, memo)
      File "/usr/lib/python2.7/copy.py", line 334, in _reconstruct
        state = deepcopy(state, memo)
      File "/usr/lib/python2.7/copy.py", line 163, in deepcopy
        y = copier(x, memo)
      File "/usr/lib/python2.7/copy.py", line 257, in _deepcopy_dict
        y[deepcopy(key, memo)] = deepcopy(value, memo)
      File "/usr/lib/python2.7/copy.py", line 174, in deepcopy
        y = copier(memo)
    TypeError: gobject.GObject descendants' instances are non-copyable

Regards
Narendra
From: Narendra V. <nar...@gm...> - 2015-10-24 03:39:00
Hi Everyone

Recently I was trying to use the web_spider from crawl plugin, but it doesn't list all the URLs. I also tried using google_spider, sitemap_xml modules, but none of them worked. The output lists only 1 URL which is my target URL.

    w3af>>> version
    w3af - Web Application Attack and Audit Framework
    Version: 1.6.46
    Distribution: Kali Linux
    Author: Andres Riancho and the w3af team.
    w3af>>>

Is there something I am missing? Can someone please help?

Regards
Narendra
From: 天. <che...@qq...> - 2015-10-15 06:28:17
|
ssssss |
From: Taras <ox...@ox...> - 2015-09-23 12:59:26
Hi!

Thanks for help! Solved by installing libxslt-devel and libxml2-devel packages! :)

On Mon, 21/09/2015 at 17:18 +0100, Owen Tuz wrote:
> Hi Taras,
>
> Sorry for the slow reply. I'm a bit lost, to be honest, not having
> built this on Fedora myself lately.
>
> One last thing to try, however: it looks like Fedora has both a
> libxml-devel and a libxml2-devel package. Could you try installing
> libxml2-devel as well, since I see you have the main package but not
> the headers? Probably no need for the STATIC_DEPS environment
> variable.
>
> Thanks,
>
> Owen
>
> On Fri, Sep 18, 2015 at 4:34 PM, Taras <ox...@ox...> wrote:
> > Hi, Owen!
> >
> > Sorry for delay.
> >
> > On Wed, 16/09/2015 at 11:34 +0100, Owen Tuz wrote:
> > > Hi Taras,
> > >
> > > Sorry - I mistook it for 'yum' output. Not awake.
> > > Any change if you try:
> > >
> > > export STATIC_DEPS=true
> > >
> > > ...before running? As per:
> > > https://stackoverflow.com/questions/27084580/python-error-when-installing-packages
> > See such output
> > ...
> >   File "setupinfo.py", line 57, in ext_modules
> >     multicore=OPTION_MULTICORE)
> >   File "buildlibxml.py", line 348, in build_libxml2xslt
> >     cmmi(configure_cmd, libiconv_dir, multicore, **call_setup)
> >   File "buildlibxml.py", line 285, in cmmi
> >     cwd=build_dir, **call_setup)
> >   File "buildlibxml.py", line 268, in call_subprocess
> >     raise Exception('Command "%s" returned code %s' % (cmd_desc, returncode))
> > Exception: Command "make -j5" returned code 512
> >
> > ----------------------------------------
> > Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-1f1Sw1/lxml
> >
> > > If you could attach the dependency install script, that would also be
> > > helpful.
> > $ cat /tmp/w3af_dependency_install.sh
> > #!/bin/bash
> >
> > # Run without sudo to install inside venv
> > python-pip install pyClamd==0.3.15 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.14 esmre==0.3.1 phply==0.9.1 nltk==3.0.1 chardet==2.1.1 tblib==0.2.0 pdfminer==20140328 futures==2.1.5 pyOpenSSL==0.15.1 ndg-httpsclient==0.3.3 pyasn1==0.1.8 lxml==3.4.4
> >
> > > Thanks,
> > >
> > > Owen
From: Owen T. <ow...@gm...> - 2015-09-21 16:19:05
Hi Taras,

Sorry for the slow reply. I'm a bit lost, to be honest, not having built this on Fedora myself lately.

One last thing to try, however: it looks like Fedora has both a libxml-devel and a libxml2-devel package. Could you try installing libxml2-devel as well, since I see you have the main package but not the headers? Probably no need for the STATIC_DEPS environment variable.

Thanks,

Owen

On Fri, Sep 18, 2015 at 4:34 PM, Taras <ox...@ox...> wrote:
> Hi, Owen!
>
> Sorry for delay.
>
> On Wed, 16/09/2015 at 11:34 +0100, Owen Tuz wrote:
> > Hi Taras,
> >
> > Sorry - I mistook it for 'yum' output. Not awake.
> > Any change if you try:
> >
> > export STATIC_DEPS=true
> >
> > ...before running? As per:
> > https://stackoverflow.com/questions/27084580/python-error-when-installing-packages
> See such output
> ...
>   File "setupinfo.py", line 57, in ext_modules
>     multicore=OPTION_MULTICORE)
>   File "buildlibxml.py", line 348, in build_libxml2xslt
>     cmmi(configure_cmd, libiconv_dir, multicore, **call_setup)
>   File "buildlibxml.py", line 285, in cmmi
>     cwd=build_dir, **call_setup)
>   File "buildlibxml.py", line 268, in call_subprocess
>     raise Exception('Command "%s" returned code %s' % (cmd_desc, returncode))
> Exception: Command "make -j5" returned code 512
>
> ----------------------------------------
> Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-1f1Sw1/lxml
>
> > If you could attach the dependency install script, that would also be
> > helpful.
> $ cat /tmp/w3af_dependency_install.sh
> #!/bin/bash
>
> # Run without sudo to install inside venv
> python-pip install pyClamd==0.3.15 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.14 esmre==0.3.1 phply==0.9.1 nltk==3.0.1 chardet==2.1.1 tblib==0.2.0 pdfminer==20140328 futures==2.1.5 pyOpenSSL==0.15.1 ndg-httpsclient==0.3.3 pyasn1==0.1.8 lxml==3.4.4
>
> > Thanks,
> >
> > Owen
From: Taras <ox...@ox...> - 2015-09-18 15:34:50
Hi, Owen!

Sorry for delay.

On Wed, 16/09/2015 at 11:34 +0100, Owen Tuz wrote:
> Hi Taras,
>
> Sorry - I mistook it for 'yum' output. Not awake.
> Any change if you try:
>
> export STATIC_DEPS=true
>
> ...before running? As per:
> https://stackoverflow.com/questions/27084580/python-error-when-installing-packages

See such output

    ...
      File "setupinfo.py", line 57, in ext_modules
        multicore=OPTION_MULTICORE)
      File "buildlibxml.py", line 348, in build_libxml2xslt
        cmmi(configure_cmd, libiconv_dir, multicore, **call_setup)
      File "buildlibxml.py", line 285, in cmmi
        cwd=build_dir, **call_setup)
      File "buildlibxml.py", line 268, in call_subprocess
        raise Exception('Command "%s" returned code %s' % (cmd_desc, returncode))
    Exception: Command "make -j5" returned code 512

    ----------------------------------------
    Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-1f1Sw1/lxml

> If you could attach the dependency install script, that would also be
> helpful.

    $ cat /tmp/w3af_dependency_install.sh
    #!/bin/bash

    # Run without sudo to install inside venv
    python-pip install pyClamd==0.3.15 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.14 esmre==0.3.1 phply==0.9.1 nltk==3.0.1 chardet==2.1.1 tblib==0.2.0 pdfminer==20140328 futures==2.1.5 pyOpenSSL==0.15.1 ndg-httpsclient==0.3.3 pyasn1==0.1.8 lxml==3.4.4

> Thanks,
>
> Owen
From: Taras <ox...@ox...> - 2015-09-16 10:44:38
Owen, libxml-devel is already installed. Please, see rpm output below.

On Wed, 16/09/2015 at 10:26 +0100, Owen Tuz wrote:
> Try installing libxml-devel and re-run? Looks like pip is trying to
> build but needs the header files, which are usually in the -devel
> package.
> Cheers,
> Owen
> On 16 Sep 2015 10:05 am, "Taras" <ox...@ox...> wrote:
> > Hello!
> >
> > Trying to run it on Fedora 22 inside virtualenv and while installing
> > all deps see such error:
> >
> > /tmp/pip-build-mBBs62/lxml/src/lxml/includes/etree_defs.h:14:31:
> > fatal error: libxml/xmlversion.h: No such file or directory
> >
> > compilation terminated.
> >
> > error: command 'gcc' failed with exit status 1
> >
> > $ rpm -q -a libxml*
> > libxml-devel-1.8.17-34.fc22.x86_64
> > libxml-1.8.17-34.fc22.x86_64
> > libxml2-2.9.2-3.fc22.x86_64
> > libxml2-python-2.9.2-3.fc22.x86_64
> > libxml2-2.9.2-3.fc22.i686
> > libxml++-2.38.0-1.fc22.x86_64
> >
> > Any ideas?
> >
> > On Thu, 10/09/2015 at 22:52 +0300, Taras wrote:
> > > Andres, great job! :-) I will try to test it.
> > >
> > > On Thu, 10/09/2015 at 12:16 -0300, Andres Riancho wrote:
> > > > List,
> > > >
> > > > I'm glad to announce that w3af can now detect 100% of the XSS
> > > > vulnerabilities in WAVSEP!
> > > >
> > > > As part of the "Improve w3af's score for WAVSEP XSS by at least
> > > > 20%" [0] task, I completely rewrote (twice) the context detection
> > > > engine originally developed by Taras. The new engine has the
> > > > following improvements:
> > > >
> > > > * Code is easier to read
> > > > * Context detection false positive is reduced (But can still be
> > > >   improved by migrating from HTMLParser to lxml)
> > > > * Added JavaScript sub-parser
> > > > * Added CSS sub-parser
> > > >
> > > > I've also added new payloads to the XSS plugin which were required
> > > > to "break out" of the new contexts we're identifying.
> > > >
> > > > These changes are part of the "develop" branch, just switch to the
> > > > branch using "git checkout develop" and enjoy the new features (bug
> > > > reports are always welcome!).
> > > >
> > > > For those who love to read code, you'll find most of the
> > > > changes here [1]
> > > >
> > > > Enjoy!
> > > >
> > > > [0] https://github.com/andresriancho/w3af/issues/37
> > > > [1] https://github.com/andresriancho/w3af/tree/develop/w3af/core/data/context
> > > >
> > > > Regards,
> > > _______________________________________________
> > > W3af-develop mailing list
> > > W3a...@li...
> > > https://lists.sourceforge.net/lists/listinfo/w3af-develop
From: Owen T. <ow...@gm...> - 2015-09-16 10:34:39
Hi Taras,

Sorry - I mistook it for 'yum' output. Not awake.
Any change if you try:

    export STATIC_DEPS=true

...before running? As per:
https://stackoverflow.com/questions/27084580/python-error-when-installing-packages

If you could attach the dependency install script, that would also be helpful.

Thanks,

Owen
From: Owen T. <ow...@gm...> - 2015-09-16 09:26:27
Try installing libxml-devel and re-run? Looks like pip is trying to build but needs the header files, which are usually in the -devel package.

Cheers,
Owen

On 16 Sep 2015 10:05 am, "Taras" <ox...@ox...> wrote:
> Hello!
>
> Trying to run it on Fedora 22 inside virtualenv and while installing
> all deps see such error:
>
> /tmp/pip-build-mBBs62/lxml/src/lxml/includes/etree_defs.h:14:31:
> fatal error: libxml/xmlversion.h: No such file or directory
>
> compilation terminated.
>
> error: command 'gcc' failed with exit status 1
>
> $ rpm -q -a libxml*
> libxml-devel-1.8.17-34.fc22.x86_64
> libxml-1.8.17-34.fc22.x86_64
> libxml2-2.9.2-3.fc22.x86_64
> libxml2-python-2.9.2-3.fc22.x86_64
> libxml2-2.9.2-3.fc22.i686
> libxml++-2.38.0-1.fc22.x86_64
>
> Any ideas?
>
> On Thu, 10/09/2015 at 22:52 +0300, Taras wrote:
> > Andres, great job! :-) I will try to test it.
> >
> > On Thu, 10/09/2015 at 12:16 -0300, Andres Riancho wrote:
> > > List,
> > >
> > > I'm glad to announce that w3af can now detect 100% of the XSS
> > > vulnerabilities in WAVSEP!
> > >
> > > As part of the "Improve w3af's score for WAVSEP XSS by at least
> > > 20%" [0] task, I completely rewrote (twice) the context detection
> > > engine originally developed by Taras. The new engine has the
> > > following improvements:
> > >
> > > * Code is easier to read
> > > * Context detection false positive is reduced (But can still be
> > >   improved by migrating from HTMLParser to lxml)
> > > * Added JavaScript sub-parser
> > > * Added CSS sub-parser
> > >
> > > I've also added new payloads to the XSS plugin which were required
> > > to "break out" of the new contexts we're identifying.
> > >
> > > These changes are part of the "develop" branch, just switch to the
> > > branch using "git checkout develop" and enjoy the new features (bug
> > > reports are always welcome!).
> > >
> > > For those who love to read code, you'll find most of the
> > > changes here [1]
> > >
> > > Enjoy!
> > >
> > > [0] https://github.com/andresriancho/w3af/issues/37
> > > [1] https://github.com/andresriancho/w3af/tree/develop/w3af/core/data/context
> > >
> > > Regards,
From: Taras <ox...@ox...> - 2015-09-16 09:04:49
Hello!

Trying to run it on Fedora 22 inside virtualenv and while installing all deps see such error:

    /tmp/pip-build-mBBs62/lxml/src/lxml/includes/etree_defs.h:14:31: fatal error: libxml/xmlversion.h: No such file or directory

    compilation terminated.

    error: command 'gcc' failed with exit status 1

    $ rpm -q -a libxml*
    libxml-devel-1.8.17-34.fc22.x86_64
    libxml-1.8.17-34.fc22.x86_64
    libxml2-2.9.2-3.fc22.x86_64
    libxml2-python-2.9.2-3.fc22.x86_64
    libxml2-2.9.2-3.fc22.i686
    libxml++-2.38.0-1.fc22.x86_64

Any ideas?

On Thu, 10/09/2015 at 22:52 +0300, Taras wrote:
> Andres, great job! :-) I will try to test it.
>
> On Thu, 10/09/2015 at 12:16 -0300, Andres Riancho wrote:
> > List,
> >
> > I'm glad to announce that w3af can now detect 100% of the XSS
> > vulnerabilities in WAVSEP!
> >
> > As part of the "Improve w3af's score for WAVSEP XSS by at least
> > 20%" [0] task, I completely rewrote (twice) the context detection
> > engine originally developed by Taras. The new engine has the
> > following improvements:
> >
> > * Code is easier to read
> > * Context detection false positive is reduced (But can still be
> >   improved by migrating from HTMLParser to lxml)
> > * Added JavaScript sub-parser
> > * Added CSS sub-parser
> >
> > I've also added new payloads to the XSS plugin which were required
> > to "break out" of the new contexts we're identifying.
> >
> > These changes are part of the "develop" branch, just switch to the
> > branch using "git checkout develop" and enjoy the new features (bug
> > reports are always welcome!).
> >
> > For those who love to read code, you'll find most of the
> > changes here [1]
> >
> > Enjoy!
> >
> > [0] https://github.com/andresriancho/w3af/issues/37
> > [1] https://github.com/andresriancho/w3af/tree/develop/w3af/core/data/context
> >
> > Regards,
From: Taras <ox...@ox...> - 2015-09-10 20:09:35
Andres, great job! :-) I will try to test it.

On Thu, 10/09/2015 at 12:16 -0300, Andres Riancho wrote:
> List,
>
> I'm glad to announce that w3af can now detect 100% of the XSS
> vulnerabilities in WAVSEP!
>
> As part of the "Improve w3af's score for WAVSEP XSS by at least
> 20%" [0] task, I completely rewrote (twice) the context detection
> engine originally developed by Taras. The new engine has the
> following improvements:
>
> * Code is easier to read
> * Context detection false positive is reduced (But can still be
>   improved by migrating from HTMLParser to lxml)
> * Added JavaScript sub-parser
> * Added CSS sub-parser
>
> I've also added new payloads to the XSS plugin which were required
> to "break out" of the new contexts we're identifying.
>
> These changes are part of the "develop" branch, just switch to the
> branch using "git checkout develop" and enjoy the new features (bug
> reports are always welcome!).
>
> For those who love to read code, you'll find most of the changes
> here [1]
>
> Enjoy!
>
> [0] https://github.com/andresriancho/w3af/issues/37
> [1] https://github.com/andresriancho/w3af/tree/develop/w3af/core/data/context
>
> Regards,
From: Andres R. <and...@gm...> - 2015-09-10 15:16:43
List,

I'm glad to announce that w3af can now detect 100% of the XSS vulnerabilities in WAVSEP!

As part of the "Improve w3af's score for WAVSEP XSS by at least 20%" [0] task, I completely rewrote (twice) the context detection engine originally developed by Taras. The new engine has the following improvements:

* Code is easier to read
* Context detection false positive is reduced (But can still be improved by migrating from HTMLParser to lxml)
* Added JavaScript sub-parser
* Added CSS sub-parser

I've also added new payloads to the XSS plugin which were required to "break out" of the new contexts we're identifying.

These changes are part of the "develop" branch, just switch to the branch using "git checkout develop" and enjoy the new features (bug reports are always welcome!).

For those who love to read code, you'll find most of the changes here [1]

Enjoy!

[0] https://github.com/andresriancho/w3af/issues/37
[1] https://github.com/andresriancho/w3af/tree/develop/w3af/core/data/context

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
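The context-detection idea in the announcement above, as an added example that is not part of the original post and is not w3af's code: an HTMLParser-based finder with small JavaScript and CSS sub-parsers that reports where a harmless marker is reflected, which is what tells a defender which output encoder each location needs. It uses Python 3's `html.parser`; the marker, the sample page, the context labels and all function names are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser

MARKER = "zq7probe"  # constructed alphanumeric marker; SAMPLE below is a constructed response
URL_ATTRS = {"href", "src", "action", "formaction"}
STATE_NAMES = {"'": "single_quoted", '"': "double_quoted", "`": "template_literal"}

def sub_context(text, pos, lang):
    """Classify offset `pos` inside JavaScript ("js") or CSS ("css") source text."""
    quotes = "'\"`" if lang == "js" else "'\""
    state, i = "code", 0
    while i < pos:
        ch, nxt = text[i], text[i + 1:i + 2]
        if state == "code":
            if ch in quotes:
                state = ch                      # entering a string literal
            elif ch == "/" and nxt == "*":
                state, i = "comment", i + 1
            elif ch == "/" and nxt == "/" and lang == "js":
                state, i = "line_comment", i + 1
        elif state == "comment":
            if ch == "*" and nxt == "/":
                state, i = "code", i + 1
        elif state == "line_comment":
            if ch == "\n":
                state = "code"
        elif ch == "\\":
            i += 1                              # skip the escaped character
        elif ch == state or (ch == "\n" and state != "`"):
            state = "code"                      # string closed, or cut by a newline
        i += 1
    return "%s_%s" % (lang, STATE_NAMES.get(state, state))

class ContextFinder(HTMLParser):
    def __init__(self, marker):
        super().__init__()
        self.marker, self.contexts = marker, []
        self._raw_tag, self._raw_buf = None, []    # open <script>/<style> and its text

    def _offsets(self, text):
        return [m.start() for m in re.finditer(re.escape(self.marker), text)]

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text() or ""
        for name, value in attrs:
            for pos in self._offsets(value or ""):
                if name.startswith("on"):          # event handler: value is JavaScript
                    ctx = "event_attr:" + sub_context(value, pos, "js")
                elif name == "style":              # inline style: value is CSS
                    ctx = "style_attr:" + sub_context(value, pos, "css")
                else:                              # quoting decides what can end the value
                    m = re.search(r"\b%s\s*=\s*([\"']?)" % re.escape(name), raw, re.I)
                    quote = {"'": "single", '"': "double"}.get(m.group(1) if m else "", "unquoted")
                    ctx = "%s:%s" % ("url_attr" if name in URL_ATTRS else "attr_value", quote)
                self.contexts.append(ctx)
        if tag in ("script", "style"):
            self._raw_tag, self._raw_buf = tag, []

    def handle_endtag(self, tag):
        if tag == self._raw_tag:                   # raw-text element closed: sub-parse it
            text, lang = "".join(self._raw_buf), "js" if tag == "script" else "css"
            for pos in self._offsets(text):
                self.contexts.append("%s:%s" % (tag, sub_context(text, pos, lang)))
            self._raw_tag = None

    def handle_data(self, data):
        if self._raw_tag:
            self._raw_buf.append(data)
        else:
            self.contexts.extend("html_text" for _ in self._offsets(data))

    def handle_comment(self, data):
        self.contexts.extend("html_comment" for _ in self._offsets(data))

def find_contexts(html, marker=MARKER):
    finder = ContextFinder(marker)
    finder.feed(html)
    finder.close()
    return finder.contexts

SAMPLE = """<p>Hello zq7probe</p>
<input type="text" value="zq7probe">
<a href='/search?q=zq7probe'>again</a>
<img alt=zq7probe src="/x.png">
<div onclick="track('zq7probe')">x</div>
<!-- debug: zq7probe -->
<script>
// last query: zq7probe
var q = "zq7probe";
var n = zq7probe;
</script>
<style>
/* zq7probe */
.hit { background: url('/img/zq7probe.png'); }
</style>"""

if __name__ == "__main__":
    print("\n".join(find_contexts(SAMPLE)))
```

The sub-parser does not recognise JavaScript regular-expression literals, so a `/` inside one can be misread; that is a limit of this sketch, not a statement about w3af's engine.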
From: Andres R. <and...@gm...> - 2015-08-07 12:29:06
Tiff,

Please follow these [0] guidelines to report your bugs. Thanks!

[0] http://docs.w3af.org/en/latest/report-a-bug.html

On Fri, Aug 7, 2015 at 12:03 AM, 冠庭 羅 <bti...@ya...> wrote:
> Hi,
>
> I got some error message but I don't understand, first of all I thought that
> was because of Firewall am I right?
>
> (venv)[root@VC07-i-14A0C84F w3af]# ./w3af_api
> * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
> 127.0.0.1 - - [07/Aug/2015 10:53:21] "POST /scans/ HTTP/1.1" 201 -
> The URL: "http://testaspnet.vulnweb.com/" has .NET ViewState encryption
> disabled. This programming/configuration error could be exploited to decode
> the viewstate contents. This information was found in the request with id
> 18.
> The remote Web server sent a strange HTTP reasonmessage "", manual
> inspection is recommended. This information was found in the request with id
> 18.
> No URLs found during crawl phase.
> The following error was detected and could not be resolved:
> Failed to initialize the 404 detection, original exception was: "".
>
> Scan finished in 8 seconds.
> Stopping the core...
> ^CException TypeError: "'NoneType' object is not callable" in ignored
> Exception TypeError: "'NoneType' object is not callable" in ignored
>
> Thanks,
>
> Tiff
>
> Owen Tuz <ow...@gm...> wrote on 2015/8/6 (Thu) 2:30 PM:
>
> Hi Tiff,
> Software filters based on the destination port, not the source port:
> http://stackoverflow.com/questions/21253474/source-port-vs-destination-port
> The source port is always random, as Andres says. The destination port is
> static as you are describing.
> For what it is worth, this is handled by your operating system and is true
> for all programs. It is not controlled by w3af at all.
> Best regards,
> Owen
> On 6 Aug 2015 4:51 am, "冠庭 羅" <bti...@ya...> wrote:
>
> Hi,
>
> But it's weird. Don't software filter which port has already be used, if it
> choose 22, 80 and so on?
> If it can check that's mean, it can check the open port to send packet?
>
> Because there are Firewall in front of my VM, must to let w3af to send
> packet on the same port so that I don't need to open all Firewall's port.
> or maybe some way to solve it, but not open all the port.
>
> Thanks,
>
> Tiff
>
> Andres Riancho <and...@gm...> wrote on 2015/8/6 (Thu) 10:09 AM:
>
> Source ports are dynamic on all OS
>
> On Wed, Aug 5, 2015 at 10:18 PM, 冠庭 羅 <bti...@ya...> wrote:
>> Hi,
>>
>> There is an another question.
>> Is that possible for scanning be used on the static port?
>> I used wireshark to catch packet.
>> I found that the packet which send by w3af doesn't use the "same port"
>> each
>> time I start a new scanning.
>>
>> Thanks,
>>
>> Tiff
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: 冠庭 羅 <bti...@ya...> - 2015-08-07 03:06:44
Hi,

I got some error message but I don't understand, first of all I thought that was because of Firewall am I right?

    (venv)[root@VC07-i-14A0C84F w3af]# ./w3af_api
    * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
    127.0.0.1 - - [07/Aug/2015 10:53:21] "POST /scans/ HTTP/1.1" 201 -
    The URL: "http://testaspnet.vulnweb.com/" has .NET ViewState encryption disabled. This programming/configuration error could be exploited to decode the viewstate contents. This information was found in the request with id 18.
    The remote Web server sent a strange HTTP reasonmessage "", manual inspection is recommended. This information was found in the request with id 18.
    No URLs found during crawl phase.
    The following error was detected and could not be resolved:
    Failed to initialize the 404 detection, original exception was: "".

    Scan finished in 8 seconds.
    Stopping the core...
    ^CException TypeError: "'NoneType' object is not callable" in ignored
    Exception TypeError: "'NoneType' object is not callable" in ignored

Thanks,

Tiff

Owen Tuz <ow...@gm...> wrote on 2015/8/6 (Thu) 2:30 PM:

> Hi Tiff,
>
> Software filters based on the destination port, not the source port:
> http://stackoverflow.com/questions/21253474/source-port-vs-destination-port
> The source port is always random, as Andres says. The destination port is static as you are describing.
>
> For what it is worth, this is handled by your operating system and is true for all programs. It is not controlled by w3af at all.
>
> Best regards,
>
> Owen
>
> On 6 Aug 2015 4:51 am, "冠庭 羅" <bti...@ya...> wrote:
>
> Hi,
>
> But it's weird. Don't software filter which port has already be used, if it choose 22, 80 and so on?
> If it can check that's mean, it can check the open port to send packet?
>
> Because there are Firewall in front of my VM, must to let w3af to send packet on the same port so that I don't need to open all Firewall's port.
> or maybe some way to solve it, but not open all the port.
>
> Thanks,
>
> Tiff
>
> Andres Riancho <and...@gm...> wrote on 2015/8/6 (Thu) 10:09 AM:
>
> Source ports are dynamic on all OS
>
> On Wed, Aug 5, 2015 at 10:18 PM, 冠庭 羅 <bti...@ya...> wrote:
> > Hi,
> >
> > There is an another question.
> > Is that possible for scanning be used on the static port?
> > I used wireshark to catch packet.
> > I found that the packet which send by w3af doesn't use the "same port" each
> > time I start a new scanning.
> >
> > Thanks,
> >
> > Tiff
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
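The source-port versus destination-port point made in the replies quoted in this thread, as an added example that is not part of any of the posts: several simultaneous TCP connections to one loopback listener keep the same destination port while the operating system gives each its own source port, so a filter rule keyed on the destination port covers all of them. The rule format and the function names are hypothetical, and the listener port is whatever free port the OS hands out for the demonstration.

```python
import socket


def observe_connections(count=3):
    """Open `count` simultaneous TCP connections to a loopback listener.

    Returns (listener_port, [(source_port, destination_port), ...]).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # demo only: a free port stands in for 80/443
    listener.listen(count)
    dst_port = listener.getsockname()[1]
    clients, seen = [], []
    try:
        for _ in range(count):
            conn = socket.create_connection(("127.0.0.1", dst_port), timeout=5)
            clients.append(conn)
            # The client never asked for a source port; the OS assigned one.
            seen.append((conn.getsockname()[1], conn.getpeername()[1]))
    finally:
        for conn in clients:
            conn.close()
        listener.close()
    return dst_port, seen


def rule_allows(rule, conn):
    """Hypothetical, simplified filter rule: a field set to None matches any port."""
    src_port, dst_port = conn
    return (rule.get("src_port") in (None, src_port)
            and rule.get("dst_port") in (None, dst_port))


def count_allowed(rule, conns):
    """Number of observed connections that the rule would let through."""
    return sum(rule_allows(rule, conn) for conn in conns)


if __name__ == "__main__":
    dst, conns = observe_connections()
    for src, to in conns:
        print("source port %5d -> destination port %d" % (src, to))
    by_dst = {"src_port": None, "dst_port": dst}
    by_src = {"src_port": conns[0][0], "dst_port": None}
    print("rule on destination port allows", count_allowed(by_dst, conns), "of", len(conns))
    print("rule on one source port allows ", count_allowed(by_src, conns), "of", len(conns))
```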
From: Piotr L. <pio...@gm...> - 2015-08-06 12:45:18
Dear Andres,

2015-08-06 14:06 GMT+02:00 Andres Riancho <and...@gm...>:

> Piotr,
>
> On Thu, Aug 6, 2015 at 5:38 AM, Piotr Lizończyk <pio...@gm...> wrote:
> > Hi w3af developers community,
> > I'm working on tool that discovers technologies used on websites. It's
> > called WAD (https://github.com/CERN-CERT/WAD), it is based on Wappalyzer
> > browser extension (https://github.com/AliasIO/Wappalyzer) and I would like
> > to create an "infrastructure" plugin for w3af, that would run it and provide
> > user with information, that we can scrape out of website's HTML content.
>
> Sounds good! In the past I had the same idea and wrote it as this [0]
> issue. While reviewing the issue I found two "WAD" implementations:
> * https://github.com/SebastianLopienski/WAD
> * https://github.com/CERN-CERT/WAD
>
> What's the difference between these two? Are they related?
> [0] https://github.com/andresriancho/w3af/issues/1081

The first repository is really old implementation of this tool in original author's repository, since then codebase has evolved as an internal tool at CERN (it was and is still maintained by Sebastian). The second (CERN-CERT) is recently published version, with main intention to make the tool available to public and to integrate it with complex solutions like w3af.

> > The package was created at CERN and it is maintained actively for a couple
> > of years. While the process of contributing to w3af is clear, it is obvious
> > that I should ask you about adding this package as dependency, so my work on
> > the pull request is not a waste of time.
>
> Agreed!
>
> > I believe that this addition would be very valuable to w3af users, since it
> > can provide large amount of information about both backend and frontend
> > technologies used on website.
>
> Agreed on this one too.
>
> Before we can integrate anything into w3af there are some things to
> take into account:
> * WAD code license: GPL3. AFAIK there is no problem with w3af (GPL2)
> having a requirement (not bundled in the same repository) that's
> licensed as GPL3

We chose GPL3 as license, because it works seamlessly with GPL2, under which is Wappalyzer licensed.

> * DB license: You're including the db inside your repository. Are
> the licenses compatible? Is this acceptable use of these files [2] ?

This DB (apps.json file) comes directly from Wappalyzer, which is under GPLv2, so we are free to use it, as long as the license is GPL compatible. CERN-CERT team has contributed a lot into that database, as a side-note. I will include information about origin and license of those files into codebase.

> * Most efficient way to integrate w3af with WAD:
>
> - Looks like WAD is a simple wrapper around the DB, the code
> is clean and tested. Entry point seems to be Detector.detect_multiple
> which performs an HTTP request and then analyzes the response. The
> only problem I see there is that in the w3af framework the user can
> setup many HTTP client options (proxy, timeout, etc.) which won't be
> respected if we just use wad's urlopen function. I guess that
> Detector.detect_multiple will have to be rewritten (maybe specify a
> urlopen as an optional parameter?) to use w3af's ExtendedUrllib

This won't be a problem, I'm free to change WAD's code. Thanks for noting that, I will implement that in code.

> - The information found by WAD must be stored in the knowledge
> base so other plugins can re-use this information
> - The information found by WAD must be stored in the knowledge
> base using an Info instance with the right name and description text
> so a regular user can understand what was found

I've already started working on plugin, basing on halberd.py infrastructure plugin. I successfully managed to store results in database, right now I'm working on making those results more human-readable.

> Also, I see that WAD is at pypi which makes it easier for us to use in
> w3af since we can add it to the requirements file [1].
>
> Not a requirement/blocker but just curious, is WAD already bundled in Kali?

No, it isn't, since the public release happened very recently. That's a very good idea though, thank you for that one, I'll surely look into it.

> To sum up, I believe everything looks good. If you send a clean PR
> which uses wad as an external dependency it will be accepted.
>
> [0] https://pypi.python.org/pypi/wad
> [1] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/dependency_check/requirements.py
> [2] https://github.com/CERN-CERT/WAD/tree/master/wad/etc
>
> > I'm waiting to hear from you, with kind regards,
> > Piotr Lizończyk
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

Thank you for your input and approval, I expect to deliver pull request in following days.

Regards,
Piotr Lizończyk
From: Piotr L. <pio...@gm...> - 2015-08-06 12:41:29
|
Dear Andres,

2015-08-06 14:06 GMT+02:00 Andres Riancho <and...@gm...>:

> Piotr,
>
> On Thu, Aug 6, 2015 at 5:38 AM, Piotr Lizończyk <pio...@gm...> wrote:
> > Hi w3af developers community,
> > I'm working on tool that discovers technologies used on websites. It's
> > called WAD (https://github.com/CERN-CERT/WAD), it is based on Wappalyzer
> > browser extension (https://github.com/AliasIO/Wappalyzer) and I would like
> > to create an "infrastructure" plugin for w3af, that would run it and provide
> > user with information, that we can scrape out of website's HTML content.
>
> Sounds good! In the past I had the same idea and wrote it as this [0]
> issue. While reviewing the issue I found two "WAD" implementations:
> * https://github.com/SebastianLopienski/WAD
> * https://github.com/CERN-CERT/WAD
>
> What's the difference between these two? Are they related?
>
> [0] https://github.com/andresriancho/w3af/issues/1081

The first repository is a really old implementation of this tool in the original author's repository; since then the codebase has evolved as an internal tool at CERN (it was and is still maintained by Sebastian). The second (CERN-CERT) is the recently published version, with the main intention of making the tool available to the public and integrating it with complex solutions like w3af.

> > The package was created at CERN and it is maintained actively for a couple
> > of years. While the process of contributing to w3af is clear, it is obvious
> > that I should ask you about adding this package as dependency, so my work on
> > the pull request is not a waste of time.
>
> Agreed!
>
> > I believe that this addition would be very valuable to w3af users, since it
> > can provide large amount of information about both backend and frontend
> > technologies used on website.
>
> Agreed on this one too.
>
> Before we can integrate anything into w3af there are some things to
> take into account:
> * WAD code license: GPL3. AFAIK there is no problem with w3af (GPL2)
> having a requirement (not bundled in the same repository) that's
> licensed as GPL3

We chose GPL3 as the license because it works seamlessly with GPL2, under which Wappalyzer is licensed.

> * DB license: You're including the db inside your repository. Are
> the licenses compatible? Is this acceptable use of these files [2] ?

This DB (apps.json file) comes directly from Wappalyzer, which is under GPLv2, so we are free to use it, as long as the license is GPL compatible. As a side note, the CERN-CERT team has contributed a lot to that database. I will include information about the origin and license of those files in the codebase.

> * Most efficient way to integrate w3af with WAD:
>
> - Looks like WAD is a simple wrapper around the DB, the code
> is clean and tested. Entry point seems to be Detector.detect_multiple
> which performs an HTTP request and then analyzes the response. The
> only problem I see there is that in the w3af framework the user can
> setup many HTTP client options (proxy, timeout, etc.) which won't be
> respected if we just use wad's urlopen function. I guess that
> Detector.detect_multiple will have to be rewritten (maybe specify a
> urlopen as an optional parameter?) to use w3af's ExtendedUrllib

This won't be a problem, I'm free to change WAD's code. Thanks for noting that, I will implement that in code.

> - The information found by WAD must be stored in the knowledge
> base so other plugins can re-use this information
> - The information found by WAD must be stored in the knowledge
> base using an Info instance with the right name and description text
> so a regular user can understand what was found

I've already started working on the plugin, basing it on the halberd.py infrastructure plugin. I successfully managed to store results in the database; right now I'm working on making those results more human-readable.

> Also, I see that WAD is at pypi which makes it easier for us to use in
> w3af since we can add it to the requirements file [1].
>
> Not a requirement/blocker but just curious, is WAD already bundled in Kali?

No, it isn't, since the public release happened very recently. That's a very good idea though, thank you for that one, I'll surely look into it.

> To sum up, I believe everything looks good. If you send a clean PR
> which uses wad as an external dependency it will be accepted.
>
> [0] https://pypi.python.org/pypi/wad
> [1] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/dependency_check/requirements.py
> [2] https://github.com/CERN-CERT/WAD/tree/master/wad/etc
>
> > I'm waiting to hear from you, with kind regards,
> > Piotr Lizończyk
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

Thank you for your input and approval, I expect to deliver the pull request in the following days.

Regards,
Piotr Lizończyk
|
From: Andres R. <and...@gm...> - 2015-08-06 12:06:38
|
Piotr,

On Thu, Aug 6, 2015 at 5:38 AM, Piotr Lizończyk <pio...@gm...> wrote:
> Hi w3af developers community,
> I'm working on tool that discovers technologies used on websites. It's
> called WAD (https://github.com/CERN-CERT/WAD), it is based on Wappalyzer
> browser extension (https://github.com/AliasIO/Wappalyzer) and I would like
> to create an "infrastructure" plugin for w3af, that would run it and provide
> user with information, that we can scrape out of website's HTML content.

Sounds good! In the past I had the same idea and wrote it as this [0] issue. While reviewing the issue I found two "WAD" implementations:
* https://github.com/SebastianLopienski/WAD
* https://github.com/CERN-CERT/WAD

What's the difference between these two? Are they related?

[0] https://github.com/andresriancho/w3af/issues/1081

> The package was created at CERN and it is maintained actively for a couple
> of years. While the process of contributing to w3af is clear, it is obvious
> that I should ask you about adding this package as dependency, so my work on
> the pull request is not a waste of time.

Agreed!

> I believe that this addition would be very valuable to w3af users, since it
> can provide large amount of information about both backend and frontend
> technologies used on website.

Agreed on this one too.

Before we can integrate anything into w3af there are some things to take into account:

* WAD code license: GPL3. AFAIK there is no problem with w3af (GPL2) having a requirement (not bundled in the same repository) that's licensed as GPL3
* DB license: You're including the db inside your repository. Are the licenses compatible? Is this acceptable use of these files [2] ?
* Most efficient way to integrate w3af with WAD:
  - Looks like WAD is a simple wrapper around the DB, the code is clean and tested. Entry point seems to be Detector.detect_multiple which performs an HTTP request and then analyzes the response. The only problem I see there is that in the w3af framework the user can setup many HTTP client options (proxy, timeout, etc.) which won't be respected if we just use wad's urlopen function. I guess that Detector.detect_multiple will have to be rewritten (maybe specify a urlopen as an optional parameter?) to use w3af's ExtendedUrllib
  - The information found by WAD must be stored in the knowledge base so other plugins can re-use this information
  - The information found by WAD must be stored in the knowledge base using an Info instance with the right name and description text so a regular user can understand what was found

Also, I see that WAD is at pypi which makes it easier for us to use in w3af since we can add it to the requirements file [1].

Not a requirement/blocker but just curious, is WAD already bundled in Kali?

To sum up, I believe everything looks good. If you send a clean PR which uses wad as an external dependency it will be accepted.

[0] https://pypi.python.org/pypi/wad
[1] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/dependency_check/requirements.py
[2] https://github.com/CERN-CERT/WAD/tree/master/wad/etc

> I'm waiting to hear from you, with kind regards,
> Piotr Lizończyk

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
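The "urlopen as an optional parameter" idea from the message above, as an added example that is not part of the thread and is neither WAD's nor w3af's code: the detector takes its HTTP fetch as an injected callable, so the host scanner's client (with the user's proxy and timeout) makes the request and the detector only analyzes the response. `TechDetector`, `FrameworkClient`, `FINGERPRINTS` and the sample response are hypothetical and constructed for illustration.

```python
import re
import urllib.request
from collections import namedtuple

# The only response shape the detector needs: lower-cased headers and body.
Response = namedtuple("Response", "url headers body")

# Constructed fingerprints in the spirit of Wappalyzer's apps.json
# (regexes over headers and HTML); this is not the real database.
FINGERPRINTS = {
    "nginx": {"headers": {"server": r"nginx(?:/([\d.]+))?"}},
    "PHP": {"headers": {"x-powered-by": r"php(?:/([\d.]+))?"}},
    "jQuery": {"html": r"jquery[.-]([\d.]+)(?:\.min)?\.js"},
    "WordPress": {"html": r'name="generator"[^>]+content="WordPress ?([\d.]*)'},
}


def default_fetch(url, timeout=10):
    """Stand-alone fetch, used only when the caller injects nothing."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read().decode("utf-8", "replace")
        return Response(resp.geturl(), headers, body)


class TechDetector:
    """Hypothetical detector: fetching is injected, analysis is pure."""

    def __init__(self, fingerprints=FINGERPRINTS, fetch=None):
        self._db = fingerprints
        self._fetch = fetch or default_fetch  # the seam: url -> Response

    def detect(self, url):
        return self.analyze(self._fetch(url))

    def analyze(self, response):
        """Return {app: version or None} for every fingerprint that matches."""
        found = {}
        for app, rules in self._db.items():
            for header, pattern in rules.get("headers", {}).items():
                value = response.headers.get(header)
                match = value and re.search(pattern, value, re.I)
                if match:
                    found[app] = match.group(1)
            match = "html" in rules and re.search(rules["html"], response.body, re.I)
            if match:
                found[app] = match.group(1)
        return found


def describe(found):
    """Human-readable lines, the form a report or knowledge base would store."""
    return ["%s %s" % (app, ver) if ver else app for app, ver in sorted(found.items())]


class FrameworkClient:
    """Stand-in for the host scanner's HTTP client (hypothetical). It owns the
    user's proxy and timeout, and serves a constructed response so the example
    runs offline."""

    def __init__(self, proxy, timeout):
        self.proxy, self.timeout = proxy, timeout
        self.sent = []

    def get(self, url):
        self.sent.append((url, self.proxy, self.timeout))
        headers = {"server": "nginx/1.8.0", "x-powered-by": "PHP/5.6.11"}
        body = '<html><script src="/js/jquery-1.11.3.min.js"></script></html>'
        return Response(url, headers, body)


def scan(url):
    client = FrameworkClient(proxy="http://127.0.0.1:8080", timeout=5)
    detector = TechDetector(fetch=client.get)  # detector never opens a socket
    return describe(detector.detect(url)), client.sent


if __name__ == "__main__":
    print(scan("http://target.example/"))
```

Because `analyze` takes a response object rather than a URL, a scanner can also feed it responses it has already fetched and avoid a second request.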
From: Piotr L. <pio...@gm...> - 2015-08-06 08:38:44
|
Hi w3af developers community,

I'm working on a tool that discovers technologies used on websites. It's called WAD (https://github.com/CERN-CERT/WAD), it is based on the Wappalyzer browser extension (https://github.com/AliasIO/Wappalyzer) and I would like to create an "infrastructure" plugin for w3af that would run it and provide the user with information that we can scrape out of a website's HTML content.

The package was created at CERN and it has been actively maintained for a couple of years. While the process of contributing to w3af is clear, it is obvious that I should ask you about adding this package as a dependency, so my work on the pull request is not a waste of time.

I believe that this addition would be very valuable to w3af users, since it can provide a large amount of information about both backend and frontend technologies used on a website.

I'm waiting to hear from you, with kind regards,
Piotr Lizończyk
|
From: Owen T. <ow...@gm...> - 2015-08-06 06:30:38
|
Hi Tiff,

Software filters based on the destination port, not the source port:
http://stackoverflow.com/questions/21253474/source-port-vs-destination-port

The source port is always random, as Andres says. The destination port is static as you are describing.

For what it is worth, this is handled by your operating system and is true for all programs. It is not controlled by w3af at all.

Best regards,
Owen

On 6 Aug 2015 4:51 am, "冠庭 羅" <bti...@ya...> wrote:

> Hi,
>
> But it's weird. Don't software filter which port has already be used, if
> it choose 22, 80 and so on?
> If it can check that's mean, it can check the open port to send packet?
>
> Because there are Firewall in front of my VM, must to let w3af to send
> packet on the same port so that I don't need to open all Firewall's port.
> or maybe some way to solve it, but not open all the port.
>
> Thanks,
>
> Tiff
>
> Andres Riancho <and...@gm...> wrote on 2015/8/6 (Thu) 10:09 AM:
>
> Source ports are dynamic on all OS
>
> On Wed, Aug 5, 2015 at 10:18 PM, 冠庭 羅 <bti...@ya...> wrote:
> > Hi,
> >
> > There is an another question.
> > Is that possible for scanning be used on the static port?
> > I used wireshark to catch packet.
> > I found that the packet which send by w3af doesn't use the "same port" each
> > time I start a new scanning.
> >
> > Thanks,
> >
> > Tiff
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
|
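The point made in the reply above, as an added example that is not part of the thread: several TCP connections to one loopback listener share a single destination port while the operating system assigns each a different source port, so a filter rule keyed on the destination port covers all of them and a rule keyed on one source port covers only one. The function names are hypothetical and the listener is a local stand-in for the scanned server.

```python
import socket


def observe_ports(connections=5):
    """Open several TCP connections to one loopback listener and return
    (listener_port, [(source_port, destination_port), ...])."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(connections)
    dst_port = listener.getsockname()[1]

    clients, pairs = [], []
    try:
        for _ in range(connections):
            client = socket.create_connection(("127.0.0.1", dst_port), timeout=5)
            clients.append(client)  # kept open so all connections coexist
            pairs.append((client.getsockname()[1], client.getpeername()[1]))
    finally:
        for client in clients:
            client.close()
        listener.close()
    return dst_port, pairs


def rule_matches(pairs, dst_port=None, src_port=None):
    """Count the connections a filter rule with these port criteria matches."""
    return sum(
        1
        for src, dst in pairs
        if (dst_port is None or dst == dst_port)
        and (src_port is None or src == src_port)
    )


if __name__ == "__main__":
    port, seen = observe_ports()
    print("destination port:", port)
    print("source ports:", [src for src, _ in seen])
    print("matched by destination rule:", rule_matches(seen, dst_port=port))
```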
From: 冠庭 羅 <bti...@ya...> - 2015-08-06 03:51:06
|
Hi,

But it's weird. Doesn't software filter which port has already been used, if it chooses 22, 80 and so on? If it can check, that means it can check the open port to send the packet?

Because there is a firewall in front of my VM, I must let w3af send packets on the same port so that I don't need to open all of the firewall's ports. Or maybe there is some way to solve it without opening all the ports.

Thanks,

Tiff

Andres Riancho <and...@gm...> wrote on 2015/8/6 (Thu) 10:09 AM:

Source ports are dynamic on all OS

On Wed, Aug 5, 2015 at 10:18 PM, 冠庭 羅 <bti...@ya...> wrote:
> Hi,
>
> There is an another question.
> Is that possible for scanning be used on the static port?
> I used wireshark to catch packet.
> I found that the packet which send by w3af doesn't use the "same port" each
> time I start a new scanning.
>
> Thanks,
>
> Tiff

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Andres R. <and...@gm...> - 2015-08-06 02:09:18
|
Source ports are dynamic on all OS

On Wed, Aug 5, 2015 at 10:18 PM, 冠庭 羅 <bti...@ya...> wrote:
> Hi,
>
> There is an another question.
> Is that possible for scanning be used on the static port?
> I used wireshark to catch packet.
> I found that the packet which send by w3af doesn't use the "same port" each
> time I start a new scanning.
>
> Thanks,
>
> Tiff

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: 冠庭 羅 <bti...@ya...> - 2015-08-06 01:32:28
|
Hi,

There is another question. Is it possible for scanning to use a static port? I used Wireshark to capture packets. I found that the packets sent by w3af don't use the "same port" each time I start a new scan.

Thanks,

Tiff
|
From: Andres R. <and...@gm...> - 2015-08-05 20:50:08
|
@John: Awesome!

Since Jay mentioned that he might work on this, I believe we'll have to wait and see if he's able to write the code; but something very important that's always required for a feature to be accepted in w3af is a functional test.

Our functional tests are part of the django-moth [0] application. If you want to help maybe you can consider writing a couple of vulnerable scripts which use JWT. The conditions of satisfaction for this are:

* At least three new scripts are created
* They all receive the data over JWT
* The scripts are linked / usable from django-moth main page
* Different types of signing are used in the test scripts
* Different vulnerabilities are exposed via JWT (xss, sqli, os commanding)

This will really help with the testing process :)

[0] https://github.com/andresriancho/django-moth

On Wed, Aug 5, 2015 at 5:42 PM, John Martinelli <joh...@gm...> wrote:
> I can help with this
>
> On Aug 5, 2015 4:41 PM, "Andres Riancho" <and...@gm...> wrote:
>>
>> Jay,
>>
>> Interesting subject, never came across JSON web tokens before.
>>
>> AFAIK nobody is working on adding this feature to the framework,
>> but I would be happy if you give it a try. There seems to be a library
>> we can use to handle all the encoding stuff [0] and some notes on the
>> w3af-specifics:
>>
>> * The plugins need to be 100% abstracted of the way requests
>> are encoded. Changes to JSON web tokens will only affect files in
>> w3af/core/
>> * One of the most important abstractions you'll have to
>> understand to add JWT to w3af is mutants [1]. Follow the code by
>> looking for all the usages of JSONMutant and it should be easy to
>> understand what they are.
>> * The other abstraction to be added for JWT is a container [2]
>>
>> A couple of links that might help:
>> * https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
>> * https://github.com/andresriancho/w3af/wiki/Contributing-101
>>
>> Feel free to ask me any questions via this mailing list, or use
>> the new issue I've just created [3]
>>
>> [0] https://github.com/jpadilla/pyjwt/
>> [1] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
>> [2] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
>> [3] https://github.com/andresriancho/w3af/issues/11875
>>
>> On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong <jay...@ve...> wrote:
>> > Hi,
>> >
>> > We are using JWT token after user name/password authentication for the
>> > subsequent http request. The JWT token returned as access-token and the
>> > subsequent request need to include x-aacess-token as part of request.
>> > Otherwise, the server under scan simply rejects http request with 401.
>> >
>> > Is this feature being developed or can someone point me to the code
>> > where I can customize myself.
>> >
>> > Thanks,
>> >
>> > Jay
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: John M. <joh...@gm...> - 2015-08-05 20:42:19
|
I can help with this

On Aug 5, 2015 4:41 PM, "Andres Riancho" <and...@gm...> wrote:

> Jay,
>
> Interesting subject, never came across JSON web tokens before.
>
> AFAIK nobody is working on adding this feature to the framework,
> but I would be happy if you give it a try. There seems to be a library
> we can use to handle all the encoding stuff [0] and some notes on the
> w3af-specifics:
>
> * The plugins need to be 100% abstracted of the way requests
> are encoded. Changes to JSON web tokens will only affect files in
> w3af/core/
> * One of the most important abstractions you'll have to
> understand to add JWT to w3af is mutants [1]. Follow the code by
> looking for all the usages of JSONMutant and it should be easy to
> understand what they are.
> * The other abstraction to be added for JWT is a container [2]
>
> A couple of links that might help:
> * https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
> * https://github.com/andresriancho/w3af/wiki/Contributing-101
>
> Feel free to ask me any questions via this mailing list, or use
> the new issue I've just created [3]
>
> [0] https://github.com/jpadilla/pyjwt/
> [1] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
> [2] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
> [3] https://github.com/andresriancho/w3af/issues/11875
>
> On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong <jay...@ve...> wrote:
> > Hi,
> >
> > We are using JWT token after user name/password authentication for the
> > subsequent http request. The JWT token returned as access-token and the
> > subsequent request need to include x-aacess-token as part of request.
> > Otherwise, the server under scan simply rejects http request with 401.
> >
> > Is this feature being developed or can someone point me to the code where I
> > can customize myself.
> >
> > Thanks,
> >
> > Jay
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
|
From: Andres R. <and...@gm...> - 2015-08-05 20:40:48
|
Jay,

Interesting subject, never came across JSON web tokens before.

AFAIK nobody is working on adding this feature to the framework, but I would be happy if you give it a try. There seems to be a library we can use to handle all the encoding stuff [0] and some notes on the w3af-specifics:

* The plugins need to be 100% abstracted of the way requests are encoded. Changes to JSON web tokens will only affect files in w3af/core/
* One of the most important abstractions you'll have to understand to add JWT to w3af is mutants [1]. Follow the code by looking for all the usages of JSONMutant and it should be easy to understand what they are.
* The other abstraction to be added for JWT is a container [2]

A couple of links that might help:
* https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
* https://github.com/andresriancho/w3af/wiki/Contributing-101

Feel free to ask me any questions via this mailing list, or use the new issue I've just created [3]

[0] https://github.com/jpadilla/pyjwt/
[1] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
[2] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
[3] https://github.com/andresriancho/w3af/issues/11875

On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong <jay...@ve...> wrote:
> Hi,
>
> We are using JWT token after user name/password authentication for the
> subsequent http request. The JWT token returned as access-token and the
> subsequent request need to include x-aacess-token as part of request.
> Otherwise, the server under scan simply rejects http request with 401.
>
> Is this feature being developed or can someone point me to the code where I
> can customize myself.
>
> Thanks,
>
> Jay

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
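The container and mutant abstractions named in the message above, as an added example that is not part of the thread and is not w3af code: a container exposes the claims inside an HS256 token as named parameters, and each mutant is a re-signed token with exactly one claim replaced, so code working on parameters never sees the encoding. `JWTContainer`, `mutants`, `is_valid`, the key and the sample token are hypothetical and constructed; the HS256 encoding is done with the standard library here, where a real implementation could delegate it to the pyjwt library linked in the message.

```python
import base64
import hashlib
import hmac
import json


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(signing_input, key):
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())


def encode_hs256(claims, key):
    """Serialize and sign a claims dict as a compact HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
             for part in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + _signature(signing_input, key)


class JWTContainer:
    """Hypothetical data container: token claims become named parameters."""

    def __init__(self, token, key):
        header_b64, payload_b64, signature = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("only HS256 is handled in this sketch")
        expected = _signature(header_b64 + "." + payload_b64, key)
        if not hmac.compare_digest(expected.encode("ascii"), signature.encode("ascii")):
            raise ValueError("signature mismatch")
        self._key = key
        self.claims = json.loads(_unb64url(payload_b64))

    def parameters(self):
        return sorted(self.claims)

    def with_value(self, name, value):
        """Return a re-signed token with one claim replaced, the rest intact."""
        if name not in self.claims:
            raise KeyError(name)
        changed = dict(self.claims)
        changed[name] = value
        return encode_hs256(changed, self._key)


def mutants(token, key, probe):
    """One token per claim; each differs from the original in a single claim."""
    container = JWTContainer(token, key)
    return {name: container.with_value(name, probe) for name in container.parameters()}


def is_valid(token, key):
    """True when the token parses and its signature verifies under `key`."""
    try:
        JWTContainer(token, key)
        return True
    except ValueError:
        return False


# Constructed sample input: a key and token for a local test application.
SAMPLE_KEY = b"constructed-test-key"
SAMPLE_TOKEN = encode_hs256({"user": "alice", "q": "books"}, SAMPLE_KEY)

if __name__ == "__main__":
    for claim, token in mutants(SAMPLE_TOKEN, SAMPLE_KEY, "probe-1").items():
        print(claim, JWTContainer(token, SAMPLE_KEY).claims)
```

A token whose payload is edited without re-signing fails `is_valid`, which is why the container needs the test application's signing key to produce mutants the server will accept.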