w3af-users Mailing List for w3af (Page 5)
Status: Beta
Brought to you by:
andresriancho
From: Andres R. <and...@gm...> - 2015-11-13 12:15:16
On Thu, Nov 12, 2015 at 6:16 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> it is OpenSSH running on Windows, so it should work.
> I am passing the .prv file as an argument, I hope it is right.

You shouldn't hope, use -v (verbose) to debug the ssh connection, this
will tell you if the ssh client is sending the key, etc.

> Is there
> any other possibility to enter commands into the running container?

https://docs.docker.com/engine/reference/commandline/exec/

> Thanks,
> Vojta

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

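The `-v` check suggested in the message above, as an added example (not code from the thread or from the w3af project): a small Python classifier that reads the debug output of an OpenSSH client and reports whether the key given with `-i` was offered and what the server answered. The sample logs are constructed, the verdict names are hypothetical, and the patterns assume OpenSSH's wording; other SSH clients print different lines.

```python
import re
from dataclasses import dataclass, field

# Lines an OpenSSH client prints with -v. The wording shifts slightly between
# releases, so the patterns are deliberately loose.
OFFERED = re.compile(r"debug1: (?:Offering .*public key|Trying private key): ?(.*)")
ACCEPTED = re.compile(r"debug1: Server accepts key")
SUCCEEDED = re.compile(r"debug1: Authentication succeeded \(([\w-]+)\)")
CAN_CONTINUE = re.compile(r"debug1: Authentications that can continue: (\S+)")
NEXT_METHOD = re.compile(r"debug1: Next authentication method: (\S+)")
KEY_IGNORED = re.compile(r"UNPROTECTED PRIVATE KEY FILE|bad permissions")


@dataclass
class AuthTrace:
    offered_keys: list = field(default_factory=list)
    server_methods: set = field(default_factory=set)
    methods_tried: list = field(default_factory=list)
    key_accepted: bool = False
    key_ignored: bool = False
    succeeded_with: str = ""


def parse_ssh_debug(log_text):
    """Collect the authentication-related facts from `ssh -v` output."""
    trace = AuthTrace()
    for raw in log_text.splitlines():
        line = raw.strip()
        if KEY_IGNORED.search(line):
            trace.key_ignored = True
        m = OFFERED.search(line)
        if m:
            parts = m.group(1).split()
            trace.offered_keys.append(parts[0] if parts else "?")
        if ACCEPTED.search(line):
            trace.key_accepted = True
        m = SUCCEEDED.search(line)
        if m:
            trace.succeeded_with = m.group(1)
        m = CAN_CONTINUE.search(line)
        if m:
            trace.server_methods.update(m.group(1).split(","))
        m = NEXT_METHOD.search(line)
        if m:
            trace.methods_tried.append(m.group(1))
    return trace


def diagnose(trace):
    """Return a short verdict code (hypothetical names) for the trace."""
    if trace.succeeded_with == "publickey":
        return "ok"
    if trace.key_ignored:
        return "key_ignored_permissions"   # client refused to use the file
    if trace.server_methods and "publickey" not in trace.server_methods:
        return "server_disallows_publickey"
    if not trace.offered_keys:
        return "key_not_offered"           # wrong flag or wrong path
    if not trace.key_accepted and "password" in trace.methods_tried:
        return "key_rejected"              # offered, refused, password prompt
    return "inconclusive"


# Constructed sample logs (not captured from the poster's machine).
SAMPLE_OK = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: w3af-docker.prv
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""
SAMPLE_REJECTED = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: w3af-docker.prv
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
"""
SAMPLE_IGNORED = """\
debug1: Next authentication method: publickey
debug1: Trying private key: w3af-docker.prv
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Permissions 0644 for 'w3af-docker.prv' are too open.
This private key will be ignored.
debug1: Next authentication method: password
"""
SAMPLE_NOT_OFFERED = """\
Warning: Identity file w3af-docker.prv not accessible: No such file or directory.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Next authentication method: password
"""

if __name__ == "__main__":
    for name, log in [("ok", SAMPLE_OK), ("rejected", SAMPLE_REJECTED),
                      ("ignored", SAMPLE_IGNORED), ("missing", SAMPLE_NOT_OFFERED)]:
        print(name, "->", diagnose(parse_ssh_debug(log)))
```

A password prompt after `-i` corresponds to one of the last three verdicts; each points at a different fix (file permissions, the key path, or the key the server trusts).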
From: Vojtěch P. <kr...@gm...> - 2015-11-12 21:16:11
Hi,
it is OpenSSH running on Windows, so it should work.
I am passing the .prv file as an argument, I hope it is right. Is there any other possibility to enter commands into the running container?
Thanks,
Vojta

From: Andres R. <and...@gm...> - 2015-11-12 15:05:36
Vojtěch,

On Thu, Nov 12, 2015 at 8:47 AM, Vojtěch Polášek <kr...@gm...> wrote:
> Greetings,
> still no luck. Is it important to mount w3af and w3af-shared volumes to
> be able to at least log in?

The volumes [0] AFAIK are not required. If you don't set them w3af
will create the /root/.w3af inside the docker file system.

[0] https://github.com/andresriancho/w3af/blob/master/extras/docker/scripts/common/docker_helpers.py#L10-L11

> It would be great if someone, who is more experienced with docker,
> could try this. I am running following commands in Powershell:
> docker-machine start mytest
> docker-machine env --shell=powershell mytest | Invoke-expression
> docker run -d andresriancho/w3af
> docker ps works correctly and displays running sshd daemon on port 22

Looks good.

> docker logs <container_id> does not show anything
> docker top <container_id> shows only sshd running

Ok

> When I try to run command posted in the previous mail, still receiving
> password prompt and w3af as a password does not work.
> Any ideas?

Yes, I already asked: Are you sure your SSH client expects the private
key to be set using -i ?

> Thank you very much,
> Vojta

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Vojtěch P. <kr...@gm...> - 2015-11-12 11:47:57
Greetings,
still no luck. Is it important to mount w3af and w3af-shared volumes to be able to at least log in?
It would be great if someone, who is more experienced with docker, could try this. I am running following commands in Powershell:
docker-machine start mytest
docker-machine env --shell=powershell mytest | Invoke-expression
docker run -d andresriancho/w3af
docker ps works correctly and displays running sshd daemon on port 22
docker logs <container_id> does not show anything
docker top <container_id> shows only sshd running
When I try to run command posted in the previous mail, still receiving password prompt and w3af as a password does not work.
Any ideas?
Thank you very much,
Vojta

From: Andres R. <and...@gm...> - 2015-11-03 15:04:52
Moises,

On Mon, Oct 26, 2015 at 7:46 AM, Moises Solorzano <moi...@ho...> wrote:
> Hello
>
> I have a question about the timeout of any individual plugin or in general
> on the command line.
>
> I can see that there is a timeout for the crawling (misc settings max
> discovery time), but I would like to know if w3af provides a timeout for
> specifically a plugin (audit xss for example) or for all the plugins in
> general or for a category.

The max discovery time affects all crawl/infrastructure plugins.

As far as I can remember there is no way to limit the time audit
plugins take. The indirect way to do that is to lower the discovery
time; which means that there will be less URL+parameters to test,
which will take less time.

> Thank you in advance
>
> Best Regards

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Andres R. <and...@gm...> - 2015-11-02 20:34:32
I've never done that in Windows, but it should work. You should try to
follow the same steps which are outlined for Linux here [0]. I suspect
you already did most of those since you found the ssh private key.
It's strange that the docker image is asking you for a password if
you're providing an SSH key; maybe -i is not the right flag in your ssh
client?

[0] https://github.com/andresriancho/w3af/blob/master/extras/docker/scripts/w3af_console_docker

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Vojtěch P. <kr...@gm...> - 2015-11-02 17:28:48
Hi,
does anyone here have experience running W3AF within Docker on Windows?
I installed docker, downloaded W3AF and ran it, but I had a problem while connecting through ssh. Within w3af/extras/docker/scripts/common I ran:
ssh -i w3af-docker.prv -t -t -oStrictHostKeyChecking=no ro...@xx...
where xxx.xxx.xxx.xxx was the IP address of my docker machine running.
I connected to the server and tried password w3af, but no success.
Has anything changed?
Thanks,
Vojta

From: Moises S. <moi...@ho...> - 2015-10-26 10:46:45
Hello

I have a question about the timeout of any individual plugin or in general on the command line.

I can see that there is a timeout for the crawling (misc settings max discovery time), but I would like to know if w3af provides a timeout for specifically a plugin (audit xss for example) or for all the plugins in general or for a category.

Thank you in advance

Best Regards

From: Andres R. <and...@gm...> - 2015-10-22 01:18:23
I haven't run any recent (~5 years) version of w3af in Windows. Some
dependencies (the ones you mention and others) are Linux/Mac only.

I recommend you try boot to docker and the w3af docker image.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Vojtěch P. <kr...@gm...> - 2015-10-21 15:57:35
Greetings,
I am trying to get W3AF running on Windows Server 2012 64 bit. I can't even compile dependencies, for example pybloomfiltermmap and esmre...
So my question is: Does anyone run W3AF on Windows? Any tips?
Thanks,
Vojta

From: Andres R. <and...@gm...> - 2015-10-12 20:31:03
Ziadmo1,

On Tue, Sep 29, 2015 at 12:35 PM, ziadmo1 . <zi...@gm...> wrote:
> Point 1)
> I will try to take a video later this week, but to reproduce the issue:
> a) Select the OWASP_TOP10 profile, right click, "Save configuration to a new
> profile"
> b) Save new profile as Custom / Custom
> c) Deselect the Infrastructure plugin, and right click on the Custom
> profile, then "Save configuration to profile"
> d) Select any other profile on the list
> e) Come back to the Custom profile, the plugin Infrastructure is still
> selected as if it was never unchecked.

I run a-d, but then I see the expected result: the infrastructure
plugin family is disabled.

This is my w3af version information:

Python version: 2.7.6 (default, Mar 22 2014, 22:59:56) [GCC 4.8.2]
GTK version: 2.24.23
PyGTK version: 2.24.0
w3af version: w3af - Web Application Attack and Audit Framework
Version: 1.7.6
Revision: d7cb405316 - 09 oct 2015 21:26
Branch: master
Local changes: No
Author: Andres Riancho and the w3af team.

What's yours?

> Point 3) I really wish I can contribute, but I am not a programmer :P If I
> can help with other things such as testing, I would be more than happy to do
> so.
>
> Point 4) Can I suggest to make saves every let's say 10 or 20 seconds? This
> will prevent losing results of a 1-4 hours scan.

Like I said in the previous email, this is already done in the latest w3af.

> Point 5) This is an issue as I scanned a site, w3af happily took all of the
> memory available, and if I provide it with more memory, it just keeps taking
> it. At some point it used 8GB of memory and w3af crashed as there was no
> more memory to consume... Ideally, w3af should be given a specified amount
> of memory, or have some configuration options to restrict the amount of
> memory it can use.

I haven't seen any tools that work like that. The fix would be to
identify the memory leak and refactor the code so that it doesn't
consume all your memory.

> Thanks for all the efforts on this project, I find w3af a great tool for the
> Security community.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: ziadmo1 . <zi...@gm...> - 2015-09-29 15:35:11
Point 1)
I will try to take a video later this week, but to reproduce the issue:
a) Select the OWASP_TOP10 profile, right click, "Save configuration to a new profile"
b) Save new profile as Custom / Custom
c) Deselect the Infrastructure plugin, and right click on the Custom profile, then "Save configuration to profile"
d) Select any other profile on the list
e) Come back to the Custom profile, the plugin Infrastructure is still selected as if it was never unchecked.

Point 3) I really wish I can contribute, but I am not a programmer :P If I can help with other things such as testing, I would be more than happy to do so.

Point 4) Can I suggest to make saves every let's say 10 or 20 seconds? This will prevent losing results of a 1-4 hours scan.

Point 5) This is an issue as I scanned a site, w3af happily took all of the memory available, and if I provide it with more memory, it just keeps taking it. At some point it used 8GB of memory and w3af crashed as there was no more memory to consume... Ideally, w3af should be given a specified amount of memory, or have some configuration options to restrict the amount of memory it can use.

Thanks for all the efforts on this project, I find w3af a great tool for the Security community.

From: Andres R. <and...@gm...> - 2015-09-28 15:15:52
Ziadmo,

On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 . <zi...@gm...> wrote:
> Point 1)
> Not sure if it's a bug or not.. When I create a custom profile (based on
> OWASP top 10 for example), the changes don't take effect on the newly saved
> custom profile. For example, if I disable "infrastructure", and I click
> "save configuration to profile", then I select any other profile, when I get
> back to the "custom" profile I just created, I still see "infrastructure" as
> part of that profile.

Failed to reproduce this issue on my workstation. Using the same
version you're. Could you send us a detailed step by step or video to
better understand the problem?

> Point 2)
> Which plugin or option is this output generated from?
>
> Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
> form: (category, subcategory, postal_code, distance, validated,
> form_build_id, form_id, op)" (post data: 24, query string: 3)

That's generated by audit plugins. They receive a fuzzable request
(similar to what a browser/regular user would send) and create mutants
(modified, ugly versions of the original request).

> Point 3)
> When I Stop the scan through w3af_gui, in the console output the core is
> still running, and therefore I am forced to hit Ctrl-C.. At that point I
> lose all the output that I had generated so far (results, etc).

Yep, known bug which sucks. You either wait for stop to work or
contribute to the project to fix the issue :)

> Point 4)
> When the scan is running, I did not see the HTML output file generated under
> ~/ which is where it usually saves it. Does it wait until the scan is
> completely done to save contents to it?

Before you had to wait. In the last month I modified output plugins to
write stuff to disk every N seconds (not sure what N is).

That change might be only in develop branch.

> This is why when I do Ctrl-C on step
> 4 I lose all output, since there is nothing saved on the file. I would
> suggest creating the file as soon as the scan starts and fill it up as the
> scan goes so output is not lost if for whatever reason the scan takes too
> long or if w3af freezes for example.
>
> Point 5)
> Is there a way to specify how much system memory w3af_gui can use?

No

> Under
> http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>
> it mentions the cache size of "10", but what does 10 refer to in terms of
> memory?

There is no way to know. This is the result of parsing an HTML page.
HTML pages can be huge in KB, but have only 2 links and 1 form, or be
really compact and with thousands of links.

> I am using Version 1.7.6 through Kali Linux 2.0.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

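The "Created 27 mutants" line from Point 2 above, reproduced as an added example (a sketch of the idea, not w3af's own code): one mutant per parameter per test string, with every other parameter left at its original value. The URL, the `q` query-string parameter, the field values and the three marker strings are assumptions, chosen so that the counts match the log line (8 form fields x 3 = 24, 1 query-string parameter x 3 = 3).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FuzzableRequest:
    """What a browser would send: the unmodified request."""
    method: str
    url: str
    query: tuple   # ((name, value), ...) from the query string
    form: tuple    # ((name, value), ...) from the URL encoded body


@dataclass(frozen=True)
class Mutant:
    """A copy of the request with exactly one parameter replaced."""
    location: str   # "query string" or "post data"
    parameter: str
    query: tuple
    form: tuple


def _replace_at(pairs, index, new_value):
    """Return pairs with the value at position index swapped for new_value."""
    return tuple((name, new_value if i == index else value)
                 for i, (name, value) in enumerate(pairs))


def create_mutants(request, test_strings):
    """One mutant per (parameter, test string); the rest stays untouched."""
    mutants = []
    for location, pairs in (("query string", request.query),
                            ("post data", request.form)):
        for index, (name, _) in enumerate(pairs):
            for test in test_strings:
                varied = _replace_at(pairs, index, test)
                query = varied if location == "query string" else request.query
                form = varied if location == "post data" else request.form
                mutants.append(Mutant(location, name, query, form))
    return mutants


def count_by_location(mutants):
    counts = {}
    for mutant in mutants:
        counts[mutant.location] = counts.get(mutant.location, 0) + 1
    return counts


def changed_parameters(request, mutant):
    """Names of the parameters whose value differs from the original."""
    original = request.query + request.form
    modified = mutant.query + mutant.form
    return [name for (name, old), (_, new) in zip(original, modified) if old != new]


# Constructed request: field names come from the log line, values are made up.
SAMPLE_REQUEST = FuzzableRequest(
    method="POST",
    url="https://target.example/search",
    query=(("q", "books"),),                      # assumed parameter
    form=(("category", "1"), ("subcategory", "2"), ("postal_code", "12345"),
          ("distance", "10"), ("validated", "1"), ("form_build_id", "form-abc"),
          ("form_id", "search_form"), ("op", "Search")),
)
# Harmless placeholders standing in for whatever strings a plugin sends.
TEST_STRINGS = ("MARKER_A", "MARKER_B", "MARKER_C")

if __name__ == "__main__":
    mutants = create_mutants(SAMPLE_REQUEST, TEST_STRINGS)
    print("Created %d mutants" % len(mutants), count_by_location(mutants))
```

The total is parameters times test strings, so every extra URL or form field found during crawling multiplies the number of requests the audit phase sends.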
From: ziadmo1 . <zi...@gm...> - 2015-09-24 18:01:30
Point 1)
Not sure if it's a bug or not. When I create a custom profile (based on OWASP top 10 for example), the changes don't take effect on the newly saved custom profile. For example, if I disable "infrastructure", and I click "save configuration to profile", then I select any other profile, when I get back to the "custom" profile I just created, I still see "infrastructure" as part of that profile.

Point 2)
Which plugin or option is this output generated from?

Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded form: (category, subcategory, postal_code, distance, validated, form_build_id, form_id, op)" (post data: 24, query string: 3)

Point 3)
When I Stop the scan through w3af_gui, in the console output the core is still running, and therefore I am forced to hit Ctrl-C. At that point I lose all the output that I had generated so far (results, etc).

Point 4)
When the scan is running, I did not see the HTML output file generated under ~/ which is where it usually saves it. Does it wait until the scan is completely done to save contents to it? This is why when I do Ctrl-C on step 4 I lose all output, since there is nothing saved on the file. I would suggest creating the file as soon as the scan starts and fill it up as the scan goes so output is not lost if for whatever reason the scan takes too long or if w3af freezes for example.

Point 5)
Is there a way to specify how much system memory w3af_gui can use?
Under http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory it mentions the cache size of "10", but what does 10 refer to in terms of memory?

I am using Version 1.7.6 through Kali Linux 2.0.
From: Joseph S. <jos...@ya...> - 2015-09-03 18:53:33
Hello,

After I perform a scan, I would like to share my results with others on my team. The HTML output doesn't seem very organized, and it's hard to go directly to the more severe alerts (it would be nice if there was an index or anchors in the output to allow one to go directly to various sections). But the results in the w3af GUI itself look great.

Is there a way to save the results to a file, and re-load them on a different system running w3af to share the results with others?

Thanks!

Regards,
Joseph Spenner

If life gives you lemons, keep them-- because hey.. free lemons.
"~heart~ Sticker" fixer: http://microflush.org/stuff/stickers/heartFix.html
From: 胡朕铭 <huz...@gm...> - 2015-08-27 12:09:05
Hi w3af

I am a star, I am from China
When I was in deployment w3af - webui met a thorny problem
Error is as follows:

Hope to get help, thank you!
From: Andres R. <and...@gm...> - 2015-08-06 17:28:13
List,

Just noticed that less than half the features I work on get announced on the mailing list, but I tweet about almost all of them. If you want to get the whole w3af news feed please follow me on twitter!

@w3af
https://twitter.com/w3af

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2015-08-06 17:26:21
List,

I've been working on a new feature during the last hours: Self contained profiles. The basic idea is that you're now able to save the profile (with all the referenced files) in one file. This is useful for sharing your complex configurations with others as well as running scans using the REST API.

More information about the new feature at [0]

If you're interested to test this feature please use the develop branch:

git clone gi...@gi...:andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console

Please report any bugs and issues at [1]

[0] http://docs.w3af.org/en/develop/basic-ui.html#saving-the-configuration
[1] https://github.com/andresriancho/w3af/issues/new

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2015-08-05 18:04:14
Lists,

The REST API milestone for w3af is coming to an end, the only pending feature is "Expose plugin and core (misc|http) configuration" [0] and OwenTuz is already working on it.

Before I move to other things... any feature requests for the REST API?

[0] https://github.com/andresriancho/w3af/issues/10616

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2015-08-04 17:10:40
Here are two easy tickets you can solve, it's your opportunity to contribute with w3af!

https://github.com/andresriancho/w3af/issues/10980
https://github.com/andresriancho/w3af/issues/9011

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2015-06-23 11:40:17
List,

Yesterday I completed the development of the REST API for w3af :) The documentation can be found here [0] and the code is ready to use in the develop branch:

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop

Before merging it to the master branch I would love to hear your opinions, bug reports, etc.

Thanks!

[0] http://docs.w3af.org/en/develop/api/index.html

PS: Adding to CC some people who were interested in this feature

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Mohammad A. <al...@ya...> - 2015-06-18 14:10:38
Hello all,

I have been testing the console version and discovered a few areas that are not working for me. It is possible that I am doing something wrong and wanted to reach out to you all.

The application I am testing is very dynamic, almost the entire UI is generated via JavaScript. Therefore, I had to use spiderman to generate a list of requests to feed the other plugins (i.e., audit, grep). I have used a cookie jar for authenticated access to bypass the login issue (too complex with too many redirects, CSRF tokens). The commands are listed below.

Here's what's not working:

1. Crawl import doesn't seem to import the requests. I have not seen anything in the debug log to indicate otherwise.
2. The fuzz parameters don't seem to do anything. I confirmed by running with and without the fuzz parameters. My expectation was the imported file (generated via spiderman) will be leveraged for the fuzz requests.

I am unable to share actual log files due to confidentiality requirement. Any help would be much appreciated!

*****

plugins
crawl config import_results
set input_csv /home/cay/in.csv
back
infrastructure afd,allowed_methods,fingerprint_os,server_header
audit all,!memcachei,!preg_replace
grep all
output console,text_file,html_file
output config text_file
set output_file /home/cay/output.txt
set http_output_file /home/cay/o
set verbose True
back
output config console
set verbose True
back
output config html_file
set verbose False
set template /home/cay/complete.html
set output_file /home/cay/o.html
back
output config export_requests
set output_file /home/cay/out.csv
back
back
http-settings
set cookie_jar_file /home/cay/cookie7
back
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
target
set target <url>
back
cleanup
start
exit
From: Andres R. <and...@gm...> - 2015-06-01 12:15:56
Christian,

On Mon, Jun 1, 2015 at 6:33 AM, <spa...@gm...> wrote:
> Hello,
>
> I didn't get it right to ignore some URLs during evaluation of a target webapp.
> Let's say the target URL should be
>
> http://test.host/foo/bar/index.html
>
> On this entry site there are two links (among others) which should NOT be considered for further investigation by W3AF:
>
> http://test.host/foo/search/
> http://test.host/print.html
>
> I didn't get it right yet trying for instance:
>
> set ignore_regex .*(search|print\.html)$
>
> or (to get rid of at least the first link)
>
> set ignore_regex .*search.*
>
> or even (trying to match the second URL to ignore)
>
> set ignore_regex .*print\.html$
>
> But W3AF always comes up with timeouts regarding both of the two URLs (the target webapp is running in a special test environment where the mentioned links are not backed by a responding application); it also lists the links in the report's section "URLs found during application scan".
>
> What am I doing wrong here? I've tested the regular expressions for compatibility issues regarding PERL's syntax etc. here:
>
> http://www.pythonregex.com/
>
> Thank you for any kind of help.

The regular expressions look good. Some ideas about what might be going on:

* These regular expressions only apply to the web spider [0]. If you have other plugins enabled and those plugins find the URLs then they will be crawled. If I don't remember incorrectly there is a framework-wide setting called non-target to avoid visiting a URL with ANY plugin
* You might add some print statements around these lines [1] to understand what's going on

[0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/web_spider.py
[1] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/crawl/web_spider.py#L283-L287

Regards,

> Christian
>
> ------------------------------------------------------------------------------
> _______________________________________________
> W3af-users mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-users

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
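An added check for the thread above (not part of either message and not w3af's code): it runs the three ignore_regex values from the question against the two links, assuming the spider applies the expression with Python's `re.match` to the full URL string. The URLs marked as constructed are extra variants for illustration.

```python
import re

# The three ignore_regex values quoted in the question.
PATTERNS = [
    r".*(search|print\.html)$",
    r".*search.*",
    r".*print\.html$",
]

URLS = [
    "http://test.host/foo/search/",          # link from the question
    "http://test.host/print.html",           # link from the question
    "http://test.host/foo/search",           # constructed: no trailing slash
    "http://test.host/print.html?page=2",    # constructed: query string
    "http://test.host/foo/bar/index.html",   # the target, must stay in scope
]


def is_ignored(pattern, url):
    """Assumption: the filter is anchored at the start of the URL (re.match)."""
    return re.compile(pattern).match(url) is not None


def ignore_matrix(patterns=PATTERNS, urls=URLS):
    """Map each pattern to the URLs it would exclude from crawling."""
    return {p: [u for u in urls if is_ignored(p, u)] for p in patterns}


def uncovered(pattern, must_ignore):
    """URLs that should be skipped but are not matched by the pattern."""
    return [u for u in must_ignore if not is_ignored(pattern, u)]


if __name__ == "__main__":
    for pattern, hits in ignore_matrix().items():
        print(pattern)
        for url in URLS:
            print("    %-7s %s" % ("IGNORE" if url in hits else "crawl", url))
```

Under that assumption the first pattern leaves `http://test.host/foo/search/` uncovered, because the trailing slash sits between `search` and `$`; the second and third patterns each match the link they were written for.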
From: <spa...@gm...> - 2015-06-01 09:33:43
Hello,

I didn't get it right to ignore some URLs during evaluation of a target webapp.
Let's say the target URL should be

http://test.host/foo/bar/index.html

On this entry site there are two links (among others) which should NOT be considered for further investigation by W3AF:

http://test.host/foo/search/
http://test.host/print.html

I didn't get it right yet trying for instance:

set ignore_regex .*(search|print\.html)$

or (to get rid of at least the first link)

set ignore_regex .*search.*

or even (trying to match the second URL to ignore)

set ignore_regex .*print\.html$

But W3AF always comes up with timeouts regarding both of the two URLs (the target webapp is running in a special test environment where the mentioned links are not backed by a responding application); it also lists the links in the report's section "URLs found during application scan".

What am I doing wrong here? I've tested the regular expressions for compatibility issues regarding PERL's syntax etc. here:

http://www.pythonregex.com/

Thank you for any kind of help.

Christian
From: Andres R. <and...@gm...> - 2015-05-28 18:54:08
List,

Just wanted to let you guys know that after a long fight with lxml I've been able to improve w3af's memory usage in an almost incredible way. As seen here [0]

Performance profiling of new develop branch (ab428c5):
* PSUtils measurement 25 (after 45 minutes of scan): 118.9 MB RSS
* Requests sent: 23955

Performance profiling of new develop branch (e32e529):
* PSUtils measurement 24 (after 45 minutes of scan): 1.2 GB RSS
* Requests sent: 23137

1.2GB vs. 119 MB. Not bad!

If you've got some spare minutes give the latest w3af (from the develop branch) a try!

[0] https://github.com/andresriancho/w3af/issues/9990

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3