w3af-users Mailing List for w3af (Page 3)
Status: Beta
Brought to you by:
andresriancho
From: carlos c. <edi...@ya...> - 2016-10-07 19:45:24
|
Submit this bug here: https://sourceforge.net/apps/trac/w3af/newticket

Python version: 2.6.6 (r266:84297, Aug 24 2010, 18:46:32) [MSC v.1500 32 bit (Intel)]
GTK version:2.22.0
PyGTK version:2.22.0
w3af - Web Application Attack and Audit Framework
Version: 1.1 (from SVN server)
Revision: 4286
Author: Andres Riancho and the w3af team.

Traceback (most recent call last):
  File "C:\Program Files\w3af\w3af\core\ui\gtkUi\reqResViewer.py", line 233, in _impactDone
    raise impact.exception
w3afMustStopOnUrlError: No se puede establecer una conexión ya que el equipo de destino denegó expresamente dicha conexión
|
From: ad^2 <ads...@gm...> - 2016-10-05 15:45:41
|
Hello,

First, it's always good to include the steps you used to reproduce the issue reported. Help us the community help you by providing more details and things you have tried.

What version of w3af? GUI or Console? Your selection of plugins/profiles/exploits, etc.? (you mentioned OWASP top 10). What is the output of the scan?

Try this and let me know if you find something interesting.

w3af -s testfire.w3af.script

[testfire script file contents]
profiles use audit_high_risk
plugins output html_file
plugins output config html_file
set output_file /root/testfire.html
back
plugins audit blind_sqli sqli
target set target http://demo.testfire.net
start

Thx,
ad^2

On Wed, Oct 5, 2016 at 1:59 AM, Shreyas M R <shr...@gm...> wrote:
> Hi,
>
> I'm using w3af owasp top10 profile on http://demo.testfire.net/ which has
> sqli and xss vulnerabilities. I'm not getting any vulnerabilities from w3af
> scan. please anyone help me out in this.
>
> Shreyas M R
> about.me/shreyasmrs
|
From: Shreyas M R <shr...@gm...> - 2016-10-05 06:00:07
|
Hi,

I'm using w3af owasp top10 profile on http://demo.testfire.net/ which has sqli and xss vulnerabilities. I'm not getting any vulnerabilities from w3af scan. please anyone help me out in this.

Shreyas M R
about.me/shreyasmrs
|
From: Andres R. <and...@gm...> - 2016-10-03 12:33:36
|
Mohsen,

I've been linking to this document too often these last weeks: "How To Ask Questions The Smart Way" [0].

Sorry but based on your "question" I can only guess what your problem is. Please explain it a little bit more, follow guidelines from [0] and most likely someone will answer.

[0] http://www.catb.org/esr/faqs/smart-questions.html

On Fri, Sep 30, 2016 at 1:08 PM, mohsen Abbaspour <moh...@gm...> wrote:
> hi
>
> I want to get plugin and add this plugin to another w3af app on
> another system that can't connect to internet
> how to get plugin
>
> tnx

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: mohsen A. <moh...@gm...> - 2016-09-30 16:08:20
|
hi

I want to get plugin and add this plugin to another w3af app on another system that can't connect to internet
how to get plugin

tnx
|
From: Andres R. <and...@gm...> - 2016-09-23 19:18:24
|
Please take a moment to read this document [0] and try again :)

[0] http://www.catb.org/esr/faqs/smart-questions.html

On Fri, Sep 23, 2016 at 5:31 AM, mohsen Abbaspour <moh...@gm...> wrote:
> hi
> i have a question
> how many attack plugin and pattern are there in w3af??
> please introduce more about it
> tnx

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Andres R. <and...@gm...> - 2016-09-23 18:39:39
|
Can't repro if you don't give me the details

On Thu, Sep 22, 2016 at 8:26 AM, Suhas Lalige <suh...@gm...> wrote:
> I had enabled the same plugins and the target was also the same for the
> second time. It was the same repetition of the first step but I'm not
> getting the same result
>
> On 20 September 2016 at 23:52, Andres Riancho <and...@gm...> wrote:
>
>> Suhas,
>>
>> Well... most likely the two scans had different plugins enabled.
>> But if not... is there any way I can reproduce this potential issue?
>>
>> On Tue, Sep 20, 2016 at 11:44 AM, Suhas Lalige <suh...@gm...> wrote:
>> > Hi all
>> > I'm new to w3af. I tried running the scan by enabling crawl and audit
>> > plugin, first time I got SQL injection vulnerabilities second time when I
>> > repeated it again I could not find any vulnerabilities please help me out in
>> > solving this issue
>> > Thanks
>> > Suhas

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Andres R. <and...@gm...> - 2016-09-23 18:35:06
|
Ah, your initial bug report never mentioned pexpect.

^J is a control char, new line according to [0]. This doesn't seem to be a w3af problem.

[0] http://www.robelle.com/smugbook/ascii.html

On Fri, Sep 23, 2016 at 3:20 PM, ravi keerthi m d <rav...@gm...> wrote:
> Even I tried the same way it works.. But while using pexpect python module
> I'm facing issue..
>
> Let's think it's a pexpect issue, but the same module works for Metasploit,
> nessus, etc..
>
> On Sep 23, 2016 11:45 PM, "Andres Riancho" <and...@gm...> wrote:
>>
>> Works on my PC (tm)
>>
>> [pablo:/home/pablo] 35m40s $ ssh pablo@127.0.0.1
>> The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
>> ECDSA key fingerprint is a0:6d:ef:23:e0:e0:0a:3a:63:67:cd:1d:4f:79:4d:4e.
>> Are you sure you want to continue connecting (yes/no)? yes
>> Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
>> pablo@127.0.0.1's password:
>> Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-96-generic x86_64)
>>
>>  * Documentation: https://help.ubuntu.com/
>>
>> Last login: Mon Aug 8 13:59:49 2016
>> [pablo@eulogias:/home/pablo] 1 $ cd pch/w3af/
>> [pablo@eulogias:/home/pablo/pch/w3af] master ± ./w3af_console
>> w3af>>> plugins
>> w3af/plugins>>> back
>> w3af>>> exit
>>
>> Liked it? Donate some money!
>>
>> [pablo@eulogias:/home/pablo/pch/w3af] master 12s ±
>>
>> On Thu, Sep 22, 2016 at 4:42 PM, ravi keerthi m d <rav...@gm...> wrote:
>> >> > Hi,
>> >> >
>> >> > Manually I am able to execute my w3af commands successfully. When trying to
>> >> > execute same w3af commands using a ssh connection then it is appending a ^J,
>> >> > so whatever commands I am executing it is executing like "^Jplugins".
>> >> >
>> >> > Example:
>> >> > root@kali# w3af_console
>> >> > w3af >>> ^J
>> >> >
>> >> > this is the first output after executing w3af_console using ssh connection
>> >> > handler, now when I execute "plugins" command the output looks like this
>> >> >
>> >> > root@kali# w3af_console
>> >> > w3af >>> ^Jplugins
>> >> >
>> >> > It is saying command not found.
>> >> >
>> >> > Can you please help me out in this. Because using same ssh connection
>> >> > handler I am able to run metasploit framework commands on msfconsole.
>> >> >
>> >> > Thanks,
>> >> > Ravi

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
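What the ^J in this thread is at the byte level, as an added example that is not code from w3af, pexpect or the posters: Python 3 for Linux that pushes a command through a pseudo-terminal and shows what the reading side receives in cooked and in raw mode. pexpect's sendline() appends os.linesep (LF on Linux); that w3af_console reads its terminal in raw mode is an assumption, not something the thread establishes.

```python
import os
import pty
import select
import tty


def caret(data):
    """Render bytes the way a terminal echoes them: control bytes as ^X."""
    out = []
    for b in data:
        if b < 0x20:
            out.append("^" + chr(b ^ 0x40))   # 0x0A -> ^J, 0x0D -> ^M
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append(chr(b))
    return "".join(out)


def deliver(payload, raw, timeout=2.0):
    """Write payload to a pty master and return what the slave side reads.

    raw=False leaves the default cooked line discipline (ICANON + ICRNL),
    raw=True switches the slave to raw mode, as full-screen or
    key-by-key console programs do.
    """
    master, slave = pty.openpty()
    try:
        if raw:
            tty.setraw(slave)
        os.write(master, payload)
        received = b""
        while len(received) < len(payload):
            ready, _, _ = select.select([slave], [], [], timeout)
            if not ready:          # nothing more arrived, do not hang
                break
            received += os.read(slave, 1024)
        return received
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    # Constructed input: the command from the thread with two terminators
    for raw in (False, True):
        for payload in (b"plugins\n", b"plugins\r"):
            mode = "raw   " if raw else "cooked"
            print(mode, caret(payload), "->", caret(deliver(payload, raw)))
```

In cooked mode the tty turns CR into LF, so both terminators end the line; in raw mode the reader gets the driver's byte untouched, and a program waiting for CR treats LF as an ordinary character. In that case `child.send('plugins\r')` delivers CR where `sendline` would deliver ^J.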
From: ravi k. m d <rav...@gm...> - 2016-09-23 18:20:45
|
Even I tried the same way it works.. But while using pexpect python module I'm facing issue..

Let's think it's a pexpect issue, but the same module works for Metasploit, nessus, etc..

On Sep 23, 2016 11:45 PM, "Andres Riancho" <and...@gm...> wrote:
> Works on my PC (tm)
>
> [pablo:/home/pablo] 35m40s $ ssh pablo@127.0.0.1
> The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
> ECDSA key fingerprint is a0:6d:ef:23:e0:e0:0a:3a:63:67:cd:1d:4f:79:4d:4e.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
> pablo@127.0.0.1's password:
> Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-96-generic x86_64)
>
>  * Documentation: https://help.ubuntu.com/
>
> Last login: Mon Aug 8 13:59:49 2016
> [pablo@eulogias:/home/pablo] 1 $ cd pch/w3af/
> [pablo@eulogias:/home/pablo/pch/w3af] master ± ./w3af_console
> w3af>>> plugins
> w3af/plugins>>> back
> w3af>>> exit
>
> Liked it? Donate some money!
>
> [pablo@eulogias:/home/pablo/pch/w3af] master 12s ±
>
> On Thu, Sep 22, 2016 at 4:42 PM, ravi keerthi m d <rav...@gm...> wrote:
> >> > Hi,
> >> >
> >> > Manually I am able to execute my w3af commands successfully. When trying to
> >> > execute same w3af commands using a ssh connection then it is appending a ^J,
> >> > so whatever commands I am executing it is executing like "^Jplugins".
> >> >
> >> > Example:
> >> > root@kali# w3af_console
> >> > w3af >>> ^J
> >> >
> >> > this is the first output after executing w3af_console using ssh connection
> >> > handler, now when I execute "plugins" command the output looks like this
> >> >
> >> > root@kali# w3af_console
> >> > w3af >>> ^Jplugins
> >> >
> >> > It is saying command not found.
> >> >
> >> > Can you please help me out in this. Because using same ssh connection
> >> > handler I am able to run metasploit framework commands on msfconsole.
> >> >
> >> > Thanks,
> >> > Ravi
|
From: Andres R. <and...@gm...> - 2016-09-23 18:15:45
|
Works on my PC (tm)

[pablo:/home/pablo] 35m40s $ ssh pablo@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is a0:6d:ef:23:e0:e0:0a:3a:63:67:cd:1d:4f:79:4d:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
pablo@127.0.0.1's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-96-generic x86_64)

 * Documentation: https://help.ubuntu.com/

Last login: Mon Aug 8 13:59:49 2016
[pablo@eulogias:/home/pablo] 1 $ cd pch/w3af/
[pablo@eulogias:/home/pablo/pch/w3af] master ± ./w3af_console
w3af>>> plugins
w3af/plugins>>> back
w3af>>> exit

Liked it? Donate some money!

[pablo@eulogias:/home/pablo/pch/w3af] master 12s ±

On Thu, Sep 22, 2016 at 4:42 PM, ravi keerthi m d <rav...@gm...> wrote:
>> > Hi,
>> >
>> > Manually I am able to execute my w3af commands successfully. When trying to
>> > execute same w3af commands using a ssh connection then it is appending a ^J,
>> > so whatever commands I am executing it is executing like "^Jplugins".
>> >
>> > Example:
>> > root@kali# w3af_console
>> > w3af >>> ^J
>> >
>> > this is the first output after executing w3af_console using ssh connection
>> > handler, now when I execute "plugins" command the output looks like this
>> >
>> > root@kali# w3af_console
>> > w3af >>> ^Jplugins
>> >
>> > It is saying command not found.
>> >
>> > Can you please help me out in this. Because using same ssh connection
>> > handler I am able to run metasploit framework commands on msfconsole.
>> >
>> > Thanks,
>> > Ravi

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: ravi k. m d <rav...@gm...> - 2016-09-22 19:43:07
|
> > Hi,
> >
> > Manually I am able to execute my w3af commands successfully. When trying to
> > execute same w3af commands using a ssh connection then it is appending a ^J,
> > so whatever commands I am executing it is executing like "^Jplugins".
> >
> > Example:
> > root@kali# w3af_console
> > w3af >>> ^J
> >
> > this is the first output after executing w3af_console using ssh connection
> > handler, now when I execute "plugins" command the output looks like this
> >
> > root@kali# w3af_console
> > w3af >>> ^Jplugins
> >
> > It is saying command not found.
> >
> > Can you please help me out in this. Because using same ssh connection
> > handler I am able to run metasploit framework commands on msfconsole.
> >
> > Thanks,
> > Ravi
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
|
From: Suhas L. <suh...@gm...> - 2016-09-22 11:27:00
|
I had enabled the same plugins and the target was also the same for the second time. It was the same repetition of the first step but I'm not getting the same result

On 20 September 2016 at 23:52, Andres Riancho <and...@gm...> wrote:
> Suhas,
>
> Well... most likely the two scans had different plugins enabled.
> But if not... is there any way I can reproduce this potential issue?
>
> On Tue, Sep 20, 2016 at 11:44 AM, Suhas Lalige <suh...@gm...> wrote:
> > Hi all
> > I'm new to w3af. I tried running the scan by enabling crawl and audit
> > plugin, first time I got SQL injection vulnerabilities second time when I
> > repeated it again I could not find any vulnerabilities please help me out in
> > solving this issue
> > Thanks
> > Suhas
|
From: Andres R. <and...@gm...> - 2016-09-20 18:23:23
|
Suhas,

Well... most likely the two scans had different plugins enabled. But if not... is there any way I can reproduce this potential issue?

On Tue, Sep 20, 2016 at 11:44 AM, Suhas Lalige <suh...@gm...> wrote:
> Hi all
> I'm new to w3af. I tried running the scan by enabling crawl and audit
> plugin, first time I got SQL injection vulnerabilities second time when I
> repeated it again I could not find any vulnerabilities please help me out in
> solving this issue
> Thanks
> Suhas

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Suhas L. <suh...@gm...> - 2016-09-20 14:44:48
|
Hi all

I'm new to w3af. I tried running the scan by enabling crawl and audit plugin, first time I got SQL injection vulnerabilities second time when I repeated it again I could not find any vulnerabilities please help me out in solving this issue

Thanks
Suhas
|
From: Andres R. <and...@gm...> - 2016-09-19 14:15:45
|
Shreyas,

I believe that your question is way too open. To answer it someone would have to spend considerable time setting up the environment, running w3af, etc.

If you've got the time, please read [0]:

"In the world of hackers, the kind of answers you get to your technical questions depends as much on the way you ask the questions as on the difficulty of developing the answer. This guide will teach you how to ask questions in a way more likely to get you a satisfactory answer."

[0] http://www.catb.org/esr/faqs/smart-questions.html

Regards,

On Thu, Sep 15, 2016 at 2:34 PM, Shreyas M R <shr...@gm...> wrote:
> I ran w3af on owaspbwa I could not exploit the vulns.
> Can anyone help me with the plugin details and configuration
>
> Awaiting for reply
>
> Thanks and Regards
>
> Shreyas M R
> about.me/shreyasmrs

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Shreyas M R <shr...@gm...> - 2016-09-15 17:34:56
|
I ran w3af on owaspbwa I could not exploit the vulns.
Can anyone help me with the plugin details and configuration

Awaiting for reply

Thanks and Regards

Shreyas M R
about.me/shreyasmrs
|
From: Andres R. <and...@gm...> - 2016-09-02 14:19:58
|
I believe the answer is in the authentication part of docs [0], most likely in [1].

Regarding 2FA, the way I would do it is to authenticate using a browser, then get the cookie and set it in w3af as explained in [1]

[0] http://docs.w3af.org/en/latest/authentication.html
[1] http://docs.w3af.org/en/latest/authentication.html#setting-http-cookie

On Thu, Sep 1, 2016 at 9:16 PM, Vimal SRINIVASAN <onl...@gm...> wrote:
> Nice point highlighted by Blaharski. I am curious what if the SSO have 2FA.
>
> Regards,
> Vimal.
>
> On Sep 1, 2016 11:11 PM, "Blaharski, Jared" <jar...@co...> wrote:
>>
>> To Whom It May Concern:
>>
>> The website that we would like to scan has a SSO system and a HTTP
>> redirect. Will your software have any trouble with handling that when doing
>> the crawl through the website?

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
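The browser-then-cookie approach from the reply above, as an added example (not code from w3af or from the thread): a Python 3 helper that turns the `Cookie:` header value copied from an authenticated browser session into a Netscape-format cookie jar file. The host name, cookie names and values are constructed, and that the scanner accepts this file format is an assumption to confirm against [1].

```python
import http.cookiejar
import os
import time


def parse_cookie_header(header):
    """Split 'name=value; name2=value2' into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError("malformed cookie pair: %r" % part)
        pairs.append((name, value.strip()))
    return pairs


def build_cookie_jar(header, host, out_path, secure=True, lifetime_s=8 * 3600):
    """Write the session cookies to out_path in Netscape cookies.txt format."""
    jar = http.cookiejar.MozillaCookieJar(out_path)
    # Session cookies carry no expiry, and jar loaders commonly drop such
    # entries, so give each one an explicit, short lifetime instead.
    expires = int(time.time()) + lifetime_s
    for name, value in parse_cookie_header(header):
        jar.set_cookie(http.cookiejar.Cookie(
            version=0, name=name, value=value,
            port=None, port_specified=False,
            domain=host, domain_specified=False, domain_initial_dot=False,
            path="/", path_specified=True,
            secure=secure, expires=expires, discard=False,
            comment=None, comment_url=None, rest={},
        ))
    jar.save()
    # The file now holds a post-2FA session: keep it readable by this user only
    os.chmod(out_path, 0o600)
    return jar


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session
    build_cookie_jar("JSESSIONID=abc123; sso_token=xyz",
                     "app.example.test", "cookies.txt")
    with open("cookies.txt") as fh:
        print(fh.read())
```

The jar is as sensitive as the password plus the second factor for as long as the session lives, so delete it when the scan ends and log the session out on the server side.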
From: Vimal S. <onl...@gm...> - 2016-09-02 00:16:29
|
Nice point highlighted by Blaharski. I am curious what if the SSO have 2FA.

Regards,
Vimal.

On Sep 1, 2016 11:11 PM, "Blaharski, Jared" <jar...@co...> wrote:
> To Whom It May Concern:
>
> The website that we would like to scan has a SSO system and a HTTP
> redirect. Will your software have any trouble with handling that when doing
> the crawl through the website?
|
From: Taras <ox...@ox...> - 2016-09-01 21:02:49
|
Hi, Jared!

You can try! ;)

On Thu, 01/09/2016 at 14:54 +0000, Blaharski, Jared wrote:
> To Whom It May Concern:
>
> The website that we would like to scan has a SSO system and a HTTP
> redirect. Will your software have any trouble with handling that when
> doing the crawl through the website?

--
Taras
https://oxdef.info
|
From: Blaharski, J. <jar...@co...> - 2016-09-01 15:09:39
|
To Whom It May Concern:

The website that we would like to scan has a SSO system and a HTTP redirect. Will your software have any trouble with handling that when doing the crawl through the website?
|
From: Andres R. <and...@gm...> - 2016-07-25 14:31:48
|
Tiago,

On Sat, Jul 23, 2016 at 12:32 PM, Tiago Vieira <tia...@no...> wrote:
> Hello,
>
> My name is Tiago, I'm doing a master thesis in web security and I'm using
> w3af to perform some tests.
>
> My question is related with the scan, when we select a URL to attack, does
> the application performs posts on that URL?

Most likely not, it depends on the plugins you enabled. If you enabled the web_spider plugin it will perform a GET to the URL, retrieve the forms, and perform POST on those forms.

> I've tried manual requests and fuzzing but this does not allow simple
> parametrization for multiple requests and I would prefer using the available
> plugins.
>
> One of the applications I'm testing has several async requests and I wanted
> to test each one of them with the available plugins.

You may want to read: http://docs.w3af.org/en/latest/advanced-use-cases.html

> Thank you
> Best regards

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Tiago V. <tia...@no...> - 2016-07-23 17:06:01
|
Hello,

My name is Tiago, I'm doing a master thesis in web security and I'm using w3af to perform some tests.

My question is related with the scan, when we select a URL to attack, does the application performs posts on that URL?

I've tried manual requests and fuzzing but this does not allow simple parametrization for multiple requests and I would prefer using the available plugins.

One of the applications I'm testing has several async requests and I wanted to test each one of them with the available plugins.

Thank you
Best regards
|