Achim, please read inline

> ...
> IMHO following algorithm -if done in this sequence- is a bit hopeless.
>
>> * Crawl the web application without credentials, store non-authenticated
>> forms
>> * Login to the web application with the user provided credentials
>> * Crawl the web application keeping session state and store authenticated
>> forms
>> * Clear session cookies
>> * Login to the web application with the user provided credentials
>> * Crawl the web application keeping session state and store authenticated
>> forms
>
> To detect potential CSRF, reverse above steps:
> 1. login to application
> 2. crawl application
> 3. call all URLs identified in 2. without credentials

What is the purpose of these changes to the algorithm? Reducing the number of requests to check in the next phases?

>> * For each form that can only be accessed after authenticating,
>> analyze if it has an anti-CSRF token. The basic way of doing this is
>> to check if it has a hidden parameter that considerably changed its
>> value (using the two form instances gathered during steps 3 and 6)
>
> All URLs failed in step 3. above are either not CSRF-able or use
> further protection like anti-CSRF tokens. Then continue
> 4. check for anti-CSRF tokens
> 5. call remaining URLs with previously identified tokens

Also, tokens must be used from a session with different credentials.

> ...
> Further keep following in mind:
> + check CSRF with Basic/Digest Authentication
> + check CSRF with certificate authentication

In my algorithm I want to check, in the first step, that the request contains authentication data. It can be session cookies, an HTTP auth header and so on. I think that it is enough to simply try to find this data in the existing request. But if it is not enough, we can improve the w3af core and add a second discovery phase which will mark requests as need_auth_or_not.

> + if cookies are used; block cookies and check with URL parameter
> + if 5. above fails, get new anti-CSRF tokens with authenticated
> session, and check them with an unauthenticated request
> + take care for (I'd call them) pseudo anti-CSRF tokens like special
> HTTP headers (which are mainly constant values)
> + consider request where "parameters" are in the INFO_PATH
>
> Hope this helps to improve the plugin.

--
Taras
http://oxdef.info

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
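As an added example (not from this thread or the w3af code base), a Python sketch of the two checks discussed above: whether a request carries authentication data, and which hidden parameters of a form change between two authenticated sessions with different credentials, so that constant "pseudo tokens" are separated from real anti-CSRF tokens. The form HTML and headers are constructed sample data, and "considerably changed" is simplified to plain inequality of values.

```python
from html.parser import HTMLParser

# Constructed sample: the same form as captured in two sessions logged in
# with different credentials (the two form instances the thread compares).
FORM_SESSION_A = '''<form action="/transfer" method="post">
<input type="hidden" name="csrf_token" value="a1f3c9d2e8b7">
<input type="hidden" name="version" value="2">
<input type="text" name="amount"></form>'''
FORM_SESSION_B = '''<form action="/transfer" method="post">
<input type="hidden" name="csrf_token" value="9e0b4c77d1aa">
<input type="hidden" name="version" value="2">
<input type="text" name="amount"></form>'''


class HiddenInputParser(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a form."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def hidden_params(form_html):
    parser = HiddenInputParser()
    parser.feed(form_html)
    return parser.hidden


def classify_hidden_params(form_a, form_b):
    """Compare two instances of one form gathered in different sessions.
    Hidden parameters whose value differs are anti-CSRF token candidates;
    parameters with identical values are constants and give no protection."""
    a, b = hidden_params(form_a), hidden_params(form_b)
    common = set(a) & set(b)
    tokens = sorted(name for name in common if a[name] != b[name])
    constants = sorted(name for name in common if a[name] == b[name])
    return tokens, constants


def has_auth_data(headers):
    """First step of the algorithm: does the request carry authentication
    data (session cookie or HTTP auth header)? Header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return "authorization" in lowered or "cookie" in lowered


if __name__ == "__main__":
    print(classify_hidden_params(FORM_SESSION_A, FORM_SESSION_B))
```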