w3af-develop — dev list for w3af

[W3af-develop] taras branch cleanup @ w3af repository

[Andres R. <and...@gm...>]

Taras,

    There is a branch [0] which hasn't been touched in 3 years, and I
was wondering if I could remove it. I believe this branch came from
the SVN migration, and doesn't have anything useful in it, but I'll
wait for your confirmation before removing. Thanks!

[0] https://github.com/andresriancho/w3af/tree/taras

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

@Taras: That's odd...

On Sun, Mar 30, 2014 at 3:58 PM, Taras <ox...@ox...> wrote:
> Andres, it is strange but now everything is fine...
> I see normal tree in KB Browser.
>
> 30.03.2014 20:27, Andres Riancho пишет:
>
>> Taras,
>>
>>      Can't repro (see screenshot). If you see the console where you're
>> running w3af_gui , is there anything there that could be useful?
>> Traceback? Error?
>>
>> Regards,
>>
>> On Sun, Mar 30, 2014 at 12:45 PM, Taras <ox...@ox...> wrote:
>>>
>>> Any. KB Browser is empty in all.
>>>
>>> 30.03.2014 19:35, Andres Riancho пишет:
>>>
>>>> Any random vulns, or just of some specific type?
>>>>
>>>> On Sun, Mar 30, 2014 at 12:24 PM, Taras <ox...@ox...> wrote:
>>>>>
>>>>>
>>>>> I have found another issue. During the scan using w3af_gui I see some
>>>>> vulns
>>>>> in Log tab but "Results -> KB Browser" is empty.
>>>>>
>>>>> 30.03.2014 19:02, Taras пишет:
>>>>>
>>>>>> Andres,
>>>>>>
>>>>>> workaround with "--system-site-packages" has helped, thanks.
>>>>>> P.S. I also had to delete some installed system packages like pdfminer
>>>>>> because of version conflicts.
>>>>>>
>>>>>> 30.03.2014 18:00, Andres Riancho пишет:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> This might help:
>>>>>>>
>>>>>>> cd ~
>>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>>> pip install virtualenv
>>>>>>> mkdir w3af-release
>>>>>>> cd w3af-release
>>>>>>> virtualenv --system-site-packages venv
>>>>>>> . venv/bin/activate
>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>> cd w3af
>>>>>>> git checkout develop
>>>>>>> ./w3af_gui
>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>
>>>>>>> Note the added "--system-site-packages"
>>>>>>>
>>>>>>> On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
>>>>>>> <and...@gm...> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> You might be hitting something like this [0], where your virtualenv
>>>>>>>> doesn't have access to the package installed using "apt-get"
>>>>>>>>
>>>>>>>> [0]
>>>>>>>> http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>>>>>>>>
>>>>>>>> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
>>>>>>>> <and...@gm...> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> And if inside the virtualenv you run:
>>>>>>>>>
>>>>>>>>> pip freeze | grep gtk
>>>>>>>>>
>>>>>>>>> You get something?
>>>>>>>>>
>>>>>>>>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Ok, install them all. Try ./w3af_gui
>>>>>>>>>>>>
>>>>>>>>>>>> Actual result:
>>>>>>>>>>>>
>>>>>>>>>>>> $ ./w3af_gui
>>>>>>>>>>>> The GTK package requirements are not met, please make sure your
>>>>>>>>>>>> system
>>>>>>>>>>>> meets
>>>>>>>>>>>> these requirements:
>>>>>>>>>>>>          - PyGTK >= 2.12
>>>>>>>>>>>>          - GTK >= 2.12
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> OS? What do you get when running:
>>>>>>>>>>>
>>>>>>>>>>>              import pygtk
>>>>>>>>>>>              pygtk.require('2.0')
>>>>>>>>>>>              import gtk
>>>>>>>>>>>              import gobject
>>>>>>>>>>>              print gtk.gtk_version >= (2, 12)
>>>>>>>>>>>              print gtk.pygtk_version >= (2, 12)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Ops, sorry I forget about this information.
>>>>>>>>>>
>>>>>>>>>> $ lsb_release -a
>>>>>>>>>> No LSB modules are available.
>>>>>>>>>> Distributor ID: Ubuntu
>>>>>>>>>> Description:    Ubuntu 13.10
>>>>>>>>>> Release:        13.10
>>>>>>>>>> Codename:       saucy
>>>>>>>>>>
>>>>>>>>>> *Inside* virtualenv:
>>>>>>>>>>
>>>>>>>>>> $ python -c 'import gtk'
>>>>>>>>>> Traceback (most recent call last):
>>>>>>>>>>       File "<string>", line 1, in <module>
>>>>>>>>>> ImportError: No module named gtk
>>>>>>>>>>
>>>>>>>>>> Outside:
>>>>>>>>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>>>>>>>>> (2, 24, 0)
>>>>>>>>>>
>>>>>>>>>> pygtk is installed as system package
>>>>>>>>>>
>>>>>>>>>> $ dpkg -l | grep python-gtk
>>>>>>>>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> List,
>>>>>>>>>>>>>
>>>>>>>>>>>>>           Every now and then I ask for a favor, nd... well...
>>>>>>>>>>>>> now
>>>>>>>>>>>>> I'm
>>>>>>>>>>>>>
>>>>>>>>>>>>> asking for one! The next release will be on Monday, and I need
>>>>>>>>>>>>> you
>>>>>>>>>>>>> to
>>>>>>>>>>>>> test w3af to make sure it doesn't have any critical bugs before
>>>>>>>>>>>>> I
>>>>>>>>>>>>> merge into develop into master.
>>>>>>>>>>>>>
>>>>>>>>>>>>>           I've been working hard on fixing a ton of bugs,
>>>>>>>>>>>>> improving
>>>>>>>>>>>>> performance, continuous integration and many other things.
>>>>>>>>>>>>>
>>>>>>>>>>>>>           All 1300+ unittests PASS in the continuous
>>>>>>>>>>>>> integration
>>>>>>>>>>>>> system, but
>>>>>>>>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>>>>>>>>> minutes to help, please follow these steps to install a
>>>>>>>>>>>>> virtualenv
>>>>>>>>>>>>> with w3af inside:
>>>>>>>>>>>>>
>>>>>>>>>>>>> cd ~
>>>>>>>>>>>>> apt-get install -y python-pip # This step might change in your
>>>>>>>>>>>>> OS
>>>>>>>>>>>>> pip install virtualenv
>>>>>>>>>>>>> mkdir w3af-release
>>>>>>>>>>>>> cd w3af-release
>>>>>>>>>>>>> virtualenv venv
>>>>>>>>>>>>> . venv/bin/activate
>>>>>>>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>>>>>>>> cd w3af
>>>>>>>>>>>>> git checkout develop
>>>>>>>>>>>>> ./w3af_gui
>>>>>>>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>>>>>>>
>>>>>>>>>>>>>           Please report any installation bugs here [0].
>>>>>>>>>>>>>
>>>>>>>>>>>>>           Now the fun part :) Scan a site! In the same console
>>>>>>>>>>>>> (where
>>>>>>>>>>>>> virtualenv is enabled) run:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ./w3af_gui
>>>>>>>>>>>>>
>>>>>>>>>>>>>           Configure w3af [1] and run a scan. Please report any
>>>>>>>>>>>>> tracebacks,
>>>>>>>>>>>>> false positives, false negatives, etc. here [0]. All your bug
>>>>>>>>>>>>> reports
>>>>>>>>>>>>> will be much appreciated!
>>>>>>>>>>>>>
>>>>>>>>>>>>>           Thanks!
>>>>>>>>>>>>>
>>>>>>>>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>>>>>>>>> [1]
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Taras
>>>>>>>>>>>> https://www.oxdef.info
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Taras
>>>>>>>>>> https://www.oxdef.info
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andrés Riancho
>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>> Twitter: @w3af
>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Andrés Riancho
>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>> Twitter: @w3af
>>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Taras
>>>>> https://www.oxdef.info
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>>
>>
>>
>>
>
> --
> Taras
> https://www.oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Taras <ox...@ox...>]

Andres, it is strange but now everything is fine...
I see normal tree in KB Browser.

30.03.2014 20:27, Andres Riancho пишет:
> Taras,
>
>      Can't repro (see screenshot). If you see the console where you're
> running w3af_gui , is there anything there that could be useful?
> Traceback? Error?
>
> Regards,
>
> On Sun, Mar 30, 2014 at 12:45 PM, Taras <ox...@ox...> wrote:
>> Any. KB Browser is empty in all.
>>
>> 30.03.2014 19:35, Andres Riancho пишет:
>>
>>> Any random vulns, or just of some specific type?
>>>
>>> On Sun, Mar 30, 2014 at 12:24 PM, Taras <ox...@ox...> wrote:
>>>>
>>>> I have found another issue. During the scan using w3af_gui I see some
>>>> vulns
>>>> in Log tab but "Results -> KB Browser" is empty.
>>>>
>>>> 30.03.2014 19:02, Taras пишет:
>>>>
>>>>> Andres,
>>>>>
>>>>> workaround with "--system-site-packages" has helped, thanks.
>>>>> P.S. I also had to delete some installed system packages like pdfminer
>>>>> because of version conflicts.
>>>>>
>>>>> 30.03.2014 18:00, Andres Riancho пишет:
>>>>>>
>>>>>>
>>>>>> This might help:
>>>>>>
>>>>>> cd ~
>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>> pip install virtualenv
>>>>>> mkdir w3af-release
>>>>>> cd w3af-release
>>>>>> virtualenv --system-site-packages venv
>>>>>> . venv/bin/activate
>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>> cd w3af
>>>>>> git checkout develop
>>>>>> ./w3af_gui
>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>
>>>>>> Note the added "--system-site-packages"
>>>>>>
>>>>>> On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
>>>>>> <and...@gm...> wrote:
>>>>>>>
>>>>>>>
>>>>>>> You might be hitting something like this [0], where your virtualenv
>>>>>>> doesn't have access to the package installed using "apt-get"
>>>>>>>
>>>>>>> [0]
>>>>>>> http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>>>>>>>
>>>>>>> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
>>>>>>> <and...@gm...> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> And if inside the virtualenv you run:
>>>>>>>>
>>>>>>>> pip freeze | grep gtk
>>>>>>>>
>>>>>>>> You get something?
>>>>>>>>
>>>>>>>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Ok, install them all. Try ./w3af_gui
>>>>>>>>>>>
>>>>>>>>>>> Actual result:
>>>>>>>>>>>
>>>>>>>>>>> $ ./w3af_gui
>>>>>>>>>>> The GTK package requirements are not met, please make sure your
>>>>>>>>>>> system
>>>>>>>>>>> meets
>>>>>>>>>>> these requirements:
>>>>>>>>>>>          - PyGTK >= 2.12
>>>>>>>>>>>          - GTK >= 2.12
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> OS? What do you get when running:
>>>>>>>>>>
>>>>>>>>>>              import pygtk
>>>>>>>>>>              pygtk.require('2.0')
>>>>>>>>>>              import gtk
>>>>>>>>>>              import gobject
>>>>>>>>>>              print gtk.gtk_version >= (2, 12)
>>>>>>>>>>              print gtk.pygtk_version >= (2, 12)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ops, sorry I forget about this information.
>>>>>>>>>
>>>>>>>>> $ lsb_release -a
>>>>>>>>> No LSB modules are available.
>>>>>>>>> Distributor ID: Ubuntu
>>>>>>>>> Description:    Ubuntu 13.10
>>>>>>>>> Release:        13.10
>>>>>>>>> Codename:       saucy
>>>>>>>>>
>>>>>>>>> *Inside* virtualenv:
>>>>>>>>>
>>>>>>>>> $ python -c 'import gtk'
>>>>>>>>> Traceback (most recent call last):
>>>>>>>>>       File "<string>", line 1, in <module>
>>>>>>>>> ImportError: No module named gtk
>>>>>>>>>
>>>>>>>>> Outside:
>>>>>>>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>>>>>>>> (2, 24, 0)
>>>>>>>>>
>>>>>>>>> pygtk is installed as system package
>>>>>>>>>
>>>>>>>>> $ dpkg -l | grep python-gtk
>>>>>>>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> List,
>>>>>>>>>>>>
>>>>>>>>>>>>           Every now and then I ask for a favor, nd... well... now
>>>>>>>>>>>> I'm
>>>>>>>>>>>>
>>>>>>>>>>>> asking for one! The next release will be on Monday, and I need
>>>>>>>>>>>> you
>>>>>>>>>>>> to
>>>>>>>>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>>>>>>>>> merge into develop into master.
>>>>>>>>>>>>
>>>>>>>>>>>>           I've been working hard on fixing a ton of bugs,
>>>>>>>>>>>> improving
>>>>>>>>>>>> performance, continuous integration and many other things.
>>>>>>>>>>>>
>>>>>>>>>>>>           All 1300+ unittests PASS in the continuous integration
>>>>>>>>>>>> system, but
>>>>>>>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>>>>>>>> minutes to help, please follow these steps to install a
>>>>>>>>>>>> virtualenv
>>>>>>>>>>>> with w3af inside:
>>>>>>>>>>>>
>>>>>>>>>>>> cd ~
>>>>>>>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>>>>>>>> pip install virtualenv
>>>>>>>>>>>> mkdir w3af-release
>>>>>>>>>>>> cd w3af-release
>>>>>>>>>>>> virtualenv venv
>>>>>>>>>>>> . venv/bin/activate
>>>>>>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>>>>>>> cd w3af
>>>>>>>>>>>> git checkout develop
>>>>>>>>>>>> ./w3af_gui
>>>>>>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>>>>>>
>>>>>>>>>>>>           Please report any installation bugs here [0].
>>>>>>>>>>>>
>>>>>>>>>>>>           Now the fun part :) Scan a site! In the same console
>>>>>>>>>>>> (where
>>>>>>>>>>>> virtualenv is enabled) run:
>>>>>>>>>>>>
>>>>>>>>>>>> ./w3af_gui
>>>>>>>>>>>>
>>>>>>>>>>>>           Configure w3af [1] and run a scan. Please report any
>>>>>>>>>>>> tracebacks,
>>>>>>>>>>>> false positives, false negatives, etc. here [0]. All your bug
>>>>>>>>>>>> reports
>>>>>>>>>>>> will be much appreciated!
>>>>>>>>>>>>
>>>>>>>>>>>>           Thanks!
>>>>>>>>>>>>
>>>>>>>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>>>>>>>> [1]
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Taras
>>>>>>>>>>> https://www.oxdef.info
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Taras
>>>>>>>>> https://www.oxdef.info
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Andrés Riancho
>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>> Twitter: @w3af
>>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> --
>>>> Taras
>>>> https://www.oxdef.info
>>>
>>>
>>>
>>>
>>
>> --
>> Taras
>> https://www.oxdef.info
>
>
>

-- 
Taras
https://www.oxdef.info

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

No no, my first answer was the rude one!
El 30/03/2014 15:34, "Achim Hoffmann" <web...@si...> escribió:

> Am 30.03.2014 18:23, schrieb Andres Riancho:
> >     That came out a little bit rude... let me rephrase that
>
> oops, sorry.
> It just happend while I tried to run w3af on a second older (than 1
> month;-) system
> and it failed totally.
>
> My apologies
> Achim
>
>

Re: [W3af-develop] Test the develop branch before Monday's release

[Achim H. <web...@si...>]

Am 30.03.2014 18:23, schrieb Andres Riancho:
>     That came out a little bit rude... let me rephrase that

oops, sorry.
It just happend while I tried to run w3af on a second older (than 1 month;-) system
and it failed totally.

My apologies
Achim

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

Taras,

    Can't repro (see screenshot). If you see the console where you're
running w3af_gui , is there anything there that could be useful?
Traceback? Error?

Regards,

On Sun, Mar 30, 2014 at 12:45 PM, Taras <ox...@ox...> wrote:
> Any. KB Browser is empty in all.
>
> 30.03.2014 19:35, Andres Riancho пишет:
>
>> Any random vulns, or just of some specific type?
>>
>> On Sun, Mar 30, 2014 at 12:24 PM, Taras <ox...@ox...> wrote:
>>>
>>> I have found another issue. During the scan using w3af_gui I see some
>>> vulns
>>> in Log tab but "Results -> KB Browser" is empty.
>>>
>>> 30.03.2014 19:02, Taras пишет:
>>>
>>>> Andres,
>>>>
>>>> workaround with "--system-site-packages" has helped, thanks.
>>>> P.S. I also had to delete some installed system packages like pdfminer
>>>> because of version conflicts.
>>>>
>>>> 30.03.2014 18:00, Andres Riancho пишет:
>>>>>
>>>>>
>>>>> This might help:
>>>>>
>>>>> cd ~
>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>> pip install virtualenv
>>>>> mkdir w3af-release
>>>>> cd w3af-release
>>>>> virtualenv --system-site-packages venv
>>>>> . venv/bin/activate
>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>> cd w3af
>>>>> git checkout develop
>>>>> ./w3af_gui
>>>>> . /tmp/w3af_dependency_install.sh
>>>>>
>>>>> Note the added "--system-site-packages"
>>>>>
>>>>> On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
>>>>> <and...@gm...> wrote:
>>>>>>
>>>>>>
>>>>>> You might be hitting something like this [0], where your virtualenv
>>>>>> doesn't have access to the package installed using "apt-get"
>>>>>>
>>>>>> [0]
>>>>>> http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>>>>>>
>>>>>> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
>>>>>> <and...@gm...> wrote:
>>>>>>>
>>>>>>>
>>>>>>> And if inside the virtualenv you run:
>>>>>>>
>>>>>>> pip freeze | grep gtk
>>>>>>>
>>>>>>> You get something?
>>>>>>>
>>>>>>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Ok, install them all. Try ./w3af_gui
>>>>>>>>>>
>>>>>>>>>> Actual result:
>>>>>>>>>>
>>>>>>>>>> $ ./w3af_gui
>>>>>>>>>> The GTK package requirements are not met, please make sure your
>>>>>>>>>> system
>>>>>>>>>> meets
>>>>>>>>>> these requirements:
>>>>>>>>>>         - PyGTK >= 2.12
>>>>>>>>>>         - GTK >= 2.12
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OS? What do you get when running:
>>>>>>>>>
>>>>>>>>>             import pygtk
>>>>>>>>>             pygtk.require('2.0')
>>>>>>>>>             import gtk
>>>>>>>>>             import gobject
>>>>>>>>>             print gtk.gtk_version >= (2, 12)
>>>>>>>>>             print gtk.pygtk_version >= (2, 12)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Ops, sorry I forget about this information.
>>>>>>>>
>>>>>>>> $ lsb_release -a
>>>>>>>> No LSB modules are available.
>>>>>>>> Distributor ID: Ubuntu
>>>>>>>> Description:    Ubuntu 13.10
>>>>>>>> Release:        13.10
>>>>>>>> Codename:       saucy
>>>>>>>>
>>>>>>>> *Inside* virtualenv:
>>>>>>>>
>>>>>>>> $ python -c 'import gtk'
>>>>>>>> Traceback (most recent call last):
>>>>>>>>      File "<string>", line 1, in <module>
>>>>>>>> ImportError: No module named gtk
>>>>>>>>
>>>>>>>> Outside:
>>>>>>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>>>>>>> (2, 24, 0)
>>>>>>>>
>>>>>>>> pygtk is installed as system package
>>>>>>>>
>>>>>>>> $ dpkg -l | grep python-gtk
>>>>>>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> List,
>>>>>>>>>>>
>>>>>>>>>>>          Every now and then I ask for a favor, nd... well... now
>>>>>>>>>>> I'm
>>>>>>>>>>>
>>>>>>>>>>> asking for one! The next release will be on Monday, and I need
>>>>>>>>>>> you
>>>>>>>>>>> to
>>>>>>>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>>>>>>>> merge into develop into master.
>>>>>>>>>>>
>>>>>>>>>>>          I've been working hard on fixing a ton of bugs,
>>>>>>>>>>> improving
>>>>>>>>>>> performance, continuous integration and many other things.
>>>>>>>>>>>
>>>>>>>>>>>          All 1300+ unittests PASS in the continuous integration
>>>>>>>>>>> system, but
>>>>>>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>>>>>>> minutes to help, please follow these steps to install a
>>>>>>>>>>> virtualenv
>>>>>>>>>>> with w3af inside:
>>>>>>>>>>>
>>>>>>>>>>> cd ~
>>>>>>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>>>>>>> pip install virtualenv
>>>>>>>>>>> mkdir w3af-release
>>>>>>>>>>> cd w3af-release
>>>>>>>>>>> virtualenv venv
>>>>>>>>>>> . venv/bin/activate
>>>>>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>>>>>> cd w3af
>>>>>>>>>>> git checkout develop
>>>>>>>>>>> ./w3af_gui
>>>>>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>>>>>
>>>>>>>>>>>          Please report any installation bugs here [0].
>>>>>>>>>>>
>>>>>>>>>>>          Now the fun part :) Scan a site! In the same console
>>>>>>>>>>> (where
>>>>>>>>>>> virtualenv is enabled) run:
>>>>>>>>>>>
>>>>>>>>>>> ./w3af_gui
>>>>>>>>>>>
>>>>>>>>>>>          Configure w3af [1] and run a scan. Please report any
>>>>>>>>>>> tracebacks,
>>>>>>>>>>> false positives, false negatives, etc. here [0]. All your bug
>>>>>>>>>>> reports
>>>>>>>>>>> will be much appreciated!
>>>>>>>>>>>
>>>>>>>>>>>          Thanks!
>>>>>>>>>>>
>>>>>>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>>>>>>> [1]
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Taras
>>>>>>>>>> https://www.oxdef.info
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Taras
>>>>>>>> https://www.oxdef.info
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Andrés Riancho
>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>> Web Application Attack and Audit Framework
>>>>>> Twitter: @w3af
>>>>>> GPG: 0x93C344F3
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>>
>>
>>
>>
>
> --
> Taras
> https://www.oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

Achim,

    That came out a little bit rude... let me rephrase that :)

    I believe that it would be an awesome feature, but really hard to
code, test and maintain. I'm personally not interested in it, so I
won't do it myself, but if someone else wants to, I'm totally on board
and will merge all the pull requests.

    Let me explain why I believe it is difficult:
        * Some python dependencies have C code. That would need to be
compiled for different platforms (x86, 64, arm?)
        * Some python dependencies are wrappers around C libraries:
gtk for example. Those are difficult to bundle in a OS agnostic way,
and will also suffer from the issues from the previous point
        * It is not common, but in some cases (like with Mac and OSX
[0]) there are different dependencies for specific systems

    Not saying it is impossible... maybe things like Python wheel [1]
is what you're looking for?

    Another, more radical option would be to release w3af also as a
docker [2] image. I've experimented with that, but it seems a little
bit too new for now, since most users don't have the latest kernel
(which is a requirement for docker).

[0] https://github.com/andresriancho/w3af/issues/485
[1] http://pythonwheels.com/
[2] https://www.docker.io/

Regards,

On Sun, Mar 30, 2014 at 12:59 PM, Andres Riancho
<and...@gm...> wrote:
> That would be awesome. If you send me a pull request I'll hapily merge it.
>
> El 30/03/2014 12:44, "Achim Hoffmann" <web...@si...> escribió:
>
>> Andrés, Taras,
>>
>> it would be nice to get a w3af which runs on plain old unpatched systems
>> I.e. not everyone has, or can, or would like to install a bunch of python
>> gimmicks on her/his/ system to get one single tool running (potentially
>> breaking others).
>>
>> Is there any way that w3af contains anything it needs?
>> I can live with something simple like
>>
>>         curl ...some.website.../w3af.tgz|tar xf -&&./w3af_gui
>>
>> KISS - keep it simple secure
>> Achim
>>
>> Am 30.03.2014 17:02, schrieb Taras:
>> > Andres,
>> >
>> > workaround with "--system-site-packages" has helped, thanks.
>> > P.S. I also had to delete some installed system packages like pdfminer
>> > because of version conflicts.
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

That would be awesome. If you send me a pull request I'll hapily merge it.
El 30/03/2014 12:44, "Achim Hoffmann" <web...@si...> escribió:

> Andrés, Taras,
>
> it would be nice to get a w3af which runs on plain old unpatched systems
> I.e. not everyone has, or can, or would like to install a bunch of python
> gimmicks on her/his/ system to get one single tool running (potentially
> breaking others).
>
> Is there any way that w3af contains anything it needs?
> I can live with something simple like
>
>         curl ...some.website.../w3af.tgz|tar xf -&&./w3af_gui
>
> KISS - keep it simple secure
> Achim
>
> Am 30.03.2014 17:02, schrieb Taras:
> > Andres,
> >
> > workaround with "--system-site-packages" has helped, thanks.
> > P.S. I also had to delete some installed system packages like pdfminer
> > because of version conflicts.
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>

Re: [W3af-develop] Test the develop branch before Monday's release

[Taras <ox...@ox...>]

Any. KB Browser is empty in all.

30.03.2014 19:35, Andres Riancho пишет:
> Any random vulns, or just of some specific type?
>
> On Sun, Mar 30, 2014 at 12:24 PM, Taras <ox...@ox...> wrote:
>> I have found another issue. During the scan using w3af_gui I see some vulns
>> in Log tab but "Results -> KB Browser" is empty.
>>
>> 30.03.2014 19:02, Taras пишет:
>>
>>> Andres,
>>>
>>> workaround with "--system-site-packages" has helped, thanks.
>>> P.S. I also had to delete some installed system packages like pdfminer
>>> because of version conflicts.
>>>
>>> 30.03.2014 18:00, Andres Riancho пишет:
>>>>
>>>> This might help:
>>>>
>>>> cd ~
>>>> apt-get install -y python-pip # This step might change in your OS
>>>> pip install virtualenv
>>>> mkdir w3af-release
>>>> cd w3af-release
>>>> virtualenv --system-site-packages venv
>>>> . venv/bin/activate
>>>> git clone https://github.com/andresriancho/w3af.git
>>>> cd w3af
>>>> git checkout develop
>>>> ./w3af_gui
>>>> . /tmp/w3af_dependency_install.sh
>>>>
>>>> Note the added "--system-site-packages"
>>>>
>>>> On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
>>>> <and...@gm...> wrote:
>>>>>
>>>>> You might be hitting something like this [0], where your virtualenv
>>>>> doesn't have access to the package installed using "apt-get"
>>>>>
>>>>> [0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>>>>>
>>>>> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
>>>>> <and...@gm...> wrote:
>>>>>>
>>>>>> And if inside the virtualenv you run:
>>>>>>
>>>>>> pip freeze | grep gtk
>>>>>>
>>>>>> You get something?
>>>>>>
>>>>>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>>>>>>
>>>>>>>>> Ok, install them all. Try ./w3af_gui
>>>>>>>>>
>>>>>>>>> Actual result:
>>>>>>>>>
>>>>>>>>> $ ./w3af_gui
>>>>>>>>> The GTK package requirements are not met, please make sure your
>>>>>>>>> system
>>>>>>>>> meets
>>>>>>>>> these requirements:
>>>>>>>>>         - PyGTK >= 2.12
>>>>>>>>>         - GTK >= 2.12
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> OS? What do you get when running:
>>>>>>>>
>>>>>>>>             import pygtk
>>>>>>>>             pygtk.require('2.0')
>>>>>>>>             import gtk
>>>>>>>>             import gobject
>>>>>>>>             print gtk.gtk_version >= (2, 12)
>>>>>>>>             print gtk.pygtk_version >= (2, 12)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Ops, sorry I forget about this information.
>>>>>>>
>>>>>>> $ lsb_release -a
>>>>>>> No LSB modules are available.
>>>>>>> Distributor ID: Ubuntu
>>>>>>> Description:    Ubuntu 13.10
>>>>>>> Release:        13.10
>>>>>>> Codename:       saucy
>>>>>>>
>>>>>>> *Inside* virtualenv:
>>>>>>>
>>>>>>> $ python -c 'import gtk'
>>>>>>> Traceback (most recent call last):
>>>>>>>      File "<string>", line 1, in <module>
>>>>>>> ImportError: No module named gtk
>>>>>>>
>>>>>>> Outside:
>>>>>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>>>>>> (2, 24, 0)
>>>>>>>
>>>>>>> pygtk is installed as system package
>>>>>>>
>>>>>>> $ dpkg -l | grep python-gtk
>>>>>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> List,
>>>>>>>>>>
>>>>>>>>>>          Every now and then I ask for a favor, nd... well... now I'm
>>>>>>>>>>
>>>>>>>>>> asking for one! The next release will be on Monday, and I need you
>>>>>>>>>> to
>>>>>>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>>>>>>> merge into develop into master.
>>>>>>>>>>
>>>>>>>>>>          I've been working hard on fixing a ton of bugs, improving
>>>>>>>>>> performance, continuous integration and many other things.
>>>>>>>>>>
>>>>>>>>>>          All 1300+ unittests PASS in the continuous integration
>>>>>>>>>> system, but
>>>>>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>>>>>> minutes to help, please follow these steps to install a virtualenv
>>>>>>>>>> with w3af inside:
>>>>>>>>>>
>>>>>>>>>> cd ~
>>>>>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>>>>>> pip install virtualenv
>>>>>>>>>> mkdir w3af-release
>>>>>>>>>> cd w3af-release
>>>>>>>>>> virtualenv venv
>>>>>>>>>> . venv/bin/activate
>>>>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>>>>> cd w3af
>>>>>>>>>> git checkout develop
>>>>>>>>>> ./w3af_gui
>>>>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>>>>
>>>>>>>>>>          Please report any installation bugs here [0].
>>>>>>>>>>
>>>>>>>>>>          Now the fun part :) Scan a site! In the same console (where
>>>>>>>>>> virtualenv is enabled) run:
>>>>>>>>>>
>>>>>>>>>> ./w3af_gui
>>>>>>>>>>
>>>>>>>>>>          Configure w3af [1] and run a scan. Please report any
>>>>>>>>>> tracebacks,
>>>>>>>>>> false positives, false negatives, etc. here [0]. All your bug
>>>>>>>>>> reports
>>>>>>>>>> will be much appreciated!
>>>>>>>>>>
>>>>>>>>>>          Thanks!
>>>>>>>>>>
>>>>>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>>>>>> [1]
>>>>>>>>>>
>>>>>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Taras
>>>>>>>>> https://www.oxdef.info
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Taras
>>>>>>> https://www.oxdef.info
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Andrés Riancho
>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>> Web Application Attack and Audit Framework
>>>>>> Twitter: @w3af
>>>>>> GPG: 0x93C344F3
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Project Leader at w3af - http://w3af.org/
>>>>> Web Application Attack and Audit Framework
>>>>> Twitter: @w3af
>>>>> GPG: 0x93C344F3
>>>>
>>>>
>>>>
>>>>
>>>
>>
>> --
>> Taras
>> https://www.oxdef.info
>
>
>

-- 
Taras
https://www.oxdef.info

Re: [W3af-develop] Test the develop branch before Monday's release

[Achim H. <web...@si...>]

Andrés, Taras,

it would be nice to get a w3af which runs on plain old unpatched systems
I.e. not everyone has, or can, or would like to install a bunch of python
gimmicks on her/his/ system to get one single tool running (potentially
breaking others).

Is there any way that w3af contains anything it needs?
I can live with something simple like

	curl ...some.website.../w3af.tgz|tar xf -&&./w3af_gui

KISS - keep it simple secure
Achim
 
Am 30.03.2014 17:02, schrieb Taras:
> Andres,
> 
> workaround with "--system-site-packages" has helped, thanks.
> P.S. I also had to delete some installed system packages like pdfminer 
> because of version conflicts.

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

Any random vulns, or just of some specific type?

On Sun, Mar 30, 2014 at 12:24 PM, Taras <ox...@ox...> wrote:
> I have found another issue. During the scan using w3af_gui I see some vulns
> in Log tab but "Results -> KB Browser" is empty.
>
> 30.03.2014 19:02, Taras пишет:
>
>> Andres,
>>
>> workaround with "--system-site-packages" has helped, thanks.
>> P.S. I also had to delete some installed system packages like pdfminer
>> because of version conflicts.
>>
>> 30.03.2014 18:00, Andres Riancho пишет:
>>>
>>> This might help:
>>>
>>> cd ~
>>> apt-get install -y python-pip # This step might change in your OS
>>> pip install virtualenv
>>> mkdir w3af-release
>>> cd w3af-release
>>> virtualenv --system-site-packages venv
>>> . venv/bin/activate
>>> git clone https://github.com/andresriancho/w3af.git
>>> cd w3af
>>> git checkout develop
>>> ./w3af_gui
>>> . /tmp/w3af_dependency_install.sh
>>>
>>> Note the added "--system-site-packages"
>>>
>>> On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
>>> <and...@gm...> wrote:
>>>>
>>>> You might be hitting something like this [0], where your virtualenv
>>>> doesn't have access to the package installed using "apt-get"
>>>>
>>>> [0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>>>>
>>>> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
>>>> <and...@gm...> wrote:
>>>>>
>>>>> And if inside the virtualenv you run:
>>>>>
>>>>> pip freeze | grep gtk
>>>>>
>>>>> You get something?
>>>>>
>>>>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>>>>>
>>>>>>>> Ok, install them all. Try ./w3af_gui
>>>>>>>>
>>>>>>>> Actual result:
>>>>>>>>
>>>>>>>> $ ./w3af_gui
>>>>>>>> The GTK package requirements are not met, please make sure your
>>>>>>>> system
>>>>>>>> meets
>>>>>>>> these requirements:
>>>>>>>>        - PyGTK >= 2.12
>>>>>>>>        - GTK >= 2.12
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> OS? What do you get when running:
>>>>>>>
>>>>>>>            import pygtk
>>>>>>>            pygtk.require('2.0')
>>>>>>>            import gtk
>>>>>>>            import gobject
>>>>>>>            print gtk.gtk_version >= (2, 12)
>>>>>>>            print gtk.pygtk_version >= (2, 12)
>>>>>>
>>>>>>
>>>>>>
>>>>>> Ops, sorry I forget about this information.
>>>>>>
>>>>>> $ lsb_release -a
>>>>>> No LSB modules are available.
>>>>>> Distributor ID: Ubuntu
>>>>>> Description:    Ubuntu 13.10
>>>>>> Release:        13.10
>>>>>> Codename:       saucy
>>>>>>
>>>>>> *Inside* virtualenv:
>>>>>>
>>>>>> $ python -c 'import gtk'
>>>>>> Traceback (most recent call last):
>>>>>>     File "<string>", line 1, in <module>
>>>>>> ImportError: No module named gtk
>>>>>>
>>>>>> Outside:
>>>>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>>>>> (2, 24, 0)
>>>>>>
>>>>>> pygtk is installed as system package
>>>>>>
>>>>>> $ dpkg -l | grep python-gtk
>>>>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> List,
>>>>>>>>>
>>>>>>>>>         Every now and then I ask for a favor, nd... well... now I'm
>>>>>>>>>
>>>>>>>>> asking for one! The next release will be on Monday, and I need you
>>>>>>>>> to
>>>>>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>>>>>> merge into develop into master.
>>>>>>>>>
>>>>>>>>>         I've been working hard on fixing a ton of bugs, improving
>>>>>>>>> performance, continuous integration and many other things.
>>>>>>>>>
>>>>>>>>>         All 1300+ unittests PASS in the continuous integration
>>>>>>>>> system, but
>>>>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>>>>> minutes to help, please follow these steps to install a virtualenv
>>>>>>>>> with w3af inside:
>>>>>>>>>
>>>>>>>>> cd ~
>>>>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>>>>> pip install virtualenv
>>>>>>>>> mkdir w3af-release
>>>>>>>>> cd w3af-release
>>>>>>>>> virtualenv venv
>>>>>>>>> . venv/bin/activate
>>>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>>>> cd w3af
>>>>>>>>> git checkout develop
>>>>>>>>> ./w3af_gui
>>>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>>>
>>>>>>>>>         Please report any installation bugs here [0].
>>>>>>>>>
>>>>>>>>>         Now the fun part :) Scan a site! In the same console (where
>>>>>>>>> virtualenv is enabled) run:
>>>>>>>>>
>>>>>>>>> ./w3af_gui
>>>>>>>>>
>>>>>>>>>         Configure w3af [1] and run a scan. Please report any
>>>>>>>>> tracebacks,
>>>>>>>>> false positives, false negatives, etc. here [0]. All your bug
>>>>>>>>> reports
>>>>>>>>> will be much appreciated!
>>>>>>>>>
>>>>>>>>>         Thanks!
>>>>>>>>>
>>>>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>>>>> [1]
>>>>>>>>>
>>>>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Taras
>>>>>>>> https://www.oxdef.info
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Taras
>>>>>> https://www.oxdef.info
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Project Leader at w3af - http://w3af.org/
>>>>> Web Application Attack and Audit Framework
>>>>> Twitter: @w3af
>>>>> GPG: 0x93C344F3
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>> Twitter: @w3af
>>>> GPG: 0x93C344F3
>>>
>>>
>>>
>>>
>>
>
> --
> Taras
> https://www.oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Taras <ox...@ox...>]

I have found another issue. During the scan using w3af_gui I see some 
vulns in Log tab but "Results -> KB Browser" is empty.

30.03.2014 19:02, Taras пишет:
> Andres,
>
> workaround with "--system-site-packages" has helped, thanks.
> P.S. I also had to delete some installed system packages like pdfminer
> because of version conflicts.
>
> 30.03.2014 18:00, Andres Riancho пишет:
>> This might help:
>>
>> cd ~
>> apt-get install -y python-pip # This step might change in your OS
>> pip install virtualenv
>> mkdir w3af-release
>> cd w3af-release
>> virtualenv --system-site-packages venv
>> . venv/bin/activate
>> git clone https://github.com/andresriancho/w3af.git
>> cd w3af
>> git checkout develop
>> ./w3af_gui
>> . /tmp/w3af_dependency_install.sh
>>
>> Note the added "--system-site-packages"
>>
>> On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
>> <and...@gm...> wrote:
>>> You might be hitting something like this [0], where your virtualenv
>>> doesn't have access to the package installed using "apt-get"
>>>
>>> [0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>>>
>>> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
>>> <and...@gm...> wrote:
>>>> And if inside the virtualenv you run:
>>>>
>>>> pip freeze | grep gtk
>>>>
>>>> You get something?
>>>>
>>>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>>>> Ok, install them all. Try ./w3af_gui
>>>>>>>
>>>>>>> Actual result:
>>>>>>>
>>>>>>> $ ./w3af_gui
>>>>>>> The GTK package requirements are not met, please make sure your system
>>>>>>> meets
>>>>>>> these requirements:
>>>>>>>        - PyGTK >= 2.12
>>>>>>>        - GTK >= 2.12
>>>>>>
>>>>>>
>>>>>> OS? What do you get when running:
>>>>>>
>>>>>>            import pygtk
>>>>>>            pygtk.require('2.0')
>>>>>>            import gtk
>>>>>>            import gobject
>>>>>>            print gtk.gtk_version >= (2, 12)
>>>>>>            print gtk.pygtk_version >= (2, 12)
>>>>>
>>>>>
>>>>> Ops, sorry I forget about this information.
>>>>>
>>>>> $ lsb_release -a
>>>>> No LSB modules are available.
>>>>> Distributor ID: Ubuntu
>>>>> Description:    Ubuntu 13.10
>>>>> Release:        13.10
>>>>> Codename:       saucy
>>>>>
>>>>> *Inside* virtualenv:
>>>>>
>>>>> $ python -c 'import gtk'
>>>>> Traceback (most recent call last):
>>>>>     File "<string>", line 1, in <module>
>>>>> ImportError: No module named gtk
>>>>>
>>>>> Outside:
>>>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>>>> (2, 24, 0)
>>>>>
>>>>> pygtk is installed as system package
>>>>>
>>>>> $ dpkg -l | grep python-gtk
>>>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>>>
>>>>>>>>
>>>>>>>> List,
>>>>>>>>
>>>>>>>>         Every now and then I ask for a favor, nd... well... now I'm
>>>>>>>>
>>>>>>>> asking for one! The next release will be on Monday, and I need you to
>>>>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>>>>> merge into develop into master.
>>>>>>>>
>>>>>>>>         I've been working hard on fixing a ton of bugs, improving
>>>>>>>> performance, continuous integration and many other things.
>>>>>>>>
>>>>>>>>         All 1300+ unittests PASS in the continuous integration system, but
>>>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>>>> minutes to help, please follow these steps to install a virtualenv
>>>>>>>> with w3af inside:
>>>>>>>>
>>>>>>>> cd ~
>>>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>>>> pip install virtualenv
>>>>>>>> mkdir w3af-release
>>>>>>>> cd w3af-release
>>>>>>>> virtualenv venv
>>>>>>>> . venv/bin/activate
>>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>>> cd w3af
>>>>>>>> git checkout develop
>>>>>>>> ./w3af_gui
>>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>>
>>>>>>>>         Please report any installation bugs here [0].
>>>>>>>>
>>>>>>>>         Now the fun part :) Scan a site! In the same console (where
>>>>>>>> virtualenv is enabled) run:
>>>>>>>>
>>>>>>>> ./w3af_gui
>>>>>>>>
>>>>>>>>         Configure w3af [1] and run a scan. Please report any tracebacks,
>>>>>>>> false positives, false negatives, etc. here [0]. All your bug reports
>>>>>>>> will be much appreciated!
>>>>>>>>
>>>>>>>>         Thanks!
>>>>>>>>
>>>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>>>> [1]
>>>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Taras
>>>>>>> https://www.oxdef.info
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Taras
>>>>> https://www.oxdef.info
>>>>
>>>>
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>> Twitter: @w3af
>>>> GPG: 0x93C344F3
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>>
>

-- 
Taras
https://www.oxdef.info

Re: [W3af-develop] Test the develop branch before Monday's release

[Taras <ox...@ox...>]

Andres,

workaround with "--system-site-packages" has helped, thanks.
P.S. I also had to delete some installed system packages like pdfminer 
because of version conflicts.

30.03.2014 18:00, Andres Riancho пишет:
> This might help:
>
> cd ~
> apt-get install -y python-pip # This step might change in your OS
> pip install virtualenv
> mkdir w3af-release
> cd w3af-release
> virtualenv --system-site-packages venv
> . venv/bin/activate
> git clone https://github.com/andresriancho/w3af.git
> cd w3af
> git checkout develop
> ./w3af_gui
> . /tmp/w3af_dependency_install.sh
>
> Note the added "--system-site-packages"
>
> On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
> <and...@gm...> wrote:
>> You might be hitting something like this [0], where your virtualenv
>> doesn't have access to the package installed using "apt-get"
>>
>> [0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>>
>> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
>> <and...@gm...> wrote:
>>> And if inside the virtualenv you run:
>>>
>>> pip freeze | grep gtk
>>>
>>> You get something?
>>>
>>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>>> Ok, install them all. Try ./w3af_gui
>>>>>>
>>>>>> Actual result:
>>>>>>
>>>>>> $ ./w3af_gui
>>>>>> The GTK package requirements are not met, please make sure your system
>>>>>> meets
>>>>>> these requirements:
>>>>>>       - PyGTK >= 2.12
>>>>>>       - GTK >= 2.12
>>>>>
>>>>>
>>>>> OS? What do you get when running:
>>>>>
>>>>>           import pygtk
>>>>>           pygtk.require('2.0')
>>>>>           import gtk
>>>>>           import gobject
>>>>>           print gtk.gtk_version >= (2, 12)
>>>>>           print gtk.pygtk_version >= (2, 12)
>>>>
>>>>
>>>> Ops, sorry I forget about this information.
>>>>
>>>> $ lsb_release -a
>>>> No LSB modules are available.
>>>> Distributor ID: Ubuntu
>>>> Description:    Ubuntu 13.10
>>>> Release:        13.10
>>>> Codename:       saucy
>>>>
>>>> *Inside* virtualenv:
>>>>
>>>> $ python -c 'import gtk'
>>>> Traceback (most recent call last):
>>>>    File "<string>", line 1, in <module>
>>>> ImportError: No module named gtk
>>>>
>>>> Outside:
>>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>>> (2, 24, 0)
>>>>
>>>> pygtk is installed as system package
>>>>
>>>> $ dpkg -l | grep python-gtk
>>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>>
>>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>>
>>>>>>>
>>>>>>> List,
>>>>>>>
>>>>>>>        Every now and then I ask for a favor, nd... well... now I'm
>>>>>>>
>>>>>>> asking for one! The next release will be on Monday, and I need you to
>>>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>>>> merge into develop into master.
>>>>>>>
>>>>>>>        I've been working hard on fixing a ton of bugs, improving
>>>>>>> performance, continuous integration and many other things.
>>>>>>>
>>>>>>>        All 1300+ unittests PASS in the continuous integration system, but
>>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>>> minutes to help, please follow these steps to install a virtualenv
>>>>>>> with w3af inside:
>>>>>>>
>>>>>>> cd ~
>>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>>> pip install virtualenv
>>>>>>> mkdir w3af-release
>>>>>>> cd w3af-release
>>>>>>> virtualenv venv
>>>>>>> . venv/bin/activate
>>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>>> cd w3af
>>>>>>> git checkout develop
>>>>>>> ./w3af_gui
>>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>>
>>>>>>>        Please report any installation bugs here [0].
>>>>>>>
>>>>>>>        Now the fun part :) Scan a site! In the same console (where
>>>>>>> virtualenv is enabled) run:
>>>>>>>
>>>>>>> ./w3af_gui
>>>>>>>
>>>>>>>        Configure w3af [1] and run a scan. Please report any tracebacks,
>>>>>>> false positives, false negatives, etc. here [0]. All your bug reports
>>>>>>> will be much appreciated!
>>>>>>>
>>>>>>>        Thanks!
>>>>>>>
>>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>>> [1]
>>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Taras
>>>>>> https://www.oxdef.info
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Taras
>>>> https://www.oxdef.info
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>
>

-- 
Taras
https://www.oxdef.info

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

This might help:

cd ~
apt-get install -y python-pip # This step might change in your OS
pip install virtualenv
mkdir w3af-release
cd w3af-release
virtualenv --system-site-packages venv
. venv/bin/activate
git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_gui
. /tmp/w3af_dependency_install.sh

Note the added "--system-site-packages"

On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho
<and...@gm...> wrote:
> You might be hitting something like this [0], where your virtualenv
> doesn't have access to the package installed using "apt-get"
>
> [0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>
> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
> <and...@gm...> wrote:
>> And if inside the virtualenv you run:
>>
>> pip freeze | grep gtk
>>
>> You get something?
>>
>> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>>> Ok, install them all. Try ./w3af_gui
>>>>>
>>>>> Actual result:
>>>>>
>>>>> $ ./w3af_gui
>>>>> The GTK package requirements are not met, please make sure your system
>>>>> meets
>>>>> these requirements:
>>>>>      - PyGTK >= 2.12
>>>>>      - GTK >= 2.12
>>>>
>>>>
>>>> OS? What do you get when running:
>>>>
>>>>          import pygtk
>>>>          pygtk.require('2.0')
>>>>          import gtk
>>>>          import gobject
>>>>          print gtk.gtk_version >= (2, 12)
>>>>          print gtk.pygtk_version >= (2, 12)
>>>
>>>
>>> Ops, sorry I forget about this information.
>>>
>>> $ lsb_release -a
>>> No LSB modules are available.
>>> Distributor ID: Ubuntu
>>> Description:    Ubuntu 13.10
>>> Release:        13.10
>>> Codename:       saucy
>>>
>>> *Inside* virtualenv:
>>>
>>> $ python -c 'import gtk'
>>> Traceback (most recent call last):
>>>   File "<string>", line 1, in <module>
>>> ImportError: No module named gtk
>>>
>>> Outside:
>>> $ python -c 'import gtk;print gtk.pygtk_version'
>>> (2, 24, 0)
>>>
>>> pygtk is installed as system package
>>>
>>> $ dpkg -l | grep python-gtk
>>> ii  python-gtk2                           2.24.0-3ubuntu1
>>>
>>>
>>>
>>>
>>>>
>>>>>
>>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>>
>>>>>>
>>>>>> List,
>>>>>>
>>>>>>       Every now and then I ask for a favor, nd... well... now I'm
>>>>>>
>>>>>> asking for one! The next release will be on Monday, and I need you to
>>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>>> merge into develop into master.
>>>>>>
>>>>>>       I've been working hard on fixing a ton of bugs, improving
>>>>>> performance, continuous integration and many other things.
>>>>>>
>>>>>>       All 1300+ unittests PASS in the continuous integration system, but
>>>>>> there's nothing like real-user testing. If you have a couple of
>>>>>> minutes to help, please follow these steps to install a virtualenv
>>>>>> with w3af inside:
>>>>>>
>>>>>> cd ~
>>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>>> pip install virtualenv
>>>>>> mkdir w3af-release
>>>>>> cd w3af-release
>>>>>> virtualenv venv
>>>>>> . venv/bin/activate
>>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>>> cd w3af
>>>>>> git checkout develop
>>>>>> ./w3af_gui
>>>>>> . /tmp/w3af_dependency_install.sh
>>>>>>
>>>>>>       Please report any installation bugs here [0].
>>>>>>
>>>>>>       Now the fun part :) Scan a site! In the same console (where
>>>>>> virtualenv is enabled) run:
>>>>>>
>>>>>> ./w3af_gui
>>>>>>
>>>>>>       Configure w3af [1] and run a scan. Please report any tracebacks,
>>>>>> false positives, false negatives, etc. here [0]. All your bug reports
>>>>>> will be much appreciated!
>>>>>>
>>>>>>       Thanks!
>>>>>>
>>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>>> [1]
>>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>
>>>>> --
>>>>> Taras
>>>>> https://www.oxdef.info
>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

You might be hitting something like this [0], where your virtualenv
doesn't have access to the package installed using "apt-get"

[0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0

On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho
<and...@gm...> wrote:
> And if inside the virtualenv you run:
>
> pip freeze | grep gtk
>
> You get something?
>
> On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>>> Ok, install them all. Try ./w3af_gui
>>>>
>>>> Actual result:
>>>>
>>>> $ ./w3af_gui
>>>> The GTK package requirements are not met, please make sure your system
>>>> meets
>>>> these requirements:
>>>>      - PyGTK >= 2.12
>>>>      - GTK >= 2.12
>>>
>>>
>>> OS? What do you get when running:
>>>
>>>          import pygtk
>>>          pygtk.require('2.0')
>>>          import gtk
>>>          import gobject
>>>          print gtk.gtk_version >= (2, 12)
>>>          print gtk.pygtk_version >= (2, 12)
>>
>>
>> Ops, sorry I forget about this information.
>>
>> $ lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description:    Ubuntu 13.10
>> Release:        13.10
>> Codename:       saucy
>>
>> *Inside* virtualenv:
>>
>> $ python -c 'import gtk'
>> Traceback (most recent call last):
>>   File "<string>", line 1, in <module>
>> ImportError: No module named gtk
>>
>> Outside:
>> $ python -c 'import gtk;print gtk.pygtk_version'
>> (2, 24, 0)
>>
>> pygtk is installed as system package
>>
>> $ dpkg -l | grep python-gtk
>> ii  python-gtk2                           2.24.0-3ubuntu1
>>
>>
>>
>>
>>>
>>>>
>>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>>
>>>>>
>>>>> List,
>>>>>
>>>>>       Every now and then I ask for a favor, nd... well... now I'm
>>>>>
>>>>> asking for one! The next release will be on Monday, and I need you to
>>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>>> merge into develop into master.
>>>>>
>>>>>       I've been working hard on fixing a ton of bugs, improving
>>>>> performance, continuous integration and many other things.
>>>>>
>>>>>       All 1300+ unittests PASS in the continuous integration system, but
>>>>> there's nothing like real-user testing. If you have a couple of
>>>>> minutes to help, please follow these steps to install a virtualenv
>>>>> with w3af inside:
>>>>>
>>>>> cd ~
>>>>> apt-get install -y python-pip # This step might change in your OS
>>>>> pip install virtualenv
>>>>> mkdir w3af-release
>>>>> cd w3af-release
>>>>> virtualenv venv
>>>>> . venv/bin/activate
>>>>> git clone https://github.com/andresriancho/w3af.git
>>>>> cd w3af
>>>>> git checkout develop
>>>>> ./w3af_gui
>>>>> . /tmp/w3af_dependency_install.sh
>>>>>
>>>>>       Please report any installation bugs here [0].
>>>>>
>>>>>       Now the fun part :) Scan a site! In the same console (where
>>>>> virtualenv is enabled) run:
>>>>>
>>>>> ./w3af_gui
>>>>>
>>>>>       Configure w3af [1] and run a scan. Please report any tracebacks,
>>>>> false positives, false negatives, etc. here [0]. All your bug reports
>>>>> will be much appreciated!
>>>>>
>>>>>       Thanks!
>>>>>
>>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>>> [1]
>>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>>
>>>>> Regards,
>>>>>
>>>>
>>>> --
>>>> Taras
>>>> https://www.oxdef.info
>>>
>>>
>>>
>>>
>>
>> --
>> Taras
>> https://www.oxdef.info
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

And if inside the virtualenv you run:

pip freeze | grep gtk

You get something?

On Sun, Mar 30, 2014 at 10:26 AM, Taras <ox...@ox...> wrote:
>>> Ok, install them all. Try ./w3af_gui
>>>
>>> Actual result:
>>>
>>> $ ./w3af_gui
>>> The GTK package requirements are not met, please make sure your system
>>> meets
>>> these requirements:
>>>      - PyGTK >= 2.12
>>>      - GTK >= 2.12
>>
>>
>> OS? What do you get when running:
>>
>>          import pygtk
>>          pygtk.require('2.0')
>>          import gtk
>>          import gobject
>>          print gtk.gtk_version >= (2, 12)
>>          print gtk.pygtk_version >= (2, 12)
>
>
> Ops, sorry I forget about this information.
>
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 13.10
> Release:        13.10
> Codename:       saucy
>
> *Inside* virtualenv:
>
> $ python -c 'import gtk'
> Traceback (most recent call last):
>   File "<string>", line 1, in <module>
> ImportError: No module named gtk
>
> Outside:
> $ python -c 'import gtk;print gtk.pygtk_version'
> (2, 24, 0)
>
> pygtk is installed as system package
>
> $ dpkg -l | grep python-gtk
> ii  python-gtk2                           2.24.0-3ubuntu1
>
>
>
>
>>
>>>
>>> 28.03.2014 01:18, Andres Riancho пишет:
>>>>
>>>>
>>>> List,
>>>>
>>>>       Every now and then I ask for a favor, nd... well... now I'm
>>>>
>>>> asking for one! The next release will be on Monday, and I need you to
>>>> test w3af to make sure it doesn't have any critical bugs before I
>>>> merge into develop into master.
>>>>
>>>>       I've been working hard on fixing a ton of bugs, improving
>>>> performance, continuous integration and many other things.
>>>>
>>>>       All 1300+ unittests PASS in the continuous integration system, but
>>>> there's nothing like real-user testing. If you have a couple of
>>>> minutes to help, please follow these steps to install a virtualenv
>>>> with w3af inside:
>>>>
>>>> cd ~
>>>> apt-get install -y python-pip # This step might change in your OS
>>>> pip install virtualenv
>>>> mkdir w3af-release
>>>> cd w3af-release
>>>> virtualenv venv
>>>> . venv/bin/activate
>>>> git clone https://github.com/andresriancho/w3af.git
>>>> cd w3af
>>>> git checkout develop
>>>> ./w3af_gui
>>>> . /tmp/w3af_dependency_install.sh
>>>>
>>>>       Please report any installation bugs here [0].
>>>>
>>>>       Now the fun part :) Scan a site! In the same console (where
>>>> virtualenv is enabled) run:
>>>>
>>>> ./w3af_gui
>>>>
>>>>       Configure w3af [1] and run a scan. Please report any tracebacks,
>>>> false positives, false negatives, etc. here [0]. All your bug reports
>>>> will be much appreciated!
>>>>
>>>>       Thanks!
>>>>
>>>> [0] https://github.com/andresriancho/w3af/issues/new
>>>> [1]
>>>> http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>>
>>>> Regards,
>>>>
>>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>>
>>
>>
>>
>
> --
> Taras
> https://www.oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Taras <ox...@ox...>]

>> Ok, install them all. Try ./w3af_gui
>>
>> Actual result:
>>
>> $ ./w3af_gui
>> The GTK package requirements are not met, please make sure your system meets
>> these requirements:
>>      - PyGTK >= 2.12
>>      - GTK >= 2.12
>
> OS? What do you get when running:
>
>          import pygtk
>          pygtk.require('2.0')
>          import gtk
>          import gobject
>          print gtk.gtk_version >= (2, 12)
>          print gtk.pygtk_version >= (2, 12)

Ops, sorry I forget about this information.

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 13.10
Release:	13.10
Codename:	saucy

*Inside* virtualenv:

$ python -c 'import gtk'
Traceback (most recent call last):
   File "<string>", line 1, in <module>
ImportError: No module named gtk

Outside:
$ python -c 'import gtk;print gtk.pygtk_version'
(2, 24, 0)

pygtk is installed as system package

$ dpkg -l | grep python-gtk
ii  python-gtk2                           2.24.0-3ubuntu1



>
>>
>> 28.03.2014 01:18, Andres Riancho пишет:
>>>
>>> List,
>>>
>>>       Every now and then I ask for a favor, nd... well... now I'm
>>>
>>> asking for one! The next release will be on Monday, and I need you to
>>> test w3af to make sure it doesn't have any critical bugs before I
>>> merge into develop into master.
>>>
>>>       I've been working hard on fixing a ton of bugs, improving
>>> performance, continuous integration and many other things.
>>>
>>>       All 1300+ unittests PASS in the continuous integration system, but
>>> there's nothing like real-user testing. If you have a couple of
>>> minutes to help, please follow these steps to install a virtualenv
>>> with w3af inside:
>>>
>>> cd ~
>>> apt-get install -y python-pip # This step might change in your OS
>>> pip install virtualenv
>>> mkdir w3af-release
>>> cd w3af-release
>>> virtualenv venv
>>> . venv/bin/activate
>>> git clone https://github.com/andresriancho/w3af.git
>>> cd w3af
>>> git checkout develop
>>> ./w3af_gui
>>> . /tmp/w3af_dependency_install.sh
>>>
>>>       Please report any installation bugs here [0].
>>>
>>>       Now the fun part :) Scan a site! In the same console (where
>>> virtualenv is enabled) run:
>>>
>>> ./w3af_gui
>>>
>>>       Configure w3af [1] and run a scan. Please report any tracebacks,
>>> false positives, false negatives, etc. here [0]. All your bug reports
>>> will be much appreciated!
>>>
>>>       Thanks!
>>>
>>> [0] https://github.com/andresriancho/w3af/issues/new
>>> [1] http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>>
>>> Regards,
>>>
>>
>> --
>> Taras
>> https://www.oxdef.info
>
>
>

-- 
Taras
https://www.oxdef.info

Re: [W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

On Sun, Mar 30, 2014 at 6:56 AM, Taras <ox...@ox...> wrote:
> Andres,
>
> don't sure if it is w3af installation bug but after first ./w3af_gui
> have
>
> $ cat /tmp/w3af_dependency_install.sh
> #!/bin/bash
>
> # Run without sudo to install inside venvpip install clamd==1.0.1
> PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.11 esmre==0.3.1
> nltk==2.0.4 chardet==2.1.1 pdfminer==20110515 futures==2.1.5
> pyOpenSSL==0.13.1 lxml==2.3.2 scapy-real==2.2.0-dev guess-language==0.2
> cluster==1.1.1b3 msgpack-python==0.2.4 python-ntlm==1.0.1 halberd==0.2.4
> xdot==0.6
> pip install --ignore-installed
> git+https://github.com/andresriancho/phply.git#egg=phply
>
> Take into attention that there is command to install only phply (missing new
> line before pip?).

Crap! That was an important new line! Commit && push.

> Ok, install them all. Try ./w3af_gui
>
> Actual result:
>
> $ ./w3af_gui
> The GTK package requirements are not met, please make sure your system meets
> these requirements:
>     - PyGTK >= 2.12
>     - GTK >= 2.12

OS? What do you get when running:

        import pygtk
        pygtk.require('2.0')
        import gtk
        import gobject
        print gtk.gtk_version >= (2, 12)
        print gtk.pygtk_version >= (2, 12)

>
> 28.03.2014 01:18, Andres Riancho пишет:
>>
>> List,
>>
>>      Every now and then I ask for a favor, nd... well... now I'm
>>
>> asking for one! The next release will be on Monday, and I need you to
>> test w3af to make sure it doesn't have any critical bugs before I
>> merge into develop into master.
>>
>>      I've been working hard on fixing a ton of bugs, improving
>> performance, continuous integration and many other things.
>>
>>      All 1300+ unittests PASS in the continuous integration system, but
>> there's nothing like real-user testing. If you have a couple of
>> minutes to help, please follow these steps to install a virtualenv
>> with w3af inside:
>>
>> cd ~
>> apt-get install -y python-pip # This step might change in your OS
>> pip install virtualenv
>> mkdir w3af-release
>> cd w3af-release
>> virtualenv venv
>> . venv/bin/activate
>> git clone https://github.com/andresriancho/w3af.git
>> cd w3af
>> git checkout develop
>> ./w3af_gui
>> . /tmp/w3af_dependency_install.sh
>>
>>      Please report any installation bugs here [0].
>>
>>      Now the fun part :) Scan a site! In the same console (where
>> virtualenv is enabled) run:
>>
>> ./w3af_gui
>>
>>      Configure w3af [1] and run a scan. Please report any tracebacks,
>> false positives, false negatives, etc. here [0]. All your bug reports
>> will be much appreciated!
>>
>>      Thanks!
>>
>> [0] https://github.com/andresriancho/w3af/issues/new
>> [1] http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>>
>> Regards,
>>
>
> --
> Taras
> https://www.oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Test the develop branch before Monday's release

[Taras <ox...@ox...>]

Andres,

don't sure if it is w3af installation bug but after first ./w3af_gui
have

$ cat /tmp/w3af_dependency_install.sh
#!/bin/bash

# Run without sudo to install inside venvpip install clamd==1.0.1 
PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.11 
esmre==0.3.1 nltk==2.0.4 chardet==2.1.1 pdfminer==20110515 
futures==2.1.5 pyOpenSSL==0.13.1 lxml==2.3.2 scapy-real==2.2.0-dev 
guess-language==0.2 cluster==1.1.1b3 msgpack-python==0.2.4 
python-ntlm==1.0.1 halberd==0.2.4 xdot==0.6
pip install --ignore-installed 
git+https://github.com/andresriancho/phply.git#egg=phply

Take into attention that there is command to install only phply (missing 
new line before pip?).
Ok, install them all. Try ./w3af_gui

Actual result:

$ ./w3af_gui
The GTK package requirements are not met, please make sure your system 
meets these requirements:
     - PyGTK >= 2.12
     - GTK >= 2.12


28.03.2014 01:18, Andres Riancho пишет:
> List,
>
>      Every now and then I ask for a favor, nd... well... now I'm
> asking for one! The next release will be on Monday, and I need you to
> test w3af to make sure it doesn't have any critical bugs before I
> merge into develop into master.
>
>      I've been working hard on fixing a ton of bugs, improving
> performance, continuous integration and many other things.
>
>      All 1300+ unittests PASS in the continuous integration system, but
> there's nothing like real-user testing. If you have a couple of
> minutes to help, please follow these steps to install a virtualenv
> with w3af inside:
>
> cd ~
> apt-get install -y python-pip # This step might change in your OS
> pip install virtualenv
> mkdir w3af-release
> cd w3af-release
> virtualenv venv
> . venv/bin/activate
> git clone https://github.com/andresriancho/w3af.git
> cd w3af
> git checkout develop
> ./w3af_gui
> . /tmp/w3af_dependency_install.sh
>
>      Please report any installation bugs here [0].
>
>      Now the fun part :) Scan a site! In the same console (where
> virtualenv is enabled) run:
>
> ./w3af_gui
>
>      Configure w3af [1] and run a scan. Please report any tracebacks,
> false positives, false negatives, etc. here [0]. All your bug reports
> will be much appreciated!
>
>      Thanks!
>
> [0] https://github.com/andresriancho/w3af/issues/new
> [1] http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>
> Regards,
>

-- 
Taras
https://www.oxdef.info

[W3af-develop] Test the develop branch before Monday's release

[Andres R. <and...@gm...>]

List,

    Every now and then I ask for a favor, and... well... now I'm
asking for one! The next release will be on Monday, and I need you to
test w3af to make sure it doesn't have any critical bugs before I
merge into develop into master.

    I've been working hard on fixing a ton of bugs, improving
performance, continuous integration and many other things.

    All 1300+ unittests PASS in the continuous integration system, but
there's nothing like real-user testing. If you have a couple of
minutes to help, please follow these steps to install a virtualenv
with w3af inside:

cd ~
apt-get install -y python-pip # This step might change in your OS
pip install virtualenv
mkdir w3af-release
cd w3af-release
virtualenv venv
. venv/bin/activate
git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_gui
. /tmp/w3af_dependency_install.sh

    Please report any installation bugs here [0].

    Now the fun part :) Scan a site! In the same console (where
virtualenv is enabled) run:

./w3af_gui

    Configure w3af [1] and run a scan. Please report any tracebacks,
false positives, false negatives, etc. here [0]. All your bug reports
will be much appreciated!

    Thanks!

[0] https://github.com/andresriancho/w3af/issues/new
[1] http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Freaking fast HTTP client

[Taras <ox...@ox...>]

Andres,

Unfortunately I'm not expert in multiprocessing in Python but the idea 
(use threads for plugins and gevent for processing http transactions) 
looks pretty good!

06.03.2014 21:12, Andres Riancho пишет:
> Another idea I've been playing with during the last days is to split
> w3af into two different processes:
>   * Main: plugins run here
>   * HTTPClient and response parser
>
> Potentially use multiprocessing to connect both using a multiprocesing.Queue.
>
> The reasons to split w3af's architecture in two are:
>   * The plugins have a moderate CPU usage, the parsers (html, pdf,
> etc.) use most of the CPU. Most workstations have more than one core,
> and we're only using one. Our HTTP request/response throughput is
> today limited by the CPU (parsing). If we move parsing to a different
> process we'll benefit from other core(s). To start with I believe the
> best is to have only one process doing HTTP+parsing; but the code
> should be written in such a way that we can have multiple processes
> for that.
>
>   * We use threads to send/receive HTTP requests/responses, which is
> not the best way to do it. They consume resources (memory) and are not
> as fast as other options. Threads and gevent (to name one) don't play
> well together, so it would bring many issues to have gevent and
> threads in the same process. That's why I'll split in two processes
> and use threads for plugins and gevent for sending http requests.
>
> NOT going to be working on this during the following months, but
> wanted to hear your input and experiences with architectures like the
> one proposed.
>
> Regards,
>
> On Tue, Jun 5, 2012 at 10:03 AM, Andres Riancho
> <and...@gm...> wrote:
>> Taras,
>>
>> On Mon, Jun 4, 2012 at 5:00 PM, Taras <ox...@ox...> wrote:
>>> Andres,
>>> geventhttpclient looks very fast HTTP client!
>>> Did you also try Twisted? Can you make simple comparison in req/s for:
>>>
>>> 1. currently used in w3af solution (urllib+threads)
>>> 2. geventhttpclient
>>> 3. Twisted
>>
>> I tried Twisted, not good compared with what geventhttpclient has to offer.
>>
>>>
>>>>      During the last hours I've been trying to find a faster HTTP
>>>> client to integrate into w3af, and also performed some experiments
>>>> [0]. After testing some implementations, clients, programming
>>>> methodologies, etc. It seems that I've found the winner:
>>>> geventhttpclient [1].
>>>>
>>>>      With my tests with different methods I was only able to achieve
>>>> ~650 req/s , but according to geventhttpclient's home page it can
>>>> achieve ~4000 req/s (when tested in my environment it was around ~3500
>>>> req/s). This is VERY impressive.
>>>>
>>>>      There are some bad things about this library, like the C code used
>>>> for parsing the HTTP response which could bring some issues to Windows
>>>> users; and its dependency on gevent which adds one more dependency to
>>>> w3af; but with such a huge perf enhancement... I don't care ;)
>>>
>>> geventhttpclient hasn't package even in Debian/Ubuntu :(
>>
>> Yep, it's a very new library, only released a couple of months ago,
>>
>>> Only gevent bindings for Python:
>>>
>>> $ aptitude search gevent
>>> p   python-gevent
>>
>> With that + geventhttpclient's code (which can be used without the
>> HTTP response parser and thus making it a pure-python library) we
>> should be ok. I'll finish the error handling stuff and then I'm
>> starting with some experiments with this library to see what we can
>> get.
>>
>>>
>>>>
>>>>      Has someone researched on the topic of fast HTTP clients? Opinions?
>>>> Ideas?
>>>>
>>>> [0]
>>>> http://sourceforge.net/apps/trac/w3af/browser/extras/measure_http?rev=5041
>>>> [1] https://github.com/gwik/geventhttpclient
>>>>
>>>> Regards,
>>>
>>>
>>>
>>> --
>>> Taras
>>> http://oxdef.info
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>
>

-- 
Taras
https://www.oxdef.info

Re: [W3af-develop] Help needed - SAML-based auth plugin

[Andres R. <and...@gm...>]

Andre,

On Fri, Mar 21, 2014 at 3:59 PM, Andre Daniels <and...@uc...> wrote:
> Andres,
>
> Thanks for the insanely quick reply.

Hopefully I'll keep it this way :D

> Sorry, I haven't yet figured out how to post to the actual thread...checking
> docs...

Just reply to all to the email and it should work.
I added you to the mailing list after your first email

> I cannot just add an option for the url. I need to know what url is being
> tested or to catch the redirect that will happen when the framework is
> trying to access a protected resource.

Hmmm... I believe I don't know enough about SAML to help you, maybe
the following <p> helps.

> The code I have currently doesn't do much. I will post it as soon as I know
> I am barking up the right tree. So the issue I see is this:

Recommendation: Write your plugin to work with the feature/module
branch. It will be the next stable release.

> When the w3af framework attempts to access a SAML protected url when running
> a plugin (say...spidering) it will be redirected to first login on the SSO
> server that is configured for that resource. (typically shibd)
> The auth plugin must intercept that redirect and manage the login on the SSO
> server. I have configuration parameters for u and pwd as in generic.py
> The auth plugin needs to inform the opener to post to a specific page on the
> original target to verify the SSO login was successful. There is javascript
> on the response from the SSO server that posts form data containing login
> verification data.
> That post, once verified by shibd,  will redirect the opener to the original
> requested resource
> The shibd daemon uses cookies to keep track of the session.
>
> Is this possible with an auth plugin? Where can I get hooks to this
> implement this process?

Hah! Well... it is the first time I've found something like this, and
the architecture isn't prepared for it. If we can make it work, it
will:
    * Be a hack
    * Require some re-architecture

For what I can see at [0] there will be a first login() call to all
auth plugins before starting the scan. Maybe that's where you want to
start doing things.

Also, the target can be found while the scan is running from the
w3afCore.target object. Not tested this code but it will give you the
idea:

from w3af.core.controllers.core_helpers.target import w3af_core_target
t = w3af_core_target()
opts = t.get_options()
print opts['targets']


[0] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/core_helpers/strategy.py#L437

> Thanks,
> Andre
>
> Remembering to remove signature this time...



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Help needed - SAML-based auth plugin

[Andres R. <and...@gm...>]

Andre,

On Fri, Mar 21, 2014 at 2:47 PM, Andre Daniels <and...@uc...> wrote:
>
> Hello All,
>
> I have not been able to find one so I am attempting to build a SAML-based
> auth plugin. I am digging around in the object hierarchy but I have not yet
> fully understood a couple of things and was hoping someone could give me
> some guidance. I have tested this script that can perform a SAML login using
> a urllib2 object and a CookieJar but I am not yet sure how to integrate this
> with the AuthPlugin class.
>
> The script executes this code:
>
> cj = cookielib.CookieJar()
> self.opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
>
> I am not sure how to intercept the urllib2 object that has the context of
> the actual tests being performed. I need to process a login and then set
> cookies for that object.
>
> I think I just need to use self.url_opener, yes? This object is the one
> actually performing the tests?

Yes, the self.url_opener of the auth plugins is the HTTP client used
to send requests during the whole test. You need to use that one to
authenticate with SAML, OR authenticate with a different one and then
set the cookies in self.url_opener.

> Additionally, how can I get the url being
> tested from that object?

Well, you don't get it from there because... it's not there!
I recommend you to use the plugin configuration (see: get_options /
set_options) to set the URL, username and password.

> I am currently attempting to use self.url_opener to login into our IDP and
> then set it's internal cookie jar with the cookies needed to perform further
> authenticated tests.

If you post your code to a gist, then I might be able to be of more help

> Let me know if you have an suggestions. Also, are there any additional
> documents describing the object model in w3af that I should view?

Nope, but I'm always here to help and we can write a nice RST document
for other auth plugin writers when we finish

Regards,

> Thanks,
> Andre
>
> --
> Andre Daniels
> Sr. Developer/Security Analyst
> University of California Santa Cruz
> (831)459-1980
> and...@uc...
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

[W3af-develop] Help needed - SAML-based auth plugin

[Andre D. <and...@uc...>]

Hello All,

I have not been able to find one so I am attempting to build a SAML-based
 auth plugin. I am digging around in the object hierarchy but I have not
yet fully understood a couple of things and was hoping someone could give
me some guidance. I have tested
this<https://github.com/djui/saml-client/blob/master/saml.py> script
that can perform a SAML login using a urllib2 object and a CookieJar but I
am not yet sure how to integrate this with the AuthPlugin class.

The script executes this code:

cj = cookielib.CookieJar()
self.opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

I am not sure how to intercept the urllib2 object that has the context of
the actual tests being performed. I need to process a login and then set
cookies for that object.

I think I just need to use self.url_opener, yes? This object is the one
actually performing the tests? Additionally, how can I get the url being
tested from that object?

I am currently attempting to use self.url_opener to login into our IDP and
then set it's internal cookie jar with the cookies needed to perform
further authenticated tests.

Let me know if you have an suggestions. Also, are there any additional
documents describing the object model in w3af that I should view?

Thanks,
Andre

-- 
Andre Daniels
Sr. Developer/Security Analyst
University of California Santa Cruz
(831)459-1980
and...@uc...

Re: [W3af-develop] Need help from Mac users!

[Leandro R. <lea...@gm...>]

Of course my dear


On Fri, Mar 21, 2014 at 2:00 PM, Andres Riancho <and...@gm...>wrote:

> But... you do have osx to run some tests, right?
>
> On Fri, Mar 21, 2014 at 1:58 PM, Leandro Reox <lea...@gm...>
> wrote:
> > I have a mac ... but it runs Debias as main os :)
> >
> > On Mar 21, 2014 1:38 PM, "Robin Wood" <ro...@di...> wrote:
> >>
> >> On 21 March 2014 16:35, Andres Riancho <and...@gm...>
> wrote:
> >> > You chickened out ;) ;)
> >>
> >> I don't have a Mac any more thank god.
> >>
> >> > On Fri, Mar 21, 2014 at 1:31 PM, Robin Wood <ro...@di...>
> wrote:
> >> >> On 21 March 2014 16:26, Andres Riancho <and...@gm...>
> >> >> wrote:
> >> >>> Robin, Leandro,
> >> >>>
> >> >>>     Thanks for volunteering, to help please join the IRC [0] so we
> can
> >> >>> chat. I'm __apr__ at the #w3af channel, I'm available now and until
> >> >>> 3pm GMT-3 (aprox)
> >> >>>
> >> >>
> >> >> Wasn't volunteering just pointing out the time had passed but I just
> >> >> realised I mis-read it it as 2PM GMT to 3PM GMT not 2PM GMT-3.
> >> >>
> >> >> Robin
> >> >>
> >> >>> [0] http://w3af.org/community
> >> >>>
> >> >>> On Fri, Mar 21, 2014 at 1:15 PM, Leandro Reox <
> lea...@gm...>
> >> >>> wrote:
> >> >>>> I can help you Andres
> >> >>>>
> >> >>>> On Mar 21, 2014 12:53 PM, "Andres Riancho" <
> and...@gm...>
> >> >>>> wrote:
> >> >>>>>
> >> >>>>> List,
> >> >>>>>
> >> >>>>>     I'm trying to fix an ugly bug that only affects Mac users [0]
> >> >>>>> and
> >> >>>>> because I don't have any installations of that OS it is really
> hard
> >> >>>>> to
> >> >>>>> make any progress. Could someone give me a hand? All you need is
> >> >>>>> some
> >> >>>>> time, minimal python knowledge and the will to help.
> >> >>>>>
> >> >>>>>     Find me at 2pm GMT-3 (in one hour) at IRC
> >> >>>>>     http://w3af.org/community
> >> >>>>>
> >> >>>>> [0] https://github.com/andresriancho/w3af/issues/485
> >> >>>>>
> >> >>>>> Regards,
> >> >>>>> --
> >> >>>>> Andrés Riancho
> >> >>>>> Project Leader at w3af - http://w3af.org/
> >> >>>>> Web Application Attack and Audit Framework
> >> >>>>> Twitter: @w3af
> >> >>>>> GPG: 0x93C344F3
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> ------------------------------------------------------------------------------
> >> >>>>> Learn Graph Databases - Download FREE O'Reilly Book
> >> >>>>> "Graph Databases" is the definitive new guide to graph databases
> and
> >> >>>>> their
> >> >>>>> applications. Written by three acclaimed leaders in the field,
> >> >>>>> this first edition is now available. Download your free book
> today!
> >> >>>>> http://p.sf.net/sfu/13534_NeoTech
> >> >>>>> _______________________________________________
> >> >>>>> W3af-develop mailing list
> >> >>>>> W3a...@li...
> >> >>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Andrés Riancho
> >> >>> Project Leader at w3af - http://w3af.org/
> >> >>> Web Application Attack and Audit Framework
> >> >>> Twitter: @w3af
> >> >>> GPG: 0x93C344F3
> >> >>>
> >> >>>
> >> >>>
> ------------------------------------------------------------------------------
> >> >>> Learn Graph Databases - Download FREE O'Reilly Book
> >> >>> "Graph Databases" is the definitive new guide to graph databases and
> >> >>> their
> >> >>> applications. Written by three acclaimed leaders in the field,
> >> >>> this first edition is now available. Download your free book today!
> >> >>> http://p.sf.net/sfu/13534_NeoTech
> >> >>> _______________________________________________
> >> >>> W3af-develop mailing list
> >> >>> W3a...@li...
> >> >>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >> >
> >> >
> >> >
> >> > --
> >> > Andrés Riancho
> >> > Project Leader at w3af - http://w3af.org/
> >> > Web Application Attack and Audit Framework
> >> > Twitter: @w3af
> >> > GPG: 0x93C344F3
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>