w3af-users Mailing List for w3af (Page 6)
Status: Beta
Brought to you by:
andresriancho
Menu
▾
▴
w3af-users — User mailing list
You can subscribe to this list here.
| 2007 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(6) |
Jul
(11) |
Aug
|
Sep
(9) |
Oct
(40) |
Nov
(20) |
Dec
(10) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 |
Jan
(77) |
Feb
(36) |
Mar
(54) |
Apr
(142) |
May
(37) |
Jun
(37) |
Jul
(71) |
Aug
(44) |
Sep
(15) |
Oct
(85) |
Nov
(61) |
Dec
(68) |
| 2009 |
Jan
(44) |
Feb
(41) |
Mar
(55) |
Apr
(18) |
May
(52) |
Jun
(51) |
Jul
(32) |
Aug
(21) |
Sep
(22) |
Oct
(28) |
Nov
(30) |
Dec
(11) |
| 2010 |
Jan
(6) |
Feb
(39) |
Mar
(28) |
Apr
(13) |
May
(29) |
Jun
(14) |
Jul
(28) |
Aug
(25) |
Sep
(19) |
Oct
(38) |
Nov
(40) |
Dec
(31) |
| 2011 |
Jan
(34) |
Feb
(36) |
Mar
(23) |
Apr
(27) |
May
(32) |
Jun
(48) |
Jul
(17) |
Aug
(25) |
Sep
(13) |
Oct
(16) |
Nov
(42) |
Dec
(39) |
| 2012 |
Jan
(15) |
Feb
(32) |
Mar
(37) |
Apr
(49) |
May
(10) |
Jun
(14) |
Jul
(9) |
Aug
(31) |
Sep
(27) |
Oct
(15) |
Nov
(24) |
Dec
(10) |
| 2013 |
Jan
(4) |
Feb
(33) |
Mar
(33) |
Apr
(31) |
May
(16) |
Jun
(31) |
Jul
(12) |
Aug
(43) |
Sep
(6) |
Oct
(21) |
Nov
(24) |
Dec
(15) |
| 2014 |
Jan
(8) |
Feb
(9) |
Mar
(42) |
Apr
(40) |
May
(37) |
Jun
(15) |
Jul
(30) |
Aug
(8) |
Sep
(20) |
Oct
(7) |
Nov
(1) |
Dec
(1) |
| 2015 |
Jan
(3) |
Feb
(11) |
Mar
(2) |
Apr
|
May
(3) |
Jun
(4) |
Jul
|
Aug
(5) |
Sep
(4) |
Oct
(4) |
Nov
(12) |
Dec
(11) |
| 2016 |
Jan
(5) |
Feb
|
Mar
|
Apr
|
May
(2) |
Jun
(2) |
Jul
(2) |
Aug
|
Sep
(17) |
Oct
(16) |
Nov
(7) |
Dec
|
| 2017 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(2) |
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
|
Nov
|
Dec
|
| 2018 |
Jan
|
Feb
|
Mar
(2) |
Apr
(6) |
May
(4) |
Jun
|
Jul
|
Aug
(2) |
Sep
(2) |
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
(3) |
Jun
(4) |
Jul
|
Aug
|
Sep
(2) |
Oct
(3) |
Nov
|
Dec
|
| 2020 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Andres R. <and...@gm...> - 2015-05-15 15:05:02
|
On Thu, May 14, 2015 at 11:28 AM, Shafeeque O.K [gmail] <sha...@gm...> wrote: > Hello, > > Is it possible for w3af to find web application vulnerabilities of CMS like > Joomla, Word Press? Yes > If so what are the plugin need to enabled. All audit plugins > Alos let me know > > Is there a way to get the scanning staus of W3af, and HTTP requests send by > w3af, so that it can be displayed to end user in real time. Yes, from the command line you can press "enter" and stats should be shown > We are trying to package w3af in our custom application. Then you'll have to read the code my friend. > Kindly clarify > > > Regards, > Shafeeque Olassery Kunnikkal C|EH,E|CSA,C|HFI,C|EI,MCP > > > ------------------------------------------------------------------------------ > One dashboard for servers and applications across Physical-Virtual-Cloud > Widest out-of-the-box monitoring support with 50+ applications > Performance metrics, stats and reports that give you Actionable Insights > Deep dive visibility with transaction tracing using APM Insight. > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y > _______________________________________________ > W3af-users mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-users > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
|
From: Shafeeque O.K [gmail] <sha...@gm...> - 2015-05-14 14:28:50
|
Hello, Is it possible for w3af to find web application vulnerabilities of CMS like Joomla, Word Press? If so what are the plugin need to enabled. Alos let me know Is there a way to get the scanning staus of W3af, and HTTP requests send by w3af, so that it can be displayed to end user in real time. We are trying to package w3af in our custom application. Kindly clarify Regards, Shafeeque Olassery Kunnikkal C|EH,E|CSA,C|HFI,C|EI,MCP |
|
From: Andres R. <and...@gm...> - 2015-03-04 16:39:24
|
Manori, On Wed, Mar 4, 2015 at 1:31 AM, Manori Wijesooriya <ma...@or...> wrote: > Hi... > > I'm a QA Engineer and doing a research on Security Testing. I found that > w3af is a very good tool which supports for so many vulnerability types and > authenticated tests as well. > I just tried the tool for testing CSRF attacks in a web application and same > application was tested with Tamper Data firefox add-on as well (need to test > page by page manually). I'm happy to say that I got the results almost > similar in both the tools. All sounds good! Happy to hear you're using w3af, > My intention was to evaluate w3af in order to get it adopted to our security > testing process and reduce the time taken for testing with Tamper tool. > Seems my evaluation got succeeded with positive results and seems we can use > w3af instead of Tamper Data and reduce lot of time. > > I used w3af with spider_man plugin and accessed the system manually and let > the tool run for auditing CSRF. That's a good practice, yes. > However, here we are having monthly releases and have to do the same testing > every month. In that case do I need to enable spider_man plugin and access > the whole system manually for each time? Isn't there a way to do this only > one time and get the urls saved and reuse them? Crawling can be an expensive process, which in some cases requires manual intervention (spider man plugin). In order to save all the URLs found during a scan it's possible to use the output.export_requests plugin which will write the URLs to a user configured file. Loading the saved data is achieved using the import_results plugin, which reads all the information and feeds it into w3af's core. Just added those two paragraphs to the docs [0], thanks for mentioning that it wasn't documented. My only extra comment is that by using this method you're missing on all the new URLs which might be added between releases. Another way to achieve the same would be to configure your automated tests (which might use Selenium or similar technology) to use spider_man as a proxy. That will feed all the URLs to spider_man automagically. [0] https://github.com/andresriancho/w3af/blob/develop/doc/sphinx/common-use-cases.rst#saving-urls-and-using-them-as-input-for-other-scans > Even though there are lots of tutorials and mailing lists over the internet, > couldn't find an answer for this. Please be kind enough to help me and let > me know whether this is possible with w3af. Thanks in advance. > > > Regards, > -- > > Manori Wijesooriya > QA Engineer | OrangeHRM Inc. > > www.orangehrm.com | www.orangehrmlive.com > Twitter | LinkedIn | Facebook > > ------------------------------------------------------------------------------ > Dive into the World of Parallel Programming The Go Parallel Website, > sponsored > by Intel and developed in partnership with Slashdot Media, is your hub for > all > things parallel software development, from weekly thought leadership blogs > to > news, videos, case studies, tutorials and more. Take a look and join the > conversation now. http://goparallel.sourceforge.net/ > _______________________________________________ > W3af-users mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-users > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
|
From: Manori W. <ma...@or...> - 2015-03-04 05:26:33
|
Hi... I'm a QA Engineer and doing a research on Security Testing. I found that w3af is a very good tool which supports for so many vulnerability types and authenticated tests as well. I just tried the tool for testing CSRF attacks in a web application and same application was tested with Tamper Data firefox add-on as well (need to test page by page manually). I'm happy to say that I got the results almost similar in both the tools. My intention was to evaluate w3af in order to get it adopted to our security testing process and reduce the time taken for testing with Tamper tool. Seems my evaluation got succeeded with positive results and seems we can use w3af instead of Tamper Data and reduce lot of time. I used w3af with spider_man plugin and accessed the system manually and let the tool run for auditing CSRF. However, here we are having monthly releases and have to do the same testing every month. In that case do I need to enable spider_man plugin and access the whole system manually for each time? Isn't there a way to do this only one time and get the urls saved and reuse them? Even though there are lots of tutorials and mailing lists over the internet, couldn't find an answer for this. Please be kind enough to help me and let me know whether this is possible with w3af. Thanks in advance. Regards, -- *Manori Wijesooriya*QA Engineer | *OrangeHRM Inc.* www.orangehrm.com | www.orangehrmlive.com Twitter <http://twitter.com/#%21/search/orangehrm> | LinkedIn <http://www.linkedin.com/groups?gid=891077&trk=hb_side_g>* | *Facebook <http://www.facebook.com/OrangeHRM> |
|
From: Andres R. <and...@gm...> - 2015-02-26 14:15:03
|
List,
Just released 1.6.45 [0] which includes a ton of improvements:
* HTTP response parsers are now run in a different process
* Added support for SSL's SNI using OpenSSL
* Added support for scanning servers with specific SSL protocols
disabled (poodle)
* Added new platforms to the dependency check
* Run w3af inside docker
* Updated sqlmap
* Performance improvements in core classes
* Improved profiling capabilities (internal use only)
* Improved exception handling to catch more descriptive tracebacks
* Added new plugins for web sockets and RFD
* Better error handling for HTTP requests
* Huge reducion of memory usage in phishtank plugin
* >100 bugs fixed
You can get this by doing:
cd w3af/
git pull
./w3af_console
Most likely you'll have to update some pip and OS packages, after
that you're good to go. Let me know how it goes and as usual report
all the bugs here [1]
[0] https://github.com/andresriancho/w3af/releases/tag/1.6.45
[1] https://github.com/andresriancho/w3af/issues/new
Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
|
From: Carlos P. <car...@ya...> - 2015-02-19 18:32:00
|
Me faltaba la cita
State of the Art Infrastructure
State of the art infrastructure with the latest software tools to ensure a comprehensive learning experience.
Quizás les falta CSK
On Thursday, February 19, 2015 3:28 PM, Carlos Pantelides <car...@ya...> wrote:
> Hi
>
> Require an immediate support.
Parece que tienen un curso comprometido de EH y les falta una herramienta, jaja. ¿Cuál era la definición de hacker? ¿Algo que ver con que se las puede arreglar solito, no?
Español a propósito
Charly
|
|
From: Carlos P. <car...@ya...> - 2015-02-19 18:28:55
|
> Hi > > Require an immediate support. Parece que tienen un curso comprometido de EH y les falta una herramienta, jaja. ¿Cuál era la definición de hacker? ¿Algo que ver con que se las puede arreglar solito, no? Español a propósito Charly |
|
From: Andres R. <and...@gm...> - 2015-02-19 11:55:41
|
Miguel,
Please read inline,
On Thu, Feb 19, 2015 at 5:49 AM, Miguel Ángel Martínez Martínez
<mig...@ho...> wrote:
> Hallo!,
>
> I am a beginner user regarding W3af. I am scanning several external web
> pages with the following configuration:
>
> profile: full_audit / OWASP_TOP10
> max_requests_per_second: 2
That's REALLY LOW, 2 requests per second is going to slow down the
scan horribly.
> 1. The scan of a specific web page takes a lot to finish and in the end,
> this error happens:
>
> Database disk image is malformed
Are you able to reproduce this every time you run the scan? If so,
please follow this [0] guide to report a bug with all the info we'll
need to fix it
[0] http://docs.w3af.org/en/latest/report-a-bug.html
> As a result, the html report has no content.
>
> 2. The scan of another web page finishes very quickly (it takes less than a
> minute), but I am afraid that it's being blocked.
>
> **IMPORTANT** The following error was detected by w3af and couldn't be
> resolved: w3af found too many consecutive errors while performing HTTP
> requests. In most cases this means that the remote web server is not
> reachable anymore, the network is down, or a WAF is blocking our tests. The
> last error message was "HTTP timeout error after 10.0 seconds."
>
> How can I try to evade the system that is blocking the test?
If it finishes so quickly the remote system might be blocking
connections based on the user agent, you can try to change that in
w3af's configuration.
> Thanks & regards.
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
> _______________________________________________
> W3af-users mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
|
From: Miguel Á. M. M. <mig...@ho...> - 2015-02-19 08:49:46
|
Hallo!, I am a beginner user regarding W3af. I am scanning several external web pages with the following configuration: profile: full_audit / OWASP_TOP10 max_requests_per_second: 2 1. The scan of a specific web page takes a lot to finish and in the end, this error happens: Database disk image is malformed As a result, the html report has no content. 2. The scan of another web page finishes very quickly (it takes less than a minute), but I am afraid that it's being blocked. **IMPORTANT** The following error was detected by w3af and couldn't be resolved: w3af found too many consecutive errors while performing HTTP requests. In most cases this means that the remote web server is not reachable anymore, the network is down, or a WAF is blocking our tests. The last error message was "HTTP timeout error after 10.0 seconds." How can I try to evade the system that is blocking the test? Thanks & regards. |
|
From: Hussam <hus...@gm...> - 2015-02-18 11:50:18
|
Andres Riancho <andres.riancho@...> writes: > > Hussam, > > Which w3af version are you using? Could you please run these > commands and send us the output? > > ./w3af_console --version > > git rev-parse HEAD > > On Sun, Feb 8, 2015 at 9:17 AM, Hussam Alamza <eng.hussam.dh <at> gmail.com> wrote: > > Hello people, > > after the succession in fulfilling all w3af desires of python > > packages, now I am getting the following error when running > > w3af_console (in centos 6.6): > > > > Error while reading plugin options: > > "Failed to get an instance of "phpinfo". Original exception: > > "__init__() got an unexpected keyword argument 'table_prefix'". > > Traceback for this error: Traceback (most recent call last): > > File "/root/w3af/w3af/ core/controllers/misc/ factory.py", line 62, in factory > > inst = a_class(*args) > > File "/root/w3af/w3af/ plugins/crawl/phpinfo.py", line 54, in __init__ > > self._analyzed_dirs = DiskSet(table_prefix='phpinfo') > > TypeError: __init__() got an unexpected keyword argument 'table_prefix' > > " > > > > so any help with this would be appreciable. > > Thank you in advance > > > > ------------------------------------------------------------------------------ > > Dive into the World of Parallel Programming. The Go Parallel Website, > > sponsored by Intel and developed in partnership with Slashdot Media, is your > > hub for all things parallel software development, from weekly thought > > leadership blogs to news, videos, case studies, tutorials and more. Take a > > look and join the conversation now. http:// goparallel.sourceforge.net/ > > _______________________________________________ > > W3af-users mailing list > > W3af-users <at> lists.sourceforge.net > > https:// lists.sourceforge.net/lists/ listinfo/w3af-users > thank you sir the problem is solved now i just recloned the w3af git repository and all working now |
|
From: Andres R. <and...@gm...> - 2015-02-17 13:32:53
|
Shafeeque, On Tue, Feb 17, 2015 at 5:55 AM, Shafeeque O.K [gmail] <sha...@gm...> wrote: > Hi > > Require an immediate support. Hahaha, this is not a product for which you get a support 1-800 number, anyways, some comments below. > Unable to install w3af in kali - 1.1.0 > > Error: > Your python installation needs the following modules to run w3af: > git.util scapy.config > > After installing any missing operating system packages, use pip to install > the remaining modules: > sudo pip install GitPython==0.3.2.RC1 scapy-real==2.2.0-dev > A script with these commands has been created for you at > /tmp/w3af_dependency_install.sh > > My system configurations are given below. > > lsb_release -a > No LSB modules are available. > Distributor ID: Kali > Description: Kali GNU/Linux 1.1.0 > Release: 1.1.0 > > codename : moto > > pip freeze | grep futures > > futures==2.1.5 > > pip freeze | grep git > gitdb==0.6.4 > > python --version > Python 2.7.3 > > content of /tmp/w3af_dependency_install.sh > > #!/bin/bash > sudo pip install GitPython==0.3.2.RC1 scapy-real==2.2.0-dev > > Please support. You never tell which version of w3af you're trying to install. Here are some options: * apt-get install w3af , that command will install w3af in Kali for you. It's not the latest and greatest but it should work well for most cases. * Download the latest from our repository. You can use the master or develop branch, the commands here [0] might help you install the develop branch. [0] http://w3af.org/testing-before-mondays-release Regards, > > Regards, > Shafeeque Olassery Kunnikkal C|EH,C|EI > Graytips Cyber Technologies | www.graytips.com > > > > > > ------------------------------------------------------------------------------ > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > from Actuate! Instantly Supercharge Your Business Reports and Dashboards > with Interactivity, Sharing, Native Excel Exports, App Integration & more > Get technology previously reserved for billion-dollar corporations, FREE > http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk > _______________________________________________ > W3af-users mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-users > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
|
From: Shafeeque O.K [gmail] <sha...@gm...> - 2015-02-17 08:56:04
|
Hi Require an immediate support. Unable to install w3af in kali - 1.1.0 Error: Your python installation needs the following modules to run w3af: git.util scapy.config After installing any missing operating system packages, use pip to install the remaining modules: sudo pip install GitPython==0.3.2.RC1 scapy-real==2.2.0-dev A script with these commands has been created for you at /tmp/w3af_dependency_install.sh My system configurations are given below. lsb_release -a No LSB modules are available. Distributor ID: Kali Description: Kali GNU/Linux 1.1.0 Release: 1.1.0 codename : moto pip freeze | grep futures futures==2.1.5 pip freeze | grep git gitdb==0.6.4 python --version Python 2.7.3 content of /tmp/w3af_dependency_install.sh #!/bin/bash sudo pip install GitPython==0.3.2.RC1 scapy-real==2.2.0-dev Please support. Regards, Shafeeque Olassery Kunnikkal C|EH,C|EI Graytips Cyber Technologies | www.graytips.com |
|
From: Andres R. <and...@gm...> - 2015-02-16 22:23:47
|
Hussam,
Which w3af version are you using? Could you please run these
commands and send us the output?
./w3af_console --version
git rev-parse HEAD
On Sun, Feb 8, 2015 at 9:17 AM, Hussam Alamza <eng...@gm...> wrote:
> Hello people,
> after the succession in fulfilling all w3af desires of python
> packages, now I am getting the following error when running
> w3af_console (in centos 6.6):
>
> Error while reading plugin options:
> "Failed to get an instance of "phpinfo". Original exception:
> "__init__() got an unexpected keyword argument 'table_prefix'".
> Traceback for this error: Traceback (most recent call last):
> File "/root/w3af/w3af/core/controllers/misc/factory.py", line 62, in factory
> inst = a_class(*args)
> File "/root/w3af/w3af/plugins/crawl/phpinfo.py", line 54, in __init__
> self._analyzed_dirs = DiskSet(table_prefix='phpinfo')
> TypeError: __init__() got an unexpected keyword argument 'table_prefix'
> "
>
> so any help with this would be appreciable.
> Thank you in advance
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> W3af-users mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-users
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
|
From: Hussam A. <eng...@gm...> - 2015-02-08 12:17:25
|
Hello people,
after the succession in fulfilling all w3af desires of python
packages, now I am getting the following error when running
w3af_console (in centos 6.6):
Error while reading plugin options:
"Failed to get an instance of "phpinfo". Original exception:
"__init__() got an unexpected keyword argument 'table_prefix'".
Traceback for this error: Traceback (most recent call last):
File "/root/w3af/w3af/core/controllers/misc/factory.py", line 62, in factory
inst = a_class(*args)
File "/root/w3af/w3af/plugins/crawl/phpinfo.py", line 54, in __init__
self._analyzed_dirs = DiskSet(table_prefix='phpinfo')
TypeError: __init__() got an unexpected keyword argument 'table_prefix'
"
so any help with this would be appreciable.
Thank you in advance
|
|
From: Andres R. <and...@gm...> - 2015-02-04 21:17:25
|
List,
I'm near a rather big merge from the develop branch into master,
that means that in a while most of you will get a message asking if
you want to update your w3af installs or not.
This is great!, but before doing it I want a few of you to test
the develop branch and report any issues you find. More information
about testing can be found here [0], but the main steps are:
cd ~
apt-get install -y python-pip # This step might change in your OS
pip install --upgrade pip
pip install virtualenv
mkdir w3af-release
cd w3af-release
virtualenv --system-site-packages venv
. venv/bin/activate
git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_gui
. /tmp/w3af_dependency_install.sh
After that, please run a scan :) Any bugs in the installation,
scan, etc. should go here [1].
Thanks!
[0] http://w3af.org/testing-before-mondays-release
[1] https://github.com/andresriancho/w3af/issues/new
Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
|
From: Sergey <w3...@ko...> - 2015-01-19 12:36:03
|
On 19.01.2015 15:12, Andres Riancho wrote: > Sergey, > > On Mon, Jan 19, 2015 at 8:12 AM, Sergey <w3...@ko...> wrote: >> Hi, everyone. >> >> I'm trying to execute w3af scans of multiple domains in parallel with >> multiprocessing package http://pastebin.com/ha2K4NCP >> >> This script fails with AssertionError: No calls to SQLiteDBMS can be >> made after stop(). >> http://pastebin.com/G7vS63TG > > There are parts of w3af which are run at module import (things such as > the default database singleton), so you might want to move the line > "from w3af.core.controllers.w3afCore import w3afCore" inside the > multiprocessing target function Thank you, Andres. Your solution works just fine. >> If I switch to multiprocessing.dummy (threads), script seems to work. > > Yes, that's because that uses threads, which share the same singleton > >> But I want to execute scans in isolation, that's why I'm trying to use >> processes not threads. >> >> Is there some issue which prevents such usage of w3af library? >> >> And btw why does w3af forbid scanning of multiple domains? "You >> specified more than one target domain: ... And w3af can only scan one >> target domain at a time." > > Yes, this is an architectural decision. If you want to discuss this in > depth, have good reasons and want to spend time with a pull-request, I > might be open to accepting/merging it. I think I don't know w3af code good enough to make such proposals yet. |
|
From: Andres R. <and...@gm...> - 2015-01-19 12:13:23
|
Sergey, On Mon, Jan 19, 2015 at 8:12 AM, Sergey <w3...@ko...> wrote: > Hi, everyone. > > I'm trying to execute w3af scans of multiple domains in parallel with > multiprocessing package http://pastebin.com/ha2K4NCP > > This script fails with AssertionError: No calls to SQLiteDBMS can be > made after stop(). > http://pastebin.com/G7vS63TG There are parts of w3af which are run at module import (things such as the default database singleton), so you might want to move the line "from w3af.core.controllers.w3afCore import w3afCore" inside the multiprocessing target function > If I switch to multiprocessing.dummy (threads), script seems to work. Yes, that's because that uses threads, which share the same singleton > But I want to execute scans in isolation, that's why I'm trying to use > processes not threads. > > Is there some issue which prevents such usage of w3af library? > > And btw why does w3af forbid scanning of multiple domains? "You > specified more than one target domain: ... And w3af can only scan one > target domain at a time." Yes, this is an architectural decision. If you want to discuss this in depth, have good reasons and want to spend time with a pull-request, I might be open to accepting/merging it. > ------------------------------------------------------------------------------ > New Year. New Location. New Benefits. New Data Center in Ashburn, VA. > GigeNET is offering a free month of service with a new server in Ashburn. > Choose from 2 high performing configs, both with 100TB of bandwidth. > Higher redundancy.Lower latency.Increased capacity.Completely compliant. > http://p.sf.net/sfu/gigenet > _______________________________________________ > W3af-users mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-users -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
|
From: Sergey <w3...@ko...> - 2015-01-19 11:34:47
|
Hi, everyone. I'm trying to execute w3af scans of multiple domains in parallel with multiprocessing package http://pastebin.com/ha2K4NCP This script fails with AssertionError: No calls to SQLiteDBMS can be made after stop(). http://pastebin.com/G7vS63TG If I switch to multiprocessing.dummy (threads), script seems to work. But I want to execute scans in isolation, that's why I'm trying to use processes not threads. Is there some issue which prevents such usage of w3af library? And btw why does w3af forbid scanning of multiple domains? "You specified more than one target domain: ... And w3af can only scan one target domain at a time." |
|
From: Andres R. <and...@gm...> - 2014-12-31 20:02:51
|
List,
In some specific cases w3af hangs and the scan never finishes, one
of those cases was reported here [0] and today I was able to
(hopefully) fix it. It seems that the issue was the PDF parser we are
using, which has an endless loop.
We could try to fix the third party library, but in the future
they (or other third party lib) or even w3af's code might introduce
another of those ugly bugs, so I decided to add some timeouts here [1]
and there [2] to limit the amount of time that plugins and parsers can
run. The time limitation is rather high, so it should only be
triggered when something is really wrong.
If you've got some minutes during the holidays and want to
contribute with some testing please
cd w3af
git pull
git checkout feature/stopit
./w3af_console
# update pip
# install new dependency
./w3af_console
Run a couple of scans and let me know if something is really
wrong. Thanks and happy 2015!
[0] https://github.com/andresriancho/w3af/issues/6723
[1] https://github.com/andresriancho/w3af/commit/735a3ed29378c430900254d66ca3f59ad366502f
[2] https://github.com/andresriancho/w3af/commit/c5be6aac0657fe4c77e2e80cf726d58b2ccaa9d7
Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
|
From: Andres R. <and...@gm...> - 2014-11-02 19:50:31
|
Ali, On Fri, Oct 31, 2014 at 12:24 PM, Ali Khalfan <ali...@gm...> wrote: > Whilte I'm crawling a website, I realized that when the phpinfo crawler > is crawling through a captcha the crawler gets stuck. This might be due > to the fact that the captcha generates a different response and every > time it will try a new request on the same page > > Does this make sense? Well, crawl infinite loops are always bugs, so... no, it doesn't make sense. In order for me to fix this I would need you to do at least one of these: - Send me the HTTP log of a w3af scan where this infinite loop happens. You can of course sanitize the scan log to remove the site name, text, etc. - Send me the URL in private so I can better understand what's going on - Send me a PoC site (in a zip file) which I can use to reproduce the issue > > Ali > > ------------------------------------------------------------------------------ > _______________________________________________ > W3af-users mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-users -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
|
From: Ali K. <ali...@gm...> - 2014-10-31 15:24:34
|
Whilte I'm crawling a website, I realized that when the phpinfo crawler is crawling through a captcha the crawler gets stuck. This might be due to the fact that the captcha generates a different response and every time it will try a new request on the same page Does this make sense? Ali |
|
From: Andrew K. <aki...@gm...> - 2014-10-29 21:05:45
|
Totally not a w3af issue. You should be using screen to hold jobs you leave running then close ssh sessions. http://www.princessleia.com/sshscreen.php On Wed, Oct 29, 2014 at 3:51 PM, Andres Riancho <and...@gm...> wrote: > Aman, > > On Wed, Oct 29, 2014 at 4:10 PM, Aman Thakur <ama...@gm...> > wrote: > > Hi Guys, > > Good Day!! > > > > I am trying to automate the w3af scanning process in my LAN. But i am > having > > hard time with it. > > > > What i have done till now is that. I have made a small http server in > > python. In which, i am passing the domain name of my own website. > > eg: $ 192.168.1.100:8080/?website=www.mywebsite.com > > > > When i run the http server by sshing to the server and running it in > > background using the ampersand(&). So, if my ssh session is on and i > send a > > request to scan from my other machine on the LAN, then it starts the scan > > and shows it in my ssh session screen. > > $ runserver & > > > > But if i end my session, after running the server in the background with > the > > following commands: > > $ runserver& > > $ exit > > > > Then, it creates the process but it never finishes the process or scan. I > > can see the w3af_console process in the result of $ ps aux command but it > > never finishes it. > > > > Can anyone suggest me something about it? Can we do a scan by invoking > the > > w3af_console in the background? Is running the w3af in background > possible > > on a machine? > > I believe this issue is not related to w3af, but maybe some links might > help: > > * http://www.celeryproject.org/ > * https://docs.python.org/2/library/subprocess.html > > In case this is related to w3af, the way to discover that is to enable > text_file output and debug the output. > > > Thanks > > > > With Regards > > Aman Thakur > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > W3af-users mailing list > > W3a...@li... > > https://lists.sourceforge.net/lists/listinfo/w3af-users > > > > > > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 > > > ------------------------------------------------------------------------------ > _______________________________________________ > W3af-users mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-users > |
|
From: Andres R. <and...@gm...> - 2014-10-29 19:52:02
|
Aman, On Wed, Oct 29, 2014 at 4:10 PM, Aman Thakur <ama...@gm...> wrote: > Hi Guys, > Good Day!! > > I am trying to automate the w3af scanning process in my LAN. But i am having > hard time with it. > > What i have done till now is that. I have made a small http server in > python. In which, i am passing the domain name of my own website. > eg: $ 192.168.1.100:8080/?website=www.mywebsite.com > > When i run the http server by sshing to the server and running it in > background using the ampersand(&). So, if my ssh session is on and i send a > request to scan from my other machine on the LAN, then it starts the scan > and shows it in my ssh session screen. > $ runserver & > > But if i end my session, after running the server in the background with the > following commands: > $ runserver& > $ exit > > Then, it creates the process but it never finishes the process or scan. I > can see the w3af_console process in the result of $ ps aux command but it > never finishes it. > > Can anyone suggest me something about it? Can we do a scan by invoking the > w3af_console in the background? Is running the w3af in background possible > on a machine? I believe this issue is not related to w3af, but maybe some links might help: * http://www.celeryproject.org/ * https://docs.python.org/2/library/subprocess.html In case this is related to w3af, the way to discover that is to enable text_file output and debug the output. > Thanks > > With Regards > Aman Thakur > > ------------------------------------------------------------------------------ > > _______________________________________________ > W3af-users mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-users > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
|
From: Aman T. <ama...@gm...> - 2014-10-29 19:11:04
|
Hi Guys, Good Day!! I am trying to automate the w3af scanning process in my LAN. But i am having hard time with it. What i have done till now is that. I have made a small http server in python. In which, i am passing the domain name of my own website. eg: $ 192.168.1.100:8080/?website=www.mywebsite.com When i run the http server by sshing to the server and running it in background using the ampersand(&). So, if my ssh session is on and i send a request to scan from my other machine on the LAN, then it starts the scan and shows it in my ssh session screen. $ runserver & But if i end my session, after running the server in the background with the following commands: $ runserver& $ exit Then, it creates the process but it never finishes the process or scan. I can see the w3af_console process in the result of $ ps aux command but it never finishes it. Can anyone suggest me something about it? Can we do a scan by invoking the w3af_console in the background? Is running the w3af in background possible on a machine? Thanks With Regards Aman Thakur |
|
From: Andres R. <and...@gm...> - 2014-10-28 11:17:25
|
List,
I'm trying to fix w3af [0] in order to be able to scan sites which
have disabled SSLv3 because of the POODLE vulnerability, and I'm
seeing some strange behaviour in the logs. The problem is that even
when I tell python to use TLS (version 3 in ssl.py) it seems to use
SSLv3 (don't confuse the previous three with this one):
SSL connection error occurred with protocol 1: '[Errno 1] _ssl.c:510:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure'
SSL connection error occurred with protocol 3: '[Errno 1] _ssl.c:510:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure'
SSL connection error occurred with protocol 2: '[Errno 1] _ssl.c:510:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure'
In the first line w3af tries to connect to the host using protocol
1 and fails, because it's disabled server-side. The second line shows
how w3af tries to start a connection with TLSv1 (protocol 3) but then
it says "SSL3_READ_BYTES:sslv3"... why is this? What am I doing wrong?
You can see the patch here [1]
[0] https://github.com/andresriancho/w3af/issues/5802
[1] https://github.com/andresriancho/w3af/commit/4d3da21fb4f779891b0931826f65431f8e3e0a51#diff-fb2412155fd3f437748e8b4bd0282e68R893
Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
27 messages has been excluded from this view by a project administrator.
