Authentication data is not used by w3af during scan #7665
Thanks for reporting this issue. First your final questions: 1- I don't believe that would help, but you could grep w3af's source and replace those strings. Could you please download w3af from this repository, switch to the
OK, it will take me some time as I first need to complete the PT, but I promise to do it and report back. Eitan
@eitancaspi ping!
pong! Not there yet, it will take some time... :(
This is confirmed to work
Going to test in the GUI, I also expect it to work. If it does, then I'll change the priority of this issue to low and its milestone to undefined until I either get more data from @eitancaspi or close it because it's inactive
This works:

```ini
[profile]
description = auth_test
name = auth_test
[output.console]
verbose = True
[auth.detailed]
username = [email protected]
password = passw0rd
username_field = username
password_field = password
auth_url = http://127.0.0.1:8000/auth/auth_1/login_form.py
check_url = http://127.0.0.1:8000/auth/auth_1/post_auth_xss.py
check_string = or read your input
data_format = %u=%U&%p=%P&Login=Login
method = POST
[target]
target = http://127.0.0.1:8000/auth/auth_1/
[misc-settings]
fuzz_cookies = False
fuzz_form_files = True
fuzz_url_filenames = False
fuzz_url_parts = False
fuzzed_files_extension = gif
fuzzable_headers =
form_fuzzing_mode = tmb
stop_on_first_exception = False
max_discovery_time = 120
interface = wlan1
local_ip_address = 10.5.6.13
non_targets =
msf_location = /opt/metasploit3/bin/
[http-settings]
timeout = 15
headers_file =
basic_auth_user =
basic_auth_passwd =
basic_auth_domain =
ntlm_auth_domain =
ntlm_auth_user =
ntlm_auth_passwd =
ntlm_auth_url =
cookie_jar_file =
ignore_session_cookies = False
proxy_port = 8080
proxy_address =
user_agent = w3af.org
rand_user_agent = False
max_file_size = 400000
max_http_retries = 2
max_requests_per_second = 0
always_404 =
never_404 =
string_match_404 =
url_parameter =
[crawl.web_spider]
only_forward = True
follow_regex = .*
ignore_regex = .*logout.*
[audit.xss]
```
All tested at e78fc00 |
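The profile in the comment above drives w3af's auth.detailed plugin: it POSTs data_format to auth_url with the %u/%U and %p/%P placeholders expanded (the username field name and value, then the password field name and value), then fetches check_url and treats the session as logged in only while check_string appears in that page. The script below is an added example, not w3af code and not anything posted in this thread: it re-implements that login/check flow in plain Python so an [auth.detailed] section can be validated before a scan, which is the quickest way to tell a wrong field name or password apart from a plugin bug. The target it talks to is a constructed in-process login app; the hostnames, ports, credentials, paths and the fact that substituted values are form-encoded are all assumptions of the example, not behaviour the page confirms for w3af.

```python
"""Check a w3af [auth.detailed] section the way the plugin uses it.

Added example (not w3af code): POST data_format to auth_url with
%u/%U/%p/%P expanded, then GET check_url and require check_string in
the body. A constructed toy login app stands in for the target so the
script runs offline; names, ports and credentials are assumptions.
"""
import configparser
import http.cookiejar
import http.cookies
import re
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from wsgiref.simple_server import WSGIRequestHandler, make_server

# Constructed profile fragment; {port} is filled in once the toy server is up.
PROFILE_TEMPLATE = """\
[auth.detailed]
username = tester@example.com
password = passw0rd
username_field = username
password_field = password
auth_url = http://127.0.0.1:{port}/login
check_url = http://127.0.0.1:{port}/post_auth
check_string = Logged in as
data_format = %u=%U&%p=%P&Login=Login
method = POST
"""


def load_auth_section(profile_text):
    """Return the [auth.detailed] options as a dict. Interpolation is off
    because the placeholders themselves use '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profile_text)
    return dict(cp["auth.detailed"])


def render_login_body(cfg):
    """Expand data_format in a single pass: %u/%p are the field names,
    %U/%P the values. Form-encoding the values is this example's choice
    (assumption), so a password containing '&' or '=' cannot split the body."""
    mapping = {
        "%u": cfg["username_field"],
        "%U": urllib.parse.quote_plus(cfg["username"]),
        "%p": cfg["password_field"],
        "%P": urllib.parse.quote_plus(cfg["password"]),
    }
    return re.sub(r"%[uUpP]", lambda m: mapping[m.group(0)], cfg["data_format"])


def session_is_alive(body, check_string):
    """The plugin's liveness rule: check_string must appear in check_url's body."""
    return check_string in body


def verify_auth(cfg):
    """Log in with the profile's settings and report whether check_url then
    shows an authenticated session. One cookie jar spans both requests."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(
        cfg["auth_url"],
        data=render_login_body(cfg).encode(),
        method=cfg.get("method", "POST").upper(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        opener.open(req, timeout=5).read()  # a 4xx here is a failed login
    except urllib.error.HTTPError:
        return False
    try:
        page = opener.open(cfg["check_url"], timeout=5).read()
    except urllib.error.HTTPError as exc:  # e.g. 401/403 when not logged in
        page = exc.read()
    return session_is_alive(page.decode("utf-8", "replace"), cfg["check_string"])


# --- constructed target: a minimal cookie-session login app (assumption) ---
VALID_USER, VALID_PASS = "tester@example.com", "passw0rd"
SESSIONS = set()


def toy_app(environ, start_response):
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    if path == "/login" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = urllib.parse.parse_qs(environ["wsgi.input"].read(size).decode())
        if form.get("username") == [VALID_USER] and form.get("password") == [VALID_PASS]:
            sid = secrets.token_hex(8)
            SESSIONS.add(sid)
            start_response("200 OK", [("Content-Type", "text/plain"),
                                      ("Set-Cookie", "sid=%s; HttpOnly" % sid)])
            return [b"welcome"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"bad credentials"]
    if path == "/post_auth":
        cookies = http.cookies.SimpleCookie(environ.get("HTTP_COOKIE", ""))
        sid = cookies["sid"].value if "sid" in cookies else None
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"Logged in as tester" if sid in SESSIONS else b"please log in"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


class _Quiet(WSGIRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def demo(username=VALID_USER, password=VALID_PASS):
    """Start the toy app on a free port, run the check with the given
    credentials and return True only if check_url shows a live session."""
    srv = make_server("127.0.0.1", 0, toy_app, handler_class=_Quiet)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        cfg = load_auth_section(PROFILE_TEMPLATE.format(port=srv.server_port))
        cfg.update(username=username, password=password)
        return verify_auth(cfg)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("correct credentials:", demo())
    print("wrong password:     ", demo(password="wrong"))
```

Run it against a real target by replacing PROFILE_TEMPLATE with the [auth.detailed] section from your own profile and calling verify_auth() on it; a False result means the credentials, field names, check_url or check_string are wrong for that application, and fixing those in the profile comes before suspecting the plugin. If the request in w3af's request-response log still shows placeholder values rather than your own, the profile section is not being loaded at all.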
Hello,
I use version 1.6.0.5.
I am attempting to check that my login data is working correctly in w3af, so I enabled "web_spider" and once "auth -> generic" and once "auth -> detailed" (but not both at the same time).
I filled all the fields and saved both at the scan level and at the profile level - and run the profile.
Immediately I get in the log console the error of "The uri parameter of ExtendedUrllib.POST() must be of url.URL type", which I have seen mentioned in other issues here - so it seems like w3af is not reading/using one or more of the auth details given to it.
Searching the request-response section I noticed that w3af DID try a login, but used values that look like they are a built-in default of the app - user is "John" and password is "Hello World".
I just wish to verify if my case is similar to the others mentioning the above error and if yes:
Thanks!
Eitan