Olle,

On Wed, Mar 11, 2009 at 12:55 PM, olle <o...@nxs.se> wrote:
> Hi all!
>
> I am a security professional working with, among other things, large scale vulnerability assessments.
> While evaluating w3af for use in automated scanning of discovered webservers I found a couple of bugs.
>
> As Andres got fed up with being my personal support-monkey he suggested I join up here and discuss any further issues with the community. ;) Thus I have a bug to report in the 1.0-rc1 release.
>
> The webSpider module gets confused by Apache error pages and gets stuck in a loop as the log shows:
>
> New URL found by webSpider plugin: http://10.80.2.1/support/admin/Apache/Apache/1.3.23
> New URL found by webSpider plugin: http://10.80.2.1/support/admin/Apache/Apache/Apache/1.3.23
> New URL found by webSpider plugin: http://10.80.2.1/support/admin/Apache/Apache/Apache/Apache/1.3.23
> New URL found by webSpider plugin: http://10.80.2.1/support/admin/Apache/Apache/Apache/Apache/Apache/1.3.23
>
> Where /support/admin looks like:
>
> HTTP/1.1 403 Forbidden
> date: Mon, 09 Mar 2009 15:54:21 GMT
> transfer-encoding: chunked
> content-type: text/html; charset=iso-8859-1
> server: Apache/1.3.23 (Unix) PHP/4.1.2
>
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>403 Forbidden</TITLE>
> </HEAD><BODY>
> <H1>Forbidden</H1>
> You don't have permission to access /support/admin/
> on this server.<P>
> <HR>
> <ADDRESS>Apache/1.3.23 Server at xxx.xxx.xxx.xxx Port 80</ADDRESS>
> </BODY></HTML>

Hmmm, I haven't tested it, but I think that if you "svn update" your
"branches/1.0" directory, you'll find a version that fixes this bug. I
simply changed the way that w3af detects 404 pages. The default was
"autodetect", which has proven to suck in practice; now I changed it
to "by Directory And Extension".

If you are interested, this code is in "fingerprint404Page.py".

> I hope I can be of more use to the community in the future when I might actually have time to hunt down this type of bug and squash it. Also I have some ideas on how to improve certain modules (localFileInclude etc.) that I'd like to discuss in this forum. I'll also be sharing the results of my work-use of w3af with you soon...

We would really enjoy your input, feel free to send an email to this
mailing list any time!

/professional support monkey

> 'Til then,
>
> Cheers!
>
> /olle
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>



-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
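
The loop in the report and a per-directory, per-extension error-page check, as an added illustration that is not part of the original message and is not w3af's code or the contents of fingerprint404Page.py. The server stub, the link regex, the host name target.example and the similarity threshold are assumptions made for the example.

```python
import posixpath, re, uuid
from difflib import SequenceMatcher
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the reported server: every path answers 403 with
# an Apache-style body whose <ADDRESS> footer contains "Apache/1.3.23".
def fetch(url):
    body = ("<H1>Forbidden</H1>You don't have permission to access "
            f"{urlparse(url).path} on this server.<P><HR>"
            "<ADDRESS>Apache/1.3.23 Server at target.example Port 80</ADDRESS>")
    return 403, body

# Hypothetical loose link extractor: any "word/token" not already inside a path.
REL_LINK = re.compile(r"(?<![/\w])[A-Za-z]+/[\w.]+")

def crawl(start, is_error_page, limit=20):
    """Breadth-first crawl; stops after `limit` URLs so a loop stays visible."""
    seen, queue = [], [start]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.append(url)
        status, body = fetch(url)
        if is_error_page(url, status, body):
            continue  # never harvest links from an error page
        queue.extend(urljoin(url, rel) for rel in REL_LINK.findall(body))
    return seen

def status_only(url, status, body):
    return status == 404  # misses the 403 page, so its footer gets parsed

_probe_cache = {}

def by_dir_and_ext(url, status, body, threshold=0.9):
    """Compare the page with the response for a random name in the same
    directory with the same extension; near-identical means error page."""
    directory = url.rsplit("/", 1)[0] + "/"
    ext = posixpath.splitext(url)[1]
    if (directory, ext) not in _probe_cache:
        probe = directory + uuid.uuid4().hex[:8] + ext
        _probe_cache[(directory, ext)] = fetch(probe)[1]
    known = _probe_cache[(directory, ext)]
    return SequenceMatcher(None, known, body, autojunk=False).ratio() >= threshold

START = "http://target.example/support/admin/"
if __name__ == "__main__":
    print(len(crawl(START, status_only)), "URLs visited with status-only detection")
    print(len(crawl(START, by_dir_and_ext)), "URL visited with the directory probe")
```

With status-only detection the crawl only stops at its URL limit, reproducing the growing `/Apache/Apache/...` paths from the log; with the probe it stops at the first page.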
