w3af-users Mailing List for w3af (Page 2)
Brought to you by: andresriancho
From: Volker S. <vol...@re...> - 2018-04-25 07:49:55

Hi,

I'm new to w3af and am starting to get deeper into authentication. I use only two plugins: crawl->web_spider and auth->detailed. The current site is using a form in phpLogin.php. This does a JS redirect, so I use phpAccountSummary.php to verify whether the user was logged in successfully (searching there for "Log out").

This is the config for auth.detailed:

    [auth.detailed]
    username = pen...@my...
    password = EGjv4gmj
    username_field = txtUsername
    password_field = txtPassword
    auth_url = https://vsprovider2.de.mysystem.com/phpLogin.php?action=login
    check_url = https://vsprovider2.de.mysystem.com/phpAccountSummary.php
    check_string = Log out
    data_format = %u=%U&%p=%P
    follow_redirects = False
    method = POST
    url_encode_params = True

According to the website logs, login for user "Pentest Pentest" (ID 3) was successful several times:

    2018-04-25 09:12:25 USER_LOGIN_SUCCESS Pentest Pentest (3)
    2018-04-25 09:12:20 USER_LOGIN_SUCCESS Pentest Pentest (3)
    2018-04-25 09:12:15 USER_LOGIN_SUCCESS Pentest Pentest (3)

In the GUI log I get this:

    [Mi 25 Apr 2018 09:12:25 CEST] Can't login into web application as pen...@my.../EGjv4gmj

In the console output (using the GUI) of w3af I can find entries like these:

    GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=19,from_cache=0,grep=0,rtt=0.01,did=None)
    User "pen...@my..." is NOT logged into the application
    POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with data: "txtUsername=pen...@my...&txtPassword=EGjv4gmj" returned HTTP code "200" (id=20,from_cache=0,grep=1,rtt=0.06,did=None)
    GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=21,from_cache=0,grep=0,rtt=0.03,did=None)
    User "pen...@my..." is currently logged into the application
    Login success for pen...@my.../EGjv4gmj
    detailed._login() took 0.11s to run
    (...many other spider entries...)
    GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=74,from_cache=0,grep=0,rtt=0.04,did=None)
    User "pen...@my..." is NOT logged into the application
    (...a few other spider entries...)
    GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=78,from_cache=0,grep=0,rtt=0.04,did=None)
    User "pen...@my..." is currently logged into the application
    Login success for pen...@my.../EGjv4gmj
    detailed._login() took 0.18s to run
    (...many other spider entries...)
    GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=111,from_cache=0,grep=0,rtt=0.01,did=None)
    User "pen...@my..." is NOT logged into the application
    web_spider.discover(https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php)
    web_spider is testing "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
    [web_spider] Crawling "https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php"
    GET https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php returned HTTP code "302" (id=112,from_cache=0,grep=1,rtt=0.01,did=None)
    web_spider.discover(uri="https://vsprovider2.de.mysystem.com/phpCreateRegifyLocal.php") took 0.02s to run
    POST https://vsprovider2.de.mysystem.com/phpLogin.php?action=login with data: "txtUsername=pen...@my...&txtPassword=EGjv4gmj" returned HTTP code "200" (id=113,from_cache=0,grep=1,rtt=0.07,did=None)
    GET https://vsprovider2.de.mysystem.com/phpAccountSummary.php returned HTTP code "200" (id=114,from_cache=0,grep=0,rtt=0.01,did=None)
    User "pen...@my..." is NOT logged into the application
    Can't login into web application as pen...@my.../EGjv4gmj

So these are very mixed results (sometimes success, sometimes not), and I do not know why it sometimes reports a successful login and sometimes does not. According to the request navigator and the results for phpLogin.php there, login was always successful when w3af sent the correct login data by POST.

I can see that phpAccountSummary.php delivered positive results sometimes. Also, even when it was successful, it seems it does not spider the links found in phpAccountSummary.php. None of the new links inside there are listed in the URLs found.

I can see that w3af does not send the session cookie received during the first phpLogin.php request all the time. It seems to forget it sometimes. If it is not set, the web page creates a new session ID and returns it, so the logged-in session is somehow lost. Why is it not always sending the session cookie? In Configuration->HTTP Config->Cookies, the ignore option is NOT set and cookie_jar_file is empty. Anything to do here?

I'm a little bit lost now because the things I see do not seem logical to me at all :(

Best
Kukulkan
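To make the login/check cycle in the post above concrete, here is an added example (editor's code, not w3af code and not part of the original thread): a toy form-login server and a client that performs the same POST-then-GET-check_string sequence as auth.detailed, once keeping the session cookie and once dropping it between the two requests. Everything in it is a hypothetical stand-in so it runs offline: the server itself, the cookie name PHPSESSID, the account pentest@example.invalid; only the check_string "Log out" and the field names txtUsername/txtPassword are taken from the config quoted above. Python standard library only.

```python
# Added example: a toy form-login server plus a client that performs the same
# POST-then-GET-check_string cycle as w3af's auth.detailed plugin. Not w3af code;
# cookie name, paths and credentials are hypothetical stand-ins so it runs offline.
import http.cookiejar
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERNAME = "pentest@example.invalid"   # assumed test account
PASSWORD = "EGjv4gmj"
CHECK_STRING = "Log out"               # check_string from the config in the post
SESSION_COOKIE = "PHPSESSID"           # assumed session cookie name


class FormLoginApp(BaseHTTPRequestHandler):
    """POST /phpLogin.php marks the caller's session as authenticated; GET
    /phpAccountSummary.php shows "Log out" only for an authenticated session.
    A request without a known session cookie gets a brand-new anonymous session,
    which is what a server does when a client drops the cookie it was given."""
    sessions = {}        # session id -> logged_in flag (shared across requests)
    counter = [0]

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _session(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == SESSION_COOKIE and value in self.sessions:
                return value, False
        self.counter[0] += 1
        sid = "sess%04d" % self.counter[0]
        self.sessions[sid] = False
        return sid, True

    def _reply(self, body, sid, fresh):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if fresh:  # only a new session gets a Set-Cookie, like most PHP apps
            self.send_header("Set-Cookie", "%s=%s; Path=/" % (SESSION_COOKIE, sid))
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        sid, fresh = self._session()
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if form.get("txtUsername") == [USERNAME] and form.get("txtPassword") == [PASSWORD]:
            self.sessions[sid] = True          # the server-side USER_LOGIN_SUCCESS
        # The real site answered with a JavaScript redirect; the body is irrelevant here.
        self._reply("<script>location='/phpAccountSummary.php'</script>", sid, fresh)

    def do_GET(self):
        sid, fresh = self._session()
        body = ("<a href='/phpLogout.php'>Log out</a>" if self.sessions[sid]
                else "<form method='post' action='/phpLogin.php'>...</form>")
        self._reply(body, sid, fresh)


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FormLoginApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def login_and_check(base_url, keep_cookie):
    """The auth.detailed cycle: POST the form, then GET check_url and search for
    check_string. With keep_cookie=False the cookie jar is emptied between the two
    requests, so the GET arrives without the session cookie and the server hands
    out a fresh anonymous session: the login itself succeeded, the check fails."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    data = urllib.parse.urlencode({"txtUsername": USERNAME, "txtPassword": PASSWORD}).encode()
    opener.open(base_url + "/phpLogin.php?action=login", data=data).read()
    if not keep_cookie:
        jar.clear()
    body = opener.open(base_url + "/phpAccountSummary.php").read().decode()
    return CHECK_STRING in body


def demo():
    srv, base = start_server()
    try:
        return login_and_check(base, keep_cookie=True), login_and_check(base, keep_cookie=False)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    with_cookie, without_cookie = demo()
    print("logged in, cookie kept:   ", with_cookie)      # True
    print("logged in, cookie dropped:", without_cookie)   # False
```

The second result is False although the server recorded a successful login on the POST: the check_url request arrived without the cookie, so the server answered for a fresh anonymous session. That pairing (a USER_LOGIN_SUCCESS in the application's own log, "NOT logged into the application" in the scanner) is the signature of a client that lost or never sent the session cookie, rather than of wrong credentials.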
From: Adrien de B. <adr...@gm...> - 2018-04-02 17:35:20

Hi Amanda,

It appears as though that web page is expecting forms-based authentication, not basic auth.

Cheers,
Adrien

On Mon, Apr 2, 2018 at 10:22 AM, Amanda <ama...@un...> wrote:
> Hello everyone!
>
> First of all, I would like to thank everyone that helped with my last question. I was able to find what I was looking for!
>
> I have another one: I'm trying to perform an authenticated scan, but I'm not succeeding.
>
> The page I'm trying to authenticate to is this one: http://prope.unesp.br/pibic/acesso_sistema.php. It's simple HTTP, so I thought that only with the following configuration I would be able to authenticate.
>
> This is how I have set w3af:
>
>     set basic_auth_user username
>     set basic_auth_passwd password
>     set basic_auth_domain http://prope.unesp.br/pibic/acesso_sistema.php
>
> However, it doesn't work; it looks like it keeps trying to authenticate and can't.
>
> Can someone help me?
>
> Thanks in advance.
>
> Amanda
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> W3af-users mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-users
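Adrien's distinction (HTTP basic auth versus a login form) is something you can check from a single response before configuring anything. The following is an added example, not from the thread and not w3af code: it classifies a response as HTTP Basic/Digest (where w3af's basic_auth_* settings apply) or as a login form (where the auth.detailed plugin applies) and pulls out the form's action, method and field names, which map onto auth.detailed's auth_url, method, username_field and password_field. The sample responses and the host target.invalid are constructed for the demo; nothing here was captured from a real site.

```python
# Added example, not from the original thread and not w3af code: look at one HTTP
# response and decide whether the target wants HTTP Basic/Digest auth (w3af's
# basic_auth_* settings) or a login form (w3af's auth.detailed plugin), and pull
# out the form details the latter needs. The sample responses below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin


class _FormScanner(HTMLParser):
    """Collect each <form> with its action, method and the names of its text-like
    and password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "text_fields": [], "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._current["password_fields"].append(a["name"])
            elif kind in ("text", "email", "tel"):
                self._current["text_fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_auth(url, status, headers, body):
    """Describe the authentication a response asks for.
    401 + WWW-Authenticate   -> {"kind": "http-basic"} (or "http-digest", ...)
    a form with a password   -> {"kind": "form", ...} with the fields auth.detailed needs
    anything else            -> {"kind": "none"}"""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        challenge = hdrs.get("www-authenticate", "")
        scheme = challenge.split(None, 1)[0].lower() if challenge else "unknown"
        return {"kind": "http-" + scheme, "challenge": challenge}
    scanner = _FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        if form["password_fields"]:
            return {"kind": "form",
                    "auth_url": urljoin(url, form["action"]) if form["action"] else url,
                    "method": form["method"],
                    "username_field": form["text_fields"][0] if form["text_fields"] else None,
                    "password_field": form["password_fields"][0]}
    return {"kind": "none"}


# Constructed sample responses (status, headers, body); not captured from any real host.
BASIC_401 = (401, {"WWW-Authenticate": 'Basic realm="restricted"'}, "<html>Unauthorized</html>")
FORM_200 = (200, {"Content-Type": "text/html"}, """
<html><body>
<form action="phpLogin.php?action=login" method="post">
  <input type="text" name="txtUsername">
  <input type="password" name="txtPassword">
  <input type="submit" value="Login">
</form></body></html>""")
PLAIN_200 = (200, {"Content-Type": "text/html"}, "<html><body><p>Public page</p></body></html>")


def demo():
    return (classify_auth("http://target.invalid/", *BASIC_401),
            classify_auth("http://target.invalid/acesso_sistema.php", *FORM_200),
            classify_auth("http://target.invalid/index.html", *PLAIN_200))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

If the result is "http-basic", the basic_auth_user/basic_auth_passwd/basic_auth_domain settings are the right tool; if it is "form", those settings will never satisfy the server and the returned auth_url, method, username_field and password_field are the values to put into auth.detailed instead, together with a check_url and check_string chosen from a page that only an authenticated session can see.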
From: Amanda <ama...@un...> - 2018-04-02 14:22:38

Hello everyone!

First of all, I would like to thank everyone that helped with my last question. I was able to find what I was looking for!

I have another one: I'm trying to perform an authenticated scan, but I'm not succeeding.

The page I'm trying to authenticate to is this one: http://prope.unesp.br/pibic/acesso_sistema.php. It's simple HTTP, so I thought that only with the following configuration I would be able to authenticate.

This is how I have set w3af:

    set basic_auth_user username
    set basic_auth_passwd password
    set basic_auth_domain http://prope.unesp.br/pibic/acesso_sistema.php

However, it doesn't work; it looks like it keeps trying to authenticate and can't.

Can someone help me?

Thanks in advance.

Amanda
From: Andres R. <and...@gm...> - 2018-03-16 13:44:55

Amanda,

Thanks for your email and sorry for the late response.

The vulnerability database data is in this repository [0] and there have been some efforts to translate it to other languages [1][2], but sadly I've been unable to deliver the fix for [2], which is a blocker for translations.

I'm completely new to the translation space; do you know about any tools we can use to help with the translations? If I complete [2], how would you provide the translations? A pull request?

[0] https://github.com/vulndb/data
[1] https://github.com/vulndb/data/issues/26
[2] https://github.com/vulndb/data/issues/30

On Mon, Mar 5, 2018 at 4:48 PM, Amanda <ama...@sj...> wrote:
> Hello!
>
> I would like to translate the vulnerabilities' descriptions (name, description, long description) in the XML reports to Brazilian Portuguese.
>
> However, I couldn't find the files that contain these descriptions and that are used to generate the XML reports. Can someone help me?
>
> Thank you in advance.
>
> Amanda

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Amanda <ama...@sj...> - 2018-03-05 19:49:08

Hello!

I would like to translate the vulnerabilities' descriptions (name, description, long description) in the XML reports to Brazilian Portuguese.

However, I couldn't find the files that contain these descriptions and that are used to generate the XML reports. Can someone help me?

Thank you in advance.

Amanda
From: Andres R. <and...@gm...> - 2017-09-05 12:26:11

Sorry, but I failed to understand the question. Could you please rephrase it?

On 5 Sept 2017 at 12:22 a.m., "MengYuan Yang" <my...@gm...> wrote:
>
> From the documentation, I know w3af will request a set of URLs, then scan them all.
>
> Can I feed w3af some URLs, then continue crawling and feed it more?
>
> I can split the scan task into many parts and scan it part by part, but is there an easy way to scan and crawl at the same time?
From: MengYuan Y. <my...@gm...> - 2017-09-05 03:21:53

From the documentation, I know w3af will request a set of URLs, then scan them all.

Can I feed w3af some URLs, then continue crawling and feed it more?

I can split the scan task into many parts and scan it part by part, but is there an easy way to scan and crawl at the same time?
From: Andres R. <and...@gm...> - 2017-05-17 17:41:45

Donald,

Sadly there is no JavaScript engine in w3af. There are plans [0] for implementing a JavaScript crawler, but I haven't worked on that idea in a while and have no plans on doing it either.

[0] https://github.com/andresriancho/w3af/milestone/9

On Mon, May 15, 2017 at 3:47 PM, Don Raikes <DON...@or...> wrote:
> Hello,
>
> I am new to w3af, and am attempting to test a web application that utilizes JavaScript for things like the login page and many other features; in fact it is a mostly JavaScript-based application.
>
> Does w3af work with this type of application?
> Is there anything special I need to do to get it to work?
>
> My first attempt resulted in no successful login to the application, but several broken links found.
>
> Thanks in advance,
> Donald
>
> --
> Thank you, Donald
>
> Donald Raikes | Accessibility Specialist / QA Security Point of Contact
> Phone: +15205744033
> Oracle Application Development Framework
>
> Oracle is committed to developing practices and products that help protect the environment

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Don R. <DON...@OR...> - 2017-05-15 18:47:42

Hello,

I am new to w3af, and am attempting to test a web application that utilizes JavaScript for things like the login page and many other features; in fact it is a mostly JavaScript-based application.

Does w3af work with this type of application?
Is there anything special I need to do to get it to work?

My first attempt resulted in no successful login to the application, but several broken links found.

Thanks in advance,
Donald

--
Thank you, Donald

Donald Raikes | Accessibility Specialist / QA Security Point of Contact
Phone: +15205744033
Oracle Application Development Framework

Oracle is committed to developing practices and products that help protect the environment
From: Andres R. <and...@gm...> - 2016-11-22 22:14:08

Ali,

I believe docs.w3af.org is the best source for w3af information and how to perform different tasks.

On Sat, Nov 5, 2016 at 1:38 PM, Ali Khalfan <ali...@gm...> wrote:
> Hi Andres,
>
> Where can I find the most recent tutorials related to w3af? I haven't been using it for a while and was considering adding it to my swiss army knife of pen test tools.
>
> Thanks,
>
> Ali

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2016-11-22 22:13:17

Waqas,

Some vulnerabilities, such as SQL injection, should display vulndb data [0] in the UI and some output reports. vulndb references OWASP Top 10 and CWE. The complete list of vulnerabilities which include this description is here [1]. This is only available in the latest w3af versions.

[0] https://github.com/vulndb/data/blob/master/db/45-sql-injection.json
[1] https://github.com/vulndb/data/tree/master/db

On Wed, Nov 16, 2016 at 7:57 AM, Waqas Aman <waq...@gm...> wrote:
> Hi,
> I just started using the tool. I was wondering whether the w3af scan results include the CVE/CVSS information of the vulnerabilities found, or information from other standard vulnerability DBs/standards for that matter. I didn't see such info yet; maybe I am missing it.
> If not provided natively, are there any external plugins that can be installed on w3af to add such info to the vulnerabilities found? And, if there aren't any such plugins available, are there any other open-source web vulnerability scanners whose scans reveal CVE/CVSS or related information?

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: carlos c. <edi...@ya...> - 2016-11-19 00:36:22

The message is ready to be sent with the following file or link attachments:

    w3af_crash-rYdgy.txt

Note: to protect against viruses, e-mail programs may prevent sending or receiving certain types of attachments. Check your e-mail program's security settings.
From: Waqas A. <waq...@gm...> - 2016-11-16 10:57:24

Hi,

I just started using the tool. I was wondering whether the w3af scan results include the CVE/CVSS information of the vulnerabilities found, or information from other standard vulnerability DBs/standards for that matter. I didn't see such info yet; maybe I am missing it.

If not provided natively, are there any external plugins that can be installed on w3af to add such info to the vulnerabilities found? And, if there aren't any such plugins available, are there any other open-source web vulnerability scanners whose scans reveal CVE/CVSS or related information?
From: carlos c. <edi...@ya...> - 2016-11-15 19:36:12

Submit this bug here: https://sourceforge.net/apps/trac/w3af/newticket

    Python version: 2.6.6 (r266:84297, Aug 24 2010, 18:46:32) [MSC v.1500 32 bit (Intel)]
    GTK version: 2.22.0
    PyGTK version: 2.22.0
    w3af - Web Application Attack and Audit Framework
    Version: 1.1 (from SVN server)
    Revision: 4286
    Author: Andres Riancho and the w3af team.

    Traceback (most recent call last):
      File "C:\Program Files\w3af\w3af\core\ui\gtkUi\reqResViewer.py", line 233, in _impactDone
        raise impact.exception
    w3afMustStopOnUrlError: No connection could be made because the target machine actively refused it
From: carlos c. <edi...@ya...> - 2016-11-15 18:18:31

Submit this bug here: https://sourceforge.net/apps/trac/w3af/newticket

    Python version: 2.6.6 (r266:84297, Aug 24 2010, 18:46:32) [MSC v.1500 32 bit (Intel)]
    GTK version: 2.22.0
    PyGTK version: 2.22.0
    w3af - Web Application Attack and Audit Framework
    Version: 1.1 (from SVN server)
    Revision: 4286
    Author: Andres Riancho and the w3af team.

    Traceback (most recent call last):
      File "C:\Program Files\w3af\w3af\core\ui\gtkUi\reqResViewer.py", line 233, in _impactDone
        raise impact.exception
    w3afMustStopOnUrlError: No connection could be made because the target machine actively refused it
From: Ali K. <ali...@gm...> - 2016-11-05 16:38:38

Hi Andres,

Where can I find the most recent tutorials related to w3af? I haven't been using it for a while and was considering adding it to my swiss army knife of pen test tools.

Thanks,

Ali
From: ad^2 <ads...@gm...> - 2016-10-24 13:51:16

Suhas,

I'm going to quote Andres here so I don't have to type up the same answer in my own words. See the RTFM and STFW section in the URL provided. ;-) It should take you 30 seconds to find this answer on the w3af site. Good luck.

"If you've got the time, please read [0]:

"In the world of hackers, the kind of answers you get to your technical questions depends as much on the way you ask the questions as on the difficulty of developing the answer. This guide will teach you how to ask questions in a way more likely to get you a satisfactory answer."

[0] http://www.catb.org/esr/faqs/smart-questions.html

Regards,"

On Mon, Oct 24, 2016 at 1:45 AM, Suhas Lalige <suh...@gm...> wrote:
> Hi,
>
> I wanted to know whether there is any way to give a username and password for the given web page which we use as target.
>
> Thanks
> Suhas
From: Suhas L. <suh...@gm...> - 2016-10-24 05:45:58

Hi,

I wanted to know whether there is any way to give a username and password for the given web page which we use as target.

Thanks
Suhas
From: Shreyas M R <shr...@gm...> - 2016-10-13 04:54:38

That I know. But I'm not able to resolve it. I have OWASP Broken Web Apps on my system; everyone knows it has security issues, but I'm still not able to get any exploit in that. Sometimes I get an exploit, sometimes I don't. Is there any way to resolve this HTTP timeout error? I have tried giving the max timeout (which is 30 seconds in w3af) and it still yielded nothing.

Thanks
Shreyas

Shreyas M R
about.me/shreyasmrs

On Wed, Oct 12, 2016 at 7:36 PM, ad^2 <ads...@gm...> wrote:
> Hey Shreyas,
>
> According to the output of "report-full audit.html" there was a connection issue. There were a number of 'HTTP timeout errors'.
>
>     The sqli plugin got an error while requesting "http://demo.testfire.net/subscribe.aspx". Reason: "HTTP timeout error"
>
> Thx,
>
> ad^2
>
> On Wed, Oct 12, 2016 at 2:34 AM, Shreyas M R <shr...@gm...> wrote:
>> Hi,
>>
>> Thanks for the suggestions ad^2
>> Sorry for the late reply
>>
>> 1) I have used w3af version: 1.6.54
>> 2) I used the console to do the scan as the GUI hangs sometimes
>> 3) I used the Full audit profile (other than this I did not use any plugins or exploits)
>> 4) scan output I'm sharing as attachment
>>
>> The steps I followed are
>>
>>     profiles Full audit
>>     plugins output html_file, csv_file
>>     target set target http://demo.testfire.net
>>     start
>>
>> I have different output for the same profile and same target.
>>
>> Please help me out in this
>>
>> Thanks
>> Shreyas
>>
>> Shreyas M R
>> about.me/shreyasmrs
>>
>> On Wed, Oct 5, 2016 at 9:15 PM, ad^2 <ads...@gm...> wrote:
>>> Hello,
>>>
>>> First, it's always good to include the steps you used to reproduce the issue reported. Help us, the community, help you by providing more details and things you have tried.
>>>
>>> What version of w3af?
>>> GUI or Console?
>>> Your selection of plugins/profiles/exploits, etc.? (you mentioned OWASP top 10).
>>> What is the output of the scan?
>>>
>>> Try this and let me know if you find something interesting.
>>>
>>>     w3af -s testfire.w3af.script
>>>
>>> [testfire script file contents]
>>>
>>>     profiles use audit_high_risk
>>>     plugins output html_file
>>>     plugins output config html_file
>>>     set output_file /root/testfire.html
>>>     back
>>>     plugins audit blind_sqli sqli
>>>     target set target http://demo.testfire.net
>>>     start
>>>
>>> Thx,
>>>
>>> ad^2
>>>
>>> On Wed, Oct 5, 2016 at 1:59 AM, Shreyas M R <shr...@gm...> wrote:
>>>> Hi,
>>>>
>>>> I'm using the w3af owasp top10 profile on http://demo.testfire.net/ which has sqli and xss vulnerabilities. I'm not getting any vulnerabilities from the w3af scan. Please, anyone, help me out in this.
>>>>
>>>> Shreyas M R
>>>> about.me/shreyasmrs
From: Dan R. <da...@da...> - 2016-10-12 19:24:24

Hi,

I apologize in advance for asking this newbie question. I'm trying to install w3af on a Mac using the instructions on http://w3af.org/download. I'm a total Python newbie. I got w3af from GitHub, then ran ./w3af_gui and got the list of unmet dependencies. When I run the script, however, I'm getting some errors. Below is the list of errors.

If the answer is "Python newbies shouldn't try to run w3af", I'm OK with that. If not, some advice on what I need to do to fix this would be appreciated.

Thanks!

Dan

    Found existing installation: six 1.4.1
    DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
    Uninstalling six-1.4.1:
    Exception:
    Traceback (most recent call last):
      File "/Library/Python/2.7/site-packages/pip/basecommand.py", line 215, in main
        status = self.run(options, args)
      File "/Library/Python/2.7/site-packages/pip/commands/install.py", line 317, in run
        prefix=options.prefix_path,
      File "/Library/Python/2.7/site-packages/pip/req/req_set.py", line 736, in install
        requirement.uninstall(auto_confirm=True)
      File "/Library/Python/2.7/site-packages/pip/req/req_install.py", line 742, in uninstall
        paths_to_remove.remove(auto_confirm)
      File "/Library/Python/2.7/site-packages/pip/req/req_uninstall.py", line 115, in remove
        renames(path, new_path)
      File "/Library/Python/2.7/site-packages/pip/utils/__init__.py", line 267, in renames
        shutil.move(old, new)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 302, in move
        copy2(src, real_dst)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 131, in copy2
        copystat(src, dst)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 103, in copystat
        os.chflags(dst, st.st_flags)
    OSError: [Errno 1] Operation not permitted: '/tmp/pip-4fjuC2-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'
From: ad^2 <ads...@gm...> - 2016-10-12 14:06:40

Hey Shreyas,

According to the output of "report-full audit.html" there was a connection issue. There were a number of 'HTTP timeout errors'.

    The sqli plugin got an error while requesting "http://demo.testfire.net/subscribe.aspx". Reason: "HTTP timeout error"

Thx,

ad^2

On Wed, Oct 12, 2016 at 2:34 AM, Shreyas M R <shr...@gm...> wrote:
> Hi,
>
> Thanks for the suggestions ad^2
> Sorry for the late reply
>
> 1) I have used w3af version: 1.6.54
> 2) I used the console to do the scan as the GUI hangs sometimes
> 3) I used the Full audit profile (other than this I did not use any plugins or exploits)
> 4) scan output I'm sharing as attachment
>
> The steps I followed are
>
>     profiles Full audit
>     plugins output html_file, csv_file
>     target set target http://demo.testfire.net
>     start
>
> I have different output for the same profile and same target.
>
> Please help me out in this
>
> Thanks
> Shreyas
>
> Shreyas M R
> about.me/shreyasmrs
>
> On Wed, Oct 5, 2016 at 9:15 PM, ad^2 <ads...@gm...> wrote:
>> Hello,
>>
>> First, it's always good to include the steps you used to reproduce the issue reported. Help us, the community, help you by providing more details and things you have tried.
>>
>> What version of w3af?
>> GUI or Console?
>> Your selection of plugins/profiles/exploits, etc.? (you mentioned OWASP top 10).
>> What is the output of the scan?
>>
>> Try this and let me know if you find something interesting.
>>
>>     w3af -s testfire.w3af.script
>>
>> [testfire script file contents]
>>
>>     profiles use audit_high_risk
>>     plugins output html_file
>>     plugins output config html_file
>>     set output_file /root/testfire.html
>>     back
>>     plugins audit blind_sqli sqli
>>     target set target http://demo.testfire.net
>>     start
>>
>> Thx,
>>
>> ad^2
>>
>> On Wed, Oct 5, 2016 at 1:59 AM, Shreyas M R <shr...@gm...> wrote:
>>> Hi,
>>>
>>> I'm using the w3af owasp top10 profile on http://demo.testfire.net/ which has sqli and xss vulnerabilities. I'm not getting any vulnerabilities from the w3af scan. Please, anyone, help me out in this.
>>>
>>> Shreyas M R
>>> about.me/shreyasmrs
From: carlos c. <edi...@ya...> - 2016-10-07 19:46:46
From: carlos c. <edi...@ya...> - 2016-10-07 19:46:28

Submit this bug here: https://sourceforge.net/apps/trac/w3af/newticket

    Python version: 2.6.6 (r266:84297, Aug 24 2010, 18:46:32) [MSC v.1500 32 bit (Intel)]
    GTK version: 2.22.0
    PyGTK version: 2.22.0
    w3af - Web Application Attack and Audit Framework
    Version: 1.1 (from SVN server)
    Revision: 4286
    Author: Andres Riancho and the w3af team.

    Traceback (most recent call last):
      File "C:\Program Files\w3af\w3af\core\ui\gtkUi\reqResViewer.py", line 233, in _impactDone
        raise impact.exception
    w3afMustStopOnUrlError: No connection could be made because the target machine actively refused it
From: carlos c. <edi...@ya...> - 2016-10-07 19:45:56

Submit this bug here: https://sourceforge.net/apps/trac/w3af/newticket

    Python version: 2.6.6 (r266:84297, Aug 24 2010, 18:46:32) [MSC v.1500 32 bit (Intel)]
    GTK version: 2.22.0
    PyGTK version: 2.22.0
    w3af - Web Application Attack and Audit Framework
    Version: 1.1 (from SVN server)
    Revision: 4286
    Author: Andres Riancho and the w3af team.

    Traceback (most recent call last):
      File "C:\Program Files\w3af\w3af\core\ui\gtkUi\reqResViewer.py", line 233, in _impactDone
        raise impact.exception
    w3afMustStopOnUrlError: No connection could be made because the target machine actively refused it
From: carlos c. <edi...@ya...> - 2016-10-07 19:45:32

Submit this bug here: https://sourceforge.net/apps/trac/w3af/newticket

    Python version: 2.6.6 (r266:84297, Aug 24 2010, 18:46:32) [MSC v.1500 32 bit (Intel)]
    GTK version: 2.22.0
    PyGTK version: 2.22.0
    w3af - Web Application Attack and Audit Framework
    Version: 1.1 (from SVN server)
    Revision: 4286
    Author: Andres Riancho and the w3af team.

    Traceback (most recent call last):
      File "C:\Program Files\w3af\w3af\core\ui\gtkUi\reqResViewer.py", line 233, in _impactDone
        raise impact.exception
    w3afMustStopOnUrlError: No connection could be made because the target machine actively refused it