I tried to use w3af's webSpider with a test site that uses basic
authentication and it never authenticated. I verified this in the server
logs and with a packet capture. I tried with multiple targets, IIS6
(Win2003) and IIS7.5 (Win7). I sniffed the traffic and I never saw an
authentication attempt. It was therefore unable to spider the site either. I
dug into the code a bit but couldn't find anything. I was able to use curl
to confirm the site works.

The "myrealm" has been changed in the output below, but it is the same as
the domain.

Curl:
curl --basic --user myuser:Password1 http://192.168.40.1/default.htm

Sniffed 401 header response from server:
WWW-Authenticate: Basic realm="myrealm"

Here is the source script:
plugins
discovery webSpider
output console
back
http-settings
set basicAuthUser myuser
set basicAuthPass Password1
set basicAuthDomain myrealm
back
target
set target http://192.168.40.1/default.htm
back
start

Output:
w3af>>> start
Auto-enabling plugin: grep.httpAuthDetect
The resource: "http://192.168.40.1/default.htm"; requires authentication. The
realm is: "Basic realm="myrealm"". This information was found in the request
with id 1.
Found 1 URLs and 1 different points of injection.
The list of URLs is:
- http://192.168.40.1/default.htm
The list of fuzzable requests is:
- http://192.168.40.1/default.htm | Method: GET
Finished scanning process.

--Tim Medin
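As an added example (not code from the post or from w3af), here is the Basic challenge/response the post describes, run against a local stand-in server that records every Authorization header it receives, so a client can be judged the way the post judges w3af: by what the server side logs. The realm, user and password are the post's placeholder values, the server is a constructed stand-in for the IIS host, and only the Python 3 standard library is used.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values mirroring the post: the realm placeholder and the curl
# credentials. The handler below stands in for the IIS host.
REALM = "myrealm"
USER, PASSWORD = "myuser", "Password1"
EXPECTED_AUTH = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class BasicAuthHandler(BaseHTTPRequestHandler):
    seen = []  # Authorization header of each request (None if absent): the 'server log'

    def do_GET(self):
        auth = self.headers.get("Authorization")
        BasicAuthHandler.seen.append(auth)
        if auth != EXPECTED_AUTH:  # challenge until the exact credential arrives
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the request log quiet

def run_exchange(send_credentials):
    """Fetch /default.htm once; return (final status, headers the server saw)."""
    BasicAuthHandler.seen = []
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/default.htm"
    if send_credentials:  # same challenge/response as curl --basic --user
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, url, USER, PASSWORD)
        opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    else:
        opener = urllib.request.build_opener()
    try:
        with opener.open(url) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 401 when no credential is ever sent
    server.shutdown()
    server.server_close()
    return status, list(BasicAuthHandler.seen)
```

`run_exchange(True)` records the 401 challenge followed by a second request carrying the credential; a client whose server-side record never gets past `[None]` is showing the behaviour the post reports.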