Muffys,

On Thu, Nov 27, 2008 at 12:16 PM, Muffys Wump <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> I'm trying to crawl a web application using the w3af WebSpider plugin.
> The application uses a simple login form to authenticate users. After
> successful authentication the session id isn't stored inside a cookie,
> the id is instead part of the URL like this:
>
> https://foobar.../listinbox_en.jsp;[EMAIL PROTECTED]
> https://foobar.../listcounterpart_en.jsp;[EMAIL PROTECTED]
>
> In order to scan this application I set the target to the following URL/Host
> (using a valid session of course):
> https://foobar.../listinbox_en.jsp;[EMAIL PROTECTED]
>
> By looking at the URLs the WebSpider came up with, I see that the plugin never
> gets past the login form. I'm wondering if I'm doing something wrong or if
> the WebSpider isn't able to use the parameters inside the target URL
> correctly.
> If that's the case, is there a chance that this could be easily fixed? I'm
> also a developer and would be able to fix this with a little help
> (never done Python before).
>
> Any help or suggestions appreciated.

Interesting problem... kind of hard to fix... look at these tests I've just performed:

[EMAIL PROTECTED]:~/w3af/trunk$ python
Python 2.5.2 (r252:60911, Jul 31 2008, 17:28:52)
[GCC 4.2.3 (Ubuntu 4.2.3-2ubuntu7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import core.data.parsers.urlParser as urlParser
>>> qs = urlParser.getQueryString('http://localhost/abc?def=1;login=123')
>>> qs
{'login': '123', 'def': '1'}
>>> str(qs)
'login=123&def=1'
>>> qs = urlParser.getQueryString('https://foobar/listinbox_en.jsp;[EMAIL PROTECTED]')
>>> qs
{'login': '[EMAIL PROTECTED]'}
>>> str(qs)
'login=myemail%40address.com'
>>>

w3af is going to parse the login stuff correctly in the simplest case (first test I made) and incorrectly for the second test. I think that the problem is in the "getQueryString" function, and the way it parses the ";". I don't know if ";" is a valid separator just like "?". What's the RFC for URLs?

Let's suppose that you can make the parser work as you expect... the next step would be for the "str(qs)" to work also the way you expect, and separate name/value pairs with "?" instead of the expected "&".

My opinion: This case is rare but has to be included in some way into the framework. If you can code a patch... I'll apply it to the trunk after review.

Cheers,

> Thanks
>
-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
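
Added example, not part of the thread and not w3af code: RFC 3986 section 3.3 treats ";name=value" after a path segment as part of the path rather than the query, so a parser can keep the two apart and re-serialize each with its own separator. The function names, host and parameter values are made up for illustration; only parameters on the last path segment are handled, and ";" is also accepted as a query separator to match the first test in the reply.

```python
import re
from urllib.parse import urlsplit, urlunsplit, quote, unquote


def _pairs(raw, sep_regex):
    """Split 'a=1;b=2' into [(name, value)]; value is None without '='."""
    out = []
    for item in re.split(sep_regex, raw):
        if item:
            name, eq, value = item.partition('=')
            out.append((unquote(name), unquote(value) if eq else None))
    return out


def _join(pairs, sep):
    """Inverse of _pairs: percent-encode each piece and join with sep."""
    return sep.join(
        quote(n, safe='') + ('' if v is None else '=' + quote(v, safe=''))
        for n, v in pairs)


def parse_url(url):
    """Return (parts, base_path, path_params, query_params)."""
    parts = urlsplit(url)                       # urlsplit leaves ';' in the path
    head, slash, last = parts.path.rpartition('/')
    segment, _, raw_params = last.partition(';')
    return (parts, head + slash + segment,
            _pairs(raw_params, ';'), _pairs(parts.query, '[&;]'))


def build_url(parts, base_path, path_params, query_params):
    """Re-serialize: ';' joins path parameters, '&' joins query pairs."""
    path = base_path
    if path_params:
        path += ';' + _join(path_params, ';')
    return urlunsplit((parts.scheme, parts.netloc, path,
                       _join(query_params, '&'), parts.fragment))


def set_query_param(url, name, value):
    """Change one query parameter; the session id in the path is untouched."""
    parts, base, path_params, query = parse_url(url)
    query = [(n, v) for n, v in query if n != name] + [(name, value)]
    return build_url(parts, base, path_params, query)


# Constructed sample: host, parameter names and values are made up.
SAMPLE = 'https://foobar.example/app/listinbox_en.jsp;login=abc123?page=1'
```

A crawler or fuzzer that edits requests through something like set_query_param keeps the ";login=..." session token attached to the path instead of folding it into the "&"-joined query string.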