On 30.03.2014 18:23, Andres Riancho wrote:
> That came out a little bit rude... let me rephrase that
oops, sorry.
It just happened while I tried to run w3af on a second, older (than 1 month ;-)
system, and it failed totally.
My apologies
Achim
Andrés, Taras,
it would be nice to get a w3af which runs on plain old unpatched systems.
I.e. not everyone has, or can, or would like to install a bunch of python
gimmicks on her/his system to get one single tool running (potentially
breaking others).
Is there any way that w3af contains anything
On 22.05.2013 16:42, Vint Surf wrote:
> Will the open relay qualification be applicable for the HTTP Host Header
> exploit or another?
there is an open relay if the server accepts a FQDN in the GET or POST method
(URL line), this has nothing to do with the Host: header at first glance.
This was
Hi Andrés,
sounds like fuzzer.py is what I asked for. Thanks.
Questions now are:
1. how can a private file be used there?
2. how to use a dynamically generated file there?
Ciao,
Achim
On 15.05.2013 15:41, Andres Riancho wrote:
> Achim,
>
> On Wed, May 15, 2013 at 9:53 AM, Achim
Hi Vint,
see my comments/answers inline.
Achim
On 16.05.2013 18:12, Vint Surf wrote:
> Responses in-line. Thanks!
>
>> I'm thinking in order to determine if HTTP host header can be exploited,
> we
>> would need to:
>> A) determine if SERVER_NAME, HTTP_HOST, or both have values
>> B) verify
Hi all,
I'm searching for a plugin which can multiple encode a payload.
Does such a thing exist in w3af?
The idea is as follows:
given the url like
/path/fooxss/other
I want to test these variants:
/path/fooxss/other
/path/foo%3Cu%3Exss/other
/path/foo%25
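A generator for the variants listed above, as an added example that is not code from w3af or from the message; the path, marker and payload are the ones in the message, the function names and the extra HTML-entity variant are mine:

```python
from urllib.parse import quote


def encoding_variants(payload):
    """Return the payload in the encodings a fuzzer would try: raw, URL-encoded,
    double URL-encoded (the %25.. form, for targets that decode twice) and
    HTML numeric entities (for reflections into HTML bodies)."""
    single = quote(payload, safe="")
    return {
        "raw": payload,
        "url": single,
        "url2": quote(single, safe=""),
        "entity": "".join(f"&#x{ord(c):x};" for c in payload),
    }


def path_variants(path, marker, payload):
    """Insert `payload` directly after the first `marker` in `path`, once per
    encoding, e.g. /path/fooxss/other -> /path/foo%3Cu%3Exss/other."""
    idx = path.index(marker) + len(marker)
    return {name: path[:idx] + enc + path[idx:]
            for name, enc in encoding_variants(payload).items()}


def reflected_forms(body, payload):
    """Which encodings of `payload` occur in a response body.  Sending the
    'url2' variant and seeing 'raw' come back means the target decoded twice,
    which is exactly the case a multi-encoding test is looking for."""
    return [name for name, enc in encoding_variants(payload).items() if enc in body]


if __name__ == "__main__":
    for name, url in path_variants("/path/fooxss/other", "foo", "<u>").items():
        print(f"{name:7} {url}")
```

The `reflected_forms` check is meant to be run on the body returned for each variant; only the pairing of sent variant and reflected form tells you how many decoding passes the target applies.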
Hi Andrés
I've already compiled a short list of variants of the host header attack.
Some of them are simple to build, some of them are more tricky. The same holds
for the checks to be implemented to identify the vulnerability.
The most tricky part will be that you often need 2 or 3 requests and then
com
On 14.09.2012 18:42, Andres Riancho wrote:
> Achim,
>
> On Fri, Sep 14, 2012 at 1:18 PM, Achim Hoffmann wrote:
...
>> What w3af can do is to provide a parameter where to specify cookie names
>> to be ignored. But be prepared for a huge name-checking-nightmare as
>>
I'd qualify any cookie without the httponly flag as a "finding", at least a warning.
The developer, or the application owner needs to select those which need it
and those which don't.
Even if it is "only a tracking" cookie, modification of the value may be
harmful somewhere.
What w3af can do is to pro
LOL, [0] is a nice example of why blacklists are no good for data validation;
even worse in this example is that it tries data sanitisation.
So a fuzzer (like w3af) should test each character on its own. In this case
checking " ' ` \ would be sufficient. A more sophisticated test would also try
(URL-cod
Note that the OWASP page [1] (see below) is just an excerpt of Adar's original
paper.
http://www.checkmarx.com/white_papers/redos-regular-expression-denial-of-service/
Andrés, I don't have a solution for python, but you can use the regex and patterns
as described in https://github.com/E
On 01.08.2012 20:40, Andres Riancho wrote:
> Ping! Someone can help me out?
maybe this helps:
https://github.com/EnDe/ReDoS
not for python, but you get at least some regex and patterns ;-)
Achim
>
> On Thu, Jul 26, 2012 at 1:59 PM, Andres Riancho
> wrote:
>> Lists,
>>
>> I'm tr
On 27.06.2012 08:56, Taras wrote:
...
>>> >>
>>> and browser will eat it and render hr!
>>
>> Ahh! Nice. That works in all browsers?
> At least in Firefox, Opera and Chrome!
you can test more such things with EMiR https://github.com/EnDe/EMiR/
let me know if you need assistance :)
Achim
-
I'd use the first two and the last parameter, so there are max. 3
If performance counts, the user should decide what to do:
a) use the first two
b) use first and last
c) check first a) then b)
Achim
On 08.06.2012 15:50, Stephen Breen wrote:
> I think your idea of having an upper limit on N
On 20.05.2012 16:38, Andres Riancho wrote:
> Achim, Taras,
...
>> openssl uses CA from directory ssl/certs, which depends on the system
>> you started openssl (most likely /etc/ssl/certs on *ix)
>> you may try
>> openssl ca
>> to get an idea
>>
>> Note that your OS may do house keeping for these
On 19.05.2012 17:20, Andres Riancho wrote:
> Taras,
>
> On Sat, May 19, 2012 at 2:52 PM, Taras wrote:
>> Andres,
>>
>>
>>> - Just to make things clear regarding the static nature of it, I would
>>> move self._min_expire_days to the module level and call it
>>> MIN_EXPIRE_DAYS
>>
>> Hmm, I want
On 17.05.2012 20:21, Taras wrote:
>
> [0] http://code.google.com/p/sslyze/
hmm, take care. When I last tested sslyze.py against mail.google.com,
it did not report that mail.google.com allows the following ciphers:
ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA,
ECDHE-RSA-RC4-SHA
ju
On 11.04.2012 17:50, Andres Riancho wrote:
...
> Let me explain what is going on here and what your patch is doing:
> #1 In the current trunk version, w3af's webSpider is parsing the
> index.php file you sent and identifies many links, most of them
> variants of each other. Before returning t
Andrés, Taras,
please see inline below.
Achim
On 29.02.2012 20:34, Andres Riancho wrote:
> On Tue, Feb 28, 2012 at 5:36 PM, Achim Hoffmann wrote:
>> Taras, Andrés,
>>
>> first of all CSRF is not limited to
>> - requests with parameters
>> - POST requests
Taras, Andrés,
first of all CSRF is not limited to
- requests with parameters
- POST requests
- GET requests
- requests with cookies
- requests for authenticated sessions
more details, see inline below
Achim
On 28.02.2012 20:42, Andres Riancho wrote:
> Taras,
>
> On Tue, Feb 28, 20
On 16.02.2012 23:50, Andres Riancho wrote:
> Achim,
>> escaped or removed angle braces:
>>continue with tag or attribute injection
>
> If and only if we're not in a TEXT (TEXT) section, because
> we're never going to be able to execute JS if we don't create some
> kind of new tag and are in
Hi Andrés,
I'd start with the following (the payload literally):
uniqew3afid"' foo=bar -->
The goal is to detect XSS in most variants, so how it works:
uniqew3afid - find the payload in the response (reflected)
"' - test if single and/or double quotes are encoded
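One way to evaluate that probe once the response is back, as an added example that is neither w3af code nor part of the message: it locates every reflection of the unique id and reports, for each special character of the tail, whether it came back raw, backslash-escaped, as an HTML entity, or not at all. The probe strings are the ones from the message; the function names, the "escaped" category and the treatment of a missing character as stripped by a filter are my assumptions.

```python
import re
from html import unescape

PROBE_ID = "uniqew3afid"          # unique marker from the message
PROBE_TAIL = "\"' foo=bar -->"    # the rest of the probe from the message
SPECIALS = set("\"'=<>")          # characters whose survival decides the context

ENTITY_RE = re.compile(r"&(?:#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def _consume(window, pos, ch):
    """How `ch` shows up at window[pos]: raw, backslash-escaped (JS string
    context), an HTML entity that decodes to it, or missing.  Returns the
    status and the position after the consumed text."""
    if window.startswith(ch, pos):
        return "raw", pos + 1
    if window.startswith("\\" + ch, pos):
        return "escaped", pos + 2
    m = ENTITY_RE.match(window, pos)
    if m and unescape(m.group(0)) == ch:
        return "encoded", m.end()
    return "missing", pos


def analyse_reflection(body, probe_id=PROBE_ID, tail=PROBE_TAIL):
    """For every reflection of the probe, report the fate of each special
    character of the tail.  A missing character is assumed to have been
    stripped (not substituted), so matching continues at the same position
    and the remaining characters are still classified."""
    reports = []
    for m in re.finditer(re.escape(probe_id), body):
        window = body[m.end():m.end() + 8 * len(tail)]   # slack for entity expansion
        pos, chars = 0, {}
        for ch in tail:
            status, pos = _consume(window, pos, ch)
            if ch in SPECIALS:
                chars[ch] = status
        reports.append({"offset": m.start(), "chars": chars})
    return reports


def raw_specials(reports):
    """Special characters that came back unchanged in at least one reflection,
    i.e. the ones an XSS payload for this injection point may use."""
    return sorted({c for r in reports for c, s in r["chars"].items() if s == "raw"})


if __name__ == "__main__":
    # constructed sample response: reflection inside an attribute value
    sample = '<input value="uniqew3afid&quot;&#39; foo=bar --&gt;">'
    for report in analyse_reflection(sample):
        print(report)
```

Only a `raw` status for `"` or `'` is interesting inside an attribute value, and only a raw `>` matters for breaking out of a comment; an `escaped` status points at a JavaScript string context, where a different follow-up probe is needed.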
On 08.02.2012 16:30, Andres Riancho wrote:
[snip]
> Some bad things I see in our installation process is that our code
> is focused on guiding the users of Debian based distributions; which I
> see as incomplete and useless for people running the installation in
> RedHat/Fedora based distri
First: I'm no python guru
but this seems to be one of python's oddities when dealing with ttys or
terminals.
Try something like:
python -c 'print u"\xe4"'
python -c 'print u"\xe4".encode("utf-8")'
python -c 'print u"\xe4".encode("utf-8")' | od -x
python -c 'print u"\u2aac".encode("utf-
did you mean UTF-8 when writing Unicode?
Sorry for the silly question
Achim
On 27.01.2012 10:09, Taras wrote:
> Hi, all!
>
> Right now I'm testing trunk version of w3af against some Unicode web
> applications. Good example of such webapp is http://slovari.yandex.ru
> You can use webapp on you
On 09.01.2012 20:54, Andres Riancho wrote:
...
> You paranoid, tinfoil hat man! :P
> http://www.keeptalkinggreece.com/wp-content/uploads/2011/09/tin-foil-hat.jpg
s/man/cat/
Where did you get that picture from me?
:-))
Regarding paranoid: if you use w3af in a closed environment without any
wir
On 09.01.2012 16:54, Javier Andalia wrote:
> On Mon, Jan 9, 2012 at 12:35 PM, Johannes Weberhofer <
> jweberho...@weberhofer.at> wrote:
>> Additionally, I have noticed that all .svn directories are
>> packaged in the tar file - those might be dropped in the future, too.
>>
>>
> Not in
On 23.12.2011 02:16, Andres Riancho wrote:
> Taras,
>
> On Wed, Dec 21, 2011 at 6:07 AM, Taras wrote:
>>> #APR: Do we want to call _createUrlPartsMutants for all freq? Does it make
>>> sense to fuzz the URL when
>>> there are query string parameters? Hmmm... we should think about this.
>>
>>
On 16.11.2011 15:37, Andres Riancho wrote:
> Achim,
>
> On Tue, Nov 15, 2011 at 10:34 AM, Achim Hoffmann wrote:
>> Hi all,
>>
>> I fully agree with Taras.
>>
>> Question before I dig deeper:
>> does w3af currently identify (correctly) which
Hi all,
I fully agree with Taras.
Question before I dig deeper:
does w3af currently identify (correctly) which parts of the URL
are the INFO_PATH (actually tartofdefence.com h/bar/123 part, see
below)?
Achim
On 15.11.2011 14:25, Taras wrote:
> Hi, all!
>
> Andres, when I ha
Andrés,
> REST, as described in [0], has two important moving parts:
...
> 2- Heavy usage of HTTP methods like GET, POST, DELETE, PUT.
IMHO testing and/or fuzzing HTTP methods is independent of REST.
If fuzzing methods becomes a feature, then there are more methods to
be tested, like:
e it as simple as possible, but no simpler" - Albert Einstein
>
>> On Wed, Oct 19, 2011 at 6:05 PM, Achim Hoffmann wrote:
>>> how about one of:
>>>
>>> ./w3af_console -p Profile -start
>>> ./w3af_console -p Profile -run
>>&g
how about one of:
./w3af_console -p Profile -start
./w3af_console -p Profile -run
./w3af_console -p Profile -exec
{-: Achim
Hi all,
Thanks all for your work.
Just started testing with the stable release.
Got the following question:
the request shown in "Manual Request" and "Fuzzy Request" does
not use the value for the User-Agent as specified in
"Configuration HTTP Settings"
Is this a bug or f
Hi,
when starting the GUI, it tries to connect to w3af.sf.net and check
for updates.
Is there any configuration or startup option to disable this behaviour?
Ciao,
Achim
Hi all,
I'd also like to have a simple "grep"-plugin like (and including) host-extract.
Regarding the protocol part, keep in mind that some systems support much
more than just (ht|f)tps? . You also may find (ldap|smb|smtp|ssh)://
and many, many more.
How about using a regex to identify them: ([a-
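A regex along those lines, as an added example and not code from w3af or from the message: the scheme pattern follows the RFC 3986 grammar (a letter, then letters, digits, `+`, `-` or `.`), so it catches any scheme rather than a fixed list, and the body stops at whitespace and at the quote and bracket characters that close HTML and JavaScript contexts. The sample page text, the function names and the optional skip list are mine.

```python
import re

# Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).  The part
# after "://" ends at whitespace or at a character that closes the context
# the reference was embedded in.
SCHEME_URL_RE = re.compile(r"""\b([a-z][a-z0-9+.\-]*)://([^\s"'<>)]+)""", re.IGNORECASE)

# Constructed sample response body: one HTTP link plus references to other
# protocols hidden in a comment, a script and plain text.
SAMPLE_BODY = """
<a href="https://www.example.com/login">login</a>
<!-- ldap://ldap.corp.example:389/dc=example,dc=com -->
var share = "smb://fileserver.corp.example/public";
mail goes through smtp://mx1.corp.example:25, backups via ssh://backup@10.0.0.5:22/srv.
"""


def extract_urls(text, skip=frozenset()):
    """Return (scheme, authority) pairs for every scheme://... reference in
    `text`, in document order.  `skip` lists schemes handled elsewhere (e.g.
    the plain http/https links a spider already follows)."""
    found = []
    for m in SCHEME_URL_RE.finditer(text):
        scheme = m.group(1).lower()
        if scheme in skip:
            continue
        rest = m.group(2).rstrip(".,;:")           # trailing punctuation of the sentence
        authority = rest.split("/", 1)[0].split("?", 1)[0]
        found.append((scheme, authority))
    return found


def schemes_seen(text):
    """Sorted set of distinct schemes, handy for a one-line finding per page."""
    return sorted({scheme for scheme, _ in extract_urls(text)})


if __name__ == "__main__":
    for scheme, authority in extract_urls(SAMPLE_BODY, skip={"http", "https"}):
        print(f"{scheme:5} {authority}")
```

The authority part is kept verbatim, so user names and ports (`backup@10.0.0.5:22`) survive; a host-extract style plugin would report those as infrastructure leaks, not follow them.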
Hi,
first of all: please state unambiguously in the "Encode/Decode" window that
all characters keyed in or pasted are UTF-8.
This is very important if someone tries to copy&paste data from/to browsers
which use UCS-2.
That said, here are some oddities you'll stumble over:
1. in the Encode area type
On Wed, 31 Mar 2010, Andres Riancho wrote:
...
!! On Wed, Mar 31, 2010 at 5:34 AM, Achim Hoffmann wrote:
...
!! > I guess you'll unintentionally start a philosophic discussion here.
...
!! When I started the project I used camelCase everywhere. Now, I'm
!! start
Hi Taras,
I guess you'll unintentionally start a philosophic discussion here.
!! - afd
!! - allowedMethods
!! - archiveDotOrg
!! - bing_spider
!! - content_negotiation
!! ...
!!
!! We can see 2 different naming styles here.
!! Also in code we can see the same: some methods called as
!! foo_acti
Andres Riancho wrote on 12.01.2010 12:15:
> Ulises,
>
> On Tue, Jan 12, 2010 at 7:41 AM, Achim Hoffmann wrote:
>> Ulises2k wrote on 11.01.2010 22:04:
>>> Boys,
>>> w3af 1.0 rc3 TESTING
>>>
>>> http://www.ulises2k.com.ar/files/w3af 1.0 rc3 (te
Ulises2k wrote on 11.01.2010 22:04:
> Boys,
> w3af 1.0 rc3 TESTING
>
> http://www.ulises2k.com.ar/files/w3af 1.0 rc3 (testing) setup.exe
>
> Could you test w3af and tell me the bugs?
Hi Ulises,
installed from scratch, no problem.
Starting the GUI gives an error
Unknown plugin select
Floyd, Andres,
can someone please enlighten me on the purpose of the FormFiller,
before I start posting unqualified comments.
Is it just to fill forms with some kind of useful values so that
w3af gets to the next step in the application?
Or is it some kind of fuzzing of the form?
For the first (some useful
!! - Append the cookie parameter to the URL:
!! * /the/url/?id=1&PHPSESSID=w3af-session-fixation
!! * /the/url/?id=1&FOOBAR=w3af-session-fixation
Hi Andres,
Session Fixation can be done in more than just this way. For example:
* /the/url;jsessionid=w3af-session-fixation/?id=1
* /th
Best regards
Achim
On Sun, 15 Nov 2009, Andres Riancho wrote:
!! > So, identifying length limits, hidden values and constants (i.e. select
options)
!! > is a good idea and can be feed to a fuzzer plugin to make more
sophisticated
!! > tests.
...
!! > Does this make sense?
!!
!! Yes, a lot
Taras wrote on 11.11.2009 13:06:
> The example with maxlength is not good.
> Such validation is usually made in JavaScript.
> What should we do in such a situation?
> My point of view is we do not need to pay so much attention to client side
> *security* validation because it is not so trivial but at same
Hi Andres, Jon,
On Thu, 11 Jun 2009, jrose wrote:
!! Hey Andres,
!! I was thinking just a small or medium sized list, using an external file.
a "small" file (~60,000 entries) is provided by jbruzz.
dirbuster (with which this thread started) has huge files (>2^30).
> If a user wants to
!! supply their
Andres,
your suggestion with mutants sounds better than mine with a table of
payloads.
The only thing to be defined is the number and type of mutants being
generated, that must be configurable somehow.
Achim
--
Register
Hi all,
Kevin, nice idea.
I'll try to improve that and write a plugin to detect if a
webapp switches from URL rewriting to cookies or vice versa.
The idea is:
send url with session parameter
check if the webapp sends Set-Cookie with that value
If Set-Cookie comes back with preset value, we also
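The two halves of that check in code, as an added example that is not w3af code and not part of either message: the URL variants are the ones from the session fixation message above (query parameter and `;jsessionid=` path parameter), plus the ASP.NET cookieless form `/(S(id))/`, and the response side looks for a Set-Cookie that echoes the preset value. The marker value is the one from the message; the function names, the sample URL and the sample headers are mine.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FIXED = "w3af-session-fixation"   # preset value from the message


def fixation_urls(url, name="PHPSESSID", value=FIXED):
    """URL variants that try to preset a session id before the first visit."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    path = parts.path
    trailing = "/" if path.endswith("/") else ""
    return {
        # /the/url/?id=1&PHPSESSID=...
        "query": urlunsplit(parts._replace(query=urlencode(query + [(name, value)]))),
        # /the/url;jsessionid=.../?id=1  (servlet containers read path parameters)
        "path_param": urlunsplit(parts._replace(
            path=f"{path.rstrip('/')};{name}={value}{trailing}")),
        # /(S(...))/the/url/?id=1  (ASP.NET cookieless sessions)
        "aspnet": urlunsplit(parts._replace(path=f"/(S({value})){path}")),
    }


def set_cookie_values(headers):
    """Map cookie name -> value from (header-name, header-value) pairs; the
    first name=value pair of each Set-Cookie is the cookie, the rest attributes."""
    found = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, sep, val = hvalue.split(";", 1)[0].partition("=")
        if sep:
            found[name.strip()] = val.strip()
    return found


def accepts_fixed_session(headers, value=FIXED):
    """Names of cookies the server set to the value we chose: each one is a
    session-fixation candidate, because the application adopted an id it did
    not generate itself instead of issuing a fresh one."""
    return [n for n, v in set_cookie_values(headers).items() if v == value]


if __name__ == "__main__":
    for kind, u in fixation_urls("https://example.com/the/url/?id=1", "jsessionid").items():
        print(f"{kind:10} {u}")
    # constructed response headers for the path_param request
    headers = [("Content-Type", "text/html"),
               ("Set-Cookie", "JSESSIONID=w3af-session-fixation; Path=/; HttpOnly")]
    print("fixation candidates:", accepts_fixed_session(headers))
```

A match on `accepts_fixed_session` only shows that the id was accepted; whether it is also valid after login (the exploitable case) needs a second request with that cookie after authenticating, which is the multi-request part the message goes on to discuss.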
On Thu, 7 May 2009, Andres Riancho wrote:
!! On Wed, May 6, 2009 at 11:51 AM, Achim Hoffmann wrote:
!! > all the requests reported by the dav-method plugin are shown as
!! > GET
!! > even the description shows multiple DAV methods, the request is always
!! > GET. Is this correct? I
The knowledge base under the results tab is a very useful sheet to
get quick information about the total findings.
Unfortunately some plugins show their findings in different ways.
For example:
> strangeHeaders (1)
> strangeHeaders (2)
! Strange header
! Strange header
> s
Some requests are missing in the output logfiles. I guess that are requests
which timed out.
That would not be a problem, but some plugins (at least seen in the dav-method plugin)
refer to the id of such requests and then show an empty request and response
tab.
As the information is missing, I can't debu
all the requests reported by the dav-method plugin are shown as
GET
even the description shows multiple DAV methods, the request is always
GET. Is this correct? It's at least confusing, and the reported request
is useless (according to the description).
Achim
while browsing through the requests reported by the dav-methods plugin
I detected that the plugin seems to send the request without the
specified UA, at least the listed request does not contain the
UA header. This is for most, but not all requests.
I guess this is a bug, somehow.
Achim
--
Hi Andres,
another nasty thing.
I'll explain first, then see the corresponding debug.
Tried to write a fix, but it seems not that simple without understanding
how w3af works.
Here we go:
* a requests returns with a 302 status response (including a Location
header)
* the given FQDN in t
Andres,
sometimes (mainly after changing the Scan config) the [Clear] or
[Start] button right to the target URL is disabled.
Nothing seems to enable it again.
I've to close w3af GUI and start again.
Any ideas?
Achim
!! > File "D:\Programs\w3af\core\data\kb\info.py", line 168, in
_convert_to_range
!! > respomse_string += ' ' + self._convert_to_range()
!! > RuntimeError: maximum recursion depth exceeded
!! >
!!
!! I got that message some times before, but I failed to debug it
!! properly. Could you pl
Hi Andres,
On Wed, 6 May 2009, Andres Riancho wrote:
!! It means that a request performed by w3af, returned an error 500, but
!! this request/response pair could not be associated with a specific
!! vulnerability like "SQL injection". w3af warns you in order for you to
!! manually check this reso
got 100s of the following message in the console window right before the w3af GUI
crashed:
File "D:\Programs\w3af\core\data\kb\info.py", line 168, in _convert_to_range
respomse_string += ' ' + self._convert_to_range()
RuntimeError: maximum recursion depth exceeded
Achim
---
what does the following mean?
[ 05/06/09 12:36:03 - vulnerability ] An unidentified web application error was
found at: "https://some.tld/report_popup.jsp";. Enable all
plugins and try again, if the error still is not identified, please verify
mannually. And report it to the w3af developers. This
Hi Andres,
got a buggy charset in a meta tag, which forced the following:
---
[ 05/06/09 11:09:40 - debug ] GET https://some.tld/some.do?WSDL returned HTTP
code "204"
[ 05/06/09 11:09:40 - debug ] Unhandled exception in xUrllib._send(): unknown
encoding: utf-81
[ 05/06/09 11:09:40 - debug ]
Hi Andres,
got the following debug output when using the robotsreader plugin
[ 05/06/09 11:09:41 - information ] A robots.txt file was found at:
"https://some.tld/robots.txt";. This information was found in the request with
id 17.
[ 05/06/09 11:09:41 - error ]
[ 05/06/09 11:09:41 - error ]
On Thu, 30 Apr 2009, Andres Riancho wrote:
!! Achim,
!!
!! On Thu, Apr 30, 2009 at 4:52 AM, Achim Hoffmann wrote:
!! > Hi all,
!! >
!! > while scanning a site, all findings are reported sorted well in the
Results ->
!! > KB Browser tab.
!! > In the information window
On Thu, 30 Apr 2009, Andres Riancho wrote:
!! On Thu, Apr 30, 2009 at 7:31 AM, Achim Hoffmann wrote:
!! >
!! > On Thu, 30 Apr 2009, Achim Hoffmann wrote:
!! > !! it seems to be just the GUI which freezes.
!! > !! The symptoms are:
!! > !! * GUI does not refresh if you click on t
On Thu, 30 Apr 2009, Andres Riancho wrote:
!! Achim,
!!
!! On Thu, Apr 30, 2009 at 5:26 AM, Achim Hoffmann wrote:
!! > How about the following enhancements.
!! >
!! > why do we need spaces there?
!! > id=42
!! > should be good enough for any DB
!!
!! hehe, yes, good finding, i
On Thu, 30 Apr 2009, Achim Hoffmann wrote:
!! it seems to be just the GUI which freezes.
!! The symptoms are:
!! * GUI does not refresh if you click on the window frame (means that it does
!! not get the event, somehow)
!! * it take 5-10 minutes 'til the GUI responds again
!! * the
How about the following enhancements.
why do we need spaces there?
id=42
should be good enough for any DB
Also, is it possible to use regex there?
At least simple regex would be more intuitive than SQL-like (at least to me :)
id=4[23]
id=4[2-4]
url/(foo|bar).html?/
Achim
Hi all,
while scanning a site, all findings are reported sorted well in the Results ->
KB Browser tab.
In the information window top right we read something like:
The remote web server
This Information was found in the requests with ids 42, 4242, ...
How about adding a simple button t
Andres Riancho
To: Achim Hoffmann
Cc: w3af-develop@lists.sourceforge.net
Subject: Re: [W3af-develop] w3af hangs ..
!! > As w3af scans now, the GUI does not respond anymore.
!! > How to pause/stop the scan?
!!
!! No way, if the GUI freezes... you are fucked :S
!! Could you send m
!! For what you've sent me privately, I think that what's happenning here
!! is that your profile is disabling all output plugins, including the
!! console output plugin. If you disable the console output plugin,
!! nothing else after the "start" is printed out. Please perform some
!! tests enablin
!! On Tue, Apr 28, 2009 at 11:37 AM, Andres Riancho wrote:
!!
!! For what you've sent me privately, I think that what's happenning here
!! is that your profile is disabling all output plugins, including the
!! console output plugin. If you disable the console output plugin,
!! nothing else after t
When I configure a scan and start it, it immediately hangs; this happens in the GUI
and console. In the GUI I see a message like:
Server uses 200 instead of HTTP 404 error code.
No log files are written.
GUI and console have to be killed with the task manager.
python 2.2 r252:60911
w3af 1.0-rc[12]
Any
!! You may use my talk from OWASP NYC which was video recorded as a base.
Is there something about w3af at the upcoming OWASP AppSec2009 and/or
CONFidence in Krakow?
maybe you get some more (leet-correct :) ideas here
https://addons.mozilla.org/firefox/addon/770
Achim
On Mon, 23 Mar 2009, Andres Riancho wrote:
!! On Mon, Mar 23, 2009 at 7:43 PM, dblackshell wrote:
!! > e - 3
!! > i - 1
!! > o - 0
!! > a - 4
!! >
!! > i've never seen s - 5 ?
!!
!! Damn.
!! > Either the contacted web server acts as a open proxy or passes the request
to
!! > the extranet host.
!!
!! No, the web server
how do you know which "web server" responded, the connected one, target or
extranet?
IIRC you need additional fingerprinting to identify this more closely.
Achim
Andres,
!!GET https://target/ HTTP/1.1
!!Host: extranet
!!
!! > When a server redirects requests with a 302, vhost discovery gets confused.
!!
!! So the bug is basically that w3af follows 302 redirects off-site.
!! This could potentially be problematic in other cases as well.
!!
!! This bug also means that you get false positives for vhost discovery when
On Thu, 5 Feb 2009, Andres Riancho wrote:
!! And checking if the response was different; but... all this
!! thinking wasn't in useles! What I want to do now is to create a new
!! plugin, that tries to find new parameters for a given php/asp/etc
!! script.
This is in general a good idea and should b
!! I WANT to match '10.1.1.2' in '123_10.1.1.2a'! I'm sorry if I gave you
!! a wrong idea.
!! What I DON'T want to match is '10.1.1.222' in '10.1.1.', do you
!! get the slight difference?
And how about: ad...@10.1.1.2
or
and many more.
So I'd at least allow the IP to be prefixed by [/@<"']
!! a web application, the vulnerability was the classic
!! index.php?filename=/etc/passwd that let's you read the content of any
!! attack.localFileReader: basically you only have one command, "cat",
!! which allows you to print the content of a file using a local file
Andres,
unless I missed so
On Sun, 23 Nov 2008, Andres Riancho wrote:
!! Well, w3af detects the web application vulnerabilities and exploits
!! them. It's different from metasploit/canvas/impact in many ways. The
!! most important one is that we don't exploit "apache" vulnerabilities
!! like format strings and buffer overfl
!! I started to code a w3af extension to detect blind sql injections this
!! way, and I realized that CONCAT only works on mysql (doh! , that
are you sure? IIRC MySQL 3.x does not support CONCAT.
!! http://some.tld/?id=1+1-1
And here we ask how + was encoded and what the application assumed it
t
!! > work (return the same result) but
!! >?id=2+0
!! >?id=1+1
!! > fail.
!!
!! Out of curiosity, did you correctly encode the '+' char?
%2b
anyway, it's just an observation I made, not a general rule.
-
Thi
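What the two messages above are circling around, shown as an added example that is not w3af code and not from either message: a query string is decoded by the server before the value ever reaches the SQL statement, and in that decoding a literal `+` becomes a space while `%2b` becomes `+`. The first function decodes a query string the way a typical server does (Python's `parse_qs`, which I take as representative); the second builds arithmetic probes for a numeric parameter with the `+` encoded so it survives. The probe expressions and the function names are mine.

```python
from urllib.parse import parse_qs, quote


def server_sees(query_string):
    """Decode a query string as a typical web server does: '+' becomes a
    space and %XX sequences are decoded once.  Single-valued for brevity."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def numeric_probes(param, value):
    """Arithmetic probes for a numeric parameter.  If the value is used
    unquoted in SQL, every 'same' probe must return the original page and
    every 'different' probe another one; '+' is percent-encoded so that
    the server decodes it back to '+' instead of turning it into a space."""
    n = int(value)                               # raises for non-numeric originals
    same = [f"{n}+0", f"{n}-1+1", f"{n + 1}-1"]
    different = [f"{n}+1", f"{n + 1}+0"]
    encode = lambda expr: f"{param}={quote(expr, safe='')}"
    return {"same": [encode(e) for e in same],
            "different": [encode(e) for e in different]}


if __name__ == "__main__":
    # the unencoded form from the message: the server gets "1 1-1", not "1+1-1"
    print(server_sees("id=1+1-1"), server_sees("id=1%2b1-1"))
    for kind, probes in numeric_probes("id", "1").items():
        for p in probes:
            print(f"{kind:9} {p:14} -> {server_sees(p)['id']}")
```

Whether a `same` probe really returns the same page is an observation about the target, not a rule, as the message says: a DBMS may be strict about the expression, or the parameter may be quoted or cast before it reaches the query.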
!! oh, ok. Now I get your idea.
!! So... one more point to "1 AND 1=1" instead of "1 AND 1=1;--" , mainly
!! because the first one works on every database, and the second one may
!! or may not work on the database.
Keep in mind that the ; terminates the query in some SQL (MySQL >4.1,
Oracle, ...)
!! > query strings like: ?id=1+0 is enough on numerical values (as well as:
!! > ?id=CONCAT('str','ing') on strings)
!!
!! You are fuc right! I never thought about that... hmmm. So what I
!! could do is just:
!!
!! Original: ?id=1
!! Fuzzed: ?id=1-1+1
I slightly disagree.
I often see applica
!! fuzzing, guessing... almost the same =)
:-]
!! > !! Original: select * from users where (a = $id);
!! > !! Injected 1: select * from users where (a = 1 and 1 = 1); ---> syntax
ok
!! > !! Injected 2: select * from users where (a = 1 and 1 = 1--); --->
!! > !! invalid syntax
!! >
!! > ye
!! > Ok these looks good, but i think is not enough for blind sql injection.
!! > What about appending the comment string ( -- / # )?
maybe you get some more ideas, see the (incomplete) list here
http://ende.my-stp.net/sqlPattern.xml
(best viewed with http://ende.my-stp.net/EnDe.html :)
!!