Disposable emails for finding new links #1701

Open
andresriancho opened this issue Mar 24, 2014 · 8 comments

Comments

@andresriancho
Owner

One of the things that this software is missing is the analysis of the links that the target
site sends (for example) during the user registration process.

My idea is to integrate with restmail.net like this:

  • Configure MX disposable.w3af.org to point to restmail.net
  • Each w3af scan will generate a unique id
  • When w3af finds a form that expects an email it will input [email protected]
  • During the scan, w3af will check the unique email address
    using REST API
  • When the scan ends, it will remove the user/emails

https://github.com/mozilla/restmail.net
http://restmail.net/

@andresriancho
Owner Author

Talked with the Mozilla team, they asked me to set up my own restmail.net instance.

@andresriancho
Owner Author

Sent email to dotcloud support to see if they allow me to host it there, and if their infrastructure can be configured to open port 25 + forward traffic to it.

@andresriancho
Owner Author

Answer from dotcloud:

> I'm sorry, we don't have a way to give you a specific port, so you would not be able to expose port 25. You would have to run your own dedicated server and then either run your mail software on that server, or use that server to proxy port 25 to a TCP port on the dotCloud platform.

Buuuu!

@andresriancho andresriancho modified the milestone: Undefined Feb 5, 2015
@andresriancho
Owner Author

One more reason to implement this is explained in these two tweets:

To sum up, the user was worried that w3af was filling a registration form which sent emails to [email protected] which is a non-existent/bouncy email address. That makes the user's web site "look spammy" and might have an impact on their email sending capabilities (through a service like mandrill).

@PetitSebi

Hi, I was interested in this feature during an internship and I started to think about a way to implement it following your recommendations. What I did so far is a small program which can:

  1. Generate a unique user ID using uuid converted into a string -> [email protected] for the moment.
  2. Open Firefox through webdriver and fill out the form using the "AutoFill Form" Firefox plugin. (I'm not using the current form filler of w3af because I thought the user would need to check the parameters and fill out the rest of the form himself, for example captchas). The plugin is imported within a Firefox profile so that the user doesn't need to configure his browser before using w3af. The credentials are stored to be used later for login.
  3. Run a module to connect to the REST API and check for all emails during the scan. When an email is found, it localizes the core and finds all the links inside (links to confirm the registration on the website).

I still need to delete the users after each scan, and probably to run the 3rd point in a subprocess so as not to block the whole scan while checking for emails.

Here is my question:
Is this still a problem to solve on w3af? Because this feature has not been added to w3af yet, and there is nothing new about it since 2015 ^^ My supervisor and I would like to contribute to w3af but he wants to be sure that the issue #1701 is still relevant.

Thank you, hope we can help!
Sébastien
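
The flow proposed in this issue and prototyped in the comment above (a unique address per scan, then pulling links out of the received mail), as an added example that is not w3af code or code from either participant. The mailbox domain, the JSON shape (an array of messages with `text` and `html` fields) and all function names are assumptions, and the sample mailbox is constructed; only links on the scan target are kept, so third-party tracking URLs in the mail are never crawled.

```python
import json
import re
import uuid
from html import unescape
from urllib.parse import urlsplit

MAIL_DOMAIN = "disposable.example"  # placeholder domain (assumption)
URL_RE = re.compile(r"https?://[^\s<>\"')\[\]]+")


def scan_mailbox():
    """One mailbox per scan: a random local part that is not reused."""
    local = uuid.uuid4().hex
    return local, "%s@%s" % (local, MAIL_DOMAIN)


def in_scope(url, target_host):
    """True only for the target host or its subdomains (label-aligned match)."""
    host = (urlsplit(url).hostname or "").lower()
    return host == target_host or host.endswith("." + target_host)


def links_from_messages(raw_json, target_host):
    """Return unique in-scope links from the text and HTML parts of each mail."""
    found = []
    for msg in json.loads(raw_json):
        body = (msg.get("text") or "") + "\n" + unescape(msg.get("html") or "")
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;")  # drop sentence punctuation glued to the URL
            if in_scope(url, target_host) and url not in found:
                found.append(url)
    return found


# Constructed sample of a mailbox listing (assumed shape: a JSON array of
# messages with "text" and "html" fields); not captured from a real service.
SAMPLE = json.dumps([{
    "text": "Welcome! Confirm: https://shop.example/confirm?t=abc123&lang=en.",
    "html": '<a href="https://shop.example/confirm?t=abc123&amp;lang=en">ok</a>'
            '<img src="https://tracker.example/px?u=1">'
            '<a href="https://evilshop.example/confirm">x</a>',
}])

if __name__ == "__main__":
    mailbox_id, address = scan_mailbox()
    print(address)
    print(links_from_messages(SAMPLE, "shop.example"))
```
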

@andresriancho
Owner Author

Thanks for your detailed description and question.

This issue is still relevant, but was assigned lower priority than other issues since it is not so important. On the other hand, it is something interesting to work on as an intern since it involves various moving parts which need to work together.

I believe you implemented something worth reviewing and potentially integrating into w3af. The only thing I dislike is the use of selenium + webdriver + firefox, since that is a new project requirement which might not be easy to install on all platforms, and gives low added value (at least in this scenario).

Removing the users from the database after the w3af scan has finished is out of scope of w3af, but makes sense for specific scenarios.

If you're interested I can review your code, just upload it to a gist.github.com and I'll take a look.

@PetitSebi

Alright! Thanks a lot for suggesting to review my code. I will finish my internship soon, and I probably won't have the time to go over this part before I leave the company, but my colleague will continue my work. I will share with him all your advice and requirements.
About the browser, does it mean that we shouldn't run any graphical interface to fill out the forms? We will just cancel the automated registration when a captcha is found I guess.

@andresriancho
Owner Author

> About the browser, does it mean that we shouldn't run any graphical interface to fill out the forms? We will just cancel the automated registration when a captcha is found I guess.

If you want to have the browser for the internal version of the plugin that will run in your company, that is totally fine. For the version that will be included in w3af I would recommend against it. w3af is mostly a point and shoot tool: people want to input the URL, go have a coffee and see the results. They don't expect to be asked any questions (such as solving a CAPTCHA) during the scan.
