Re: [W3af-develop] Authenticated scan support for x-access-token

Wed, 05 Aug 2015 13:42:12 -0700 

Jay,

    Interesting subject, never came across JSON web tokens before.

    AFAIK nobody is working on adding this feature to the framework,
but I would be happy if you give it a try. There seems to be a library
we can use to handle all the encoding stuff [0] and some notes on the
w3af-specifics:

        * The plugins need to be 100% abstracted of the way requests
are encoded. Changes to JSON web tokens will only affect files in
w3af/core/
        * One of the most important abstractions you'll have to
understand to add JWT to w3af is mutants [1]. Follow the code by
looking for all the usages of JSONMutant and it should be easy to
understand what they are.
        * The other abstraction to be added for JWT is a container [2]

    A couple of links that might help:
        * 
https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
        * https://github.com/andresriancho/w3af/wiki/Contributing-101

    Feel free to ask me any questions via this mailing list, or use
the new issue I've just created [3]

[0] https://github.com/jpadilla/pyjwt/
[1] 
https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
[2] 
https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
[3] https://github.com/andresriancho/w3af/issues/11875

On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong <jay.xi...@verilume.com> wrote:
> Hi,
>
> We are using JWT token after user name/password authentication for the
> subsequent http request. The JWT token returned as access-token and the
> subsequent request need to include x-aacess-token as part of request.
> Otherwise, the server under scan simply rejects http request with 401.
>
> Is this feature being developed or can someone point me to the code where I
> can customize myself.
>
> Thanks,
>
> Jay
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop

Reply via email to