I can help with this

On Aug 5, 2015 4:41 PM, "Andres Riancho" <andres.rian...@gmail.com> wrote:

> Jay,
>
> Interesting subject, never came across JSON web tokens before.
>
> AFAIK nobody is working on adding this feature to the framework,
> but I would be happy if you give it a try. There seems to be a library
> we can use to handle all the encoding stuff [0] and some notes on the
> w3af-specifics:
>
> * The plugins need to be 100% abstracted of the way requests
> are encoded. Changes to JSON web tokens will only affect files in
> w3af/core/
> * One of the most important abstractions you'll have to
> understand to add JWT to w3af is mutants [1]. Follow the code by
> looking for all the usages of JSONMutant and it should be easy to
> understand what they are.
> * The other abstraction to be added for JWT is a container [2]
>
> A couple of links that might help:
> * https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor
> * https://github.com/andresriancho/w3af/wiki/Contributing-101
>
> Feel free to ask me any questions via this mailing list, or use
> the new issue I've just created [3]
>
> [0] https://github.com/jpadilla/pyjwt/
> [1] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/fuzzer/mutants/json_mutant.py
> [2] https://github.com/andresriancho/w3af/blob/master/w3af/core/data/dc/json_container.py
> [3] https://github.com/andresriancho/w3af/issues/11875
>
> On Wed, Aug 5, 2015 at 3:58 PM, Jay Xiong <jay.xi...@verilume.com> wrote:
> > Hi,
> >
> > We are using a JWT token after user name/password authentication for the
> > subsequent http requests. The JWT token is returned as access-token and the
> > subsequent requests need to include x-access-token as part of the request.
> > Otherwise, the server under scan simply rejects the http request with 401.
> >
> > Is this feature being developed, or can someone point me to the code where I
> > can customize it myself?
> >
> > Thanks,
> >
> > Jay
> >
> > ------------------------------------------------------------------------------
> >
> > _______________________________________________
> > W3af-develop mailing list
> > W3af-develop@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
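The flow Jay describes (log in once, receive the JWT as `access-token`, attach it as `x-access-token` on every later request, get a 401 otherwise) and the "encoding stuff" Andres points to pyjwt for, as an added example that is not part of this thread, of w3af, or of pyjwt. It implements HS256 JWT encode/verify with the standard library only so it runs without dependencies; in real code the pyjwt library [0] does this work. `SECRET`, `VALID_USERS`, `login_endpoint`, `protected_endpoint` and `JwtSession` are constructed stand-ins for the application under scan and for the client-side session handling w3af would need, not real w3af names.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret shared by the issuing and verifying side (HS256).
SECRET = b"constructed-example-secret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    def compact(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_verify(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims of a valid, unexpired HS256 token, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad JSON
        return None
    # Pin the algorithm to the one we issue with instead of trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", now + 1) <= now:
        return None
    return claims


# --- constructed stand-ins for the application Jay describes ----------------

VALID_USERS = {"alice": "correct-horse"}  # constructed credential store


def login_endpoint(username: str, password: str, now: int) -> dict:
    """POST /login: on success the response carries the JWT as 'access-token'."""
    if VALID_USERS.get(username) != password:
        return {"status": 401}
    token = jwt_encode({"sub": username, "exp": now + 3600}, SECRET)
    return {"status": 200, "access-token": token}


def protected_endpoint(headers: dict, now: int) -> dict:
    """Any later request: rejected with 401 unless x-access-token verifies."""
    token = headers.get("x-access-token")
    claims = jwt_verify(token, SECRET, now) if token else None
    if claims is None:
        return {"status": 401}
    return {"status": 200, "user": claims["sub"]}


class JwtSession:
    """Client side: remember the token from login and send it on every request."""

    def __init__(self) -> None:
        self.token: Optional[str] = None

    def login(self, username: str, password: str, now: int) -> int:
        resp = login_endpoint(username, password, now)
        if resp["status"] == 200:
            self.token = resp["access-token"]
        return resp["status"]

    def get(self, now: int) -> int:
        headers = {"x-access-token": self.token} if self.token else {}
        return protected_endpoint(headers, now)["status"]


def demo() -> list:
    """Walk through the flow; returns the status codes in order."""
    session = JwtSession()
    unauth = session.get(now=1000)                          # no token yet -> 401
    logged = session.login("alice", "correct-horse", 1000)  # -> 200
    ok = session.get(now=1000)                              # token attached -> 200
    expired = session.get(now=1000 + 3601)                  # past exp -> 401
    return [unauth, logged, ok, expired]


if __name__ == "__main__":
    print(demo())
```

The point for a scanner is in `JwtSession`: the token is state that lives outside any single request, so it has to be captured from the login response and re-attached by the request layer, which is why Andres says the change belongs in w3af/core/ rather than in the plugins. The verifier side shows the checks a server should apply before honouring the header: pinned algorithm, constant-time signature comparison, and expiry.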