Closed ebakirmak closed 6 years ago
You are missing this:
https://github.com/andresriancho/w3af/blob/master/profiles/OWASP_TOP10.pw3af#L191-L193
No, it is not missing. It is still not running. I am getting the same error. { "target_urls": ["http://google.com"], "scan_profile":"[/w3af/profiles/OWASP_TOP10.pw3af]" }
You got it all wrong :-) Sorry for not explaining properly.
What you need is to add these two sections to the profile.
[profile]
description = A profile
name = Some_Name
[crawl.web_spider]
...
I didn't explain properly either, sorry. The related file contains your sections, but I am still getting the same error?
I have a request JSON for creating a new task. Is it correct?
POST : http://172.17.6.150:5000/scans/
Json:
{
"target_urls": ["http://google.com"],
"scan_profile": "[fast_scan]"
}
Also, I added your section to the top of the fast_scan.pw3af file. I'm sorry for wasting your time.
All of the scan profile, all the file contents, everything needs to be the value of scan_profile in the JSON object.
Thank you @andresriancho, I got it working 👍 but there is a new issue. Every time I create a new scan, its status is Stopped. Why?
{ "items": [ { "errors": true, "href": "/scans/2", "id": 2, "status": "Stopped", "target_urls": [ "http://php.testsparker.com" ] } ] }
And there is a new error on the /scans/3/status request:
{ "code": 500, "exception_type": "RuntimeError", "filename": "status.py", "function_name": "get_rpm", "line_number": 167, "message": "Can NOT call get_run_time before start().", "please": "https://github.com/andresriancho/w3af/issues/new" }
Hmmmm, that seems to be a bug.
Fixed it in the develop branch. Please move to that branch and try again.
I downloaded the develop branch. There aren't any errors. Thank you so much. One final thing: when I send the scan_profiles file to w3af_api, it returns the response "BAD REQUEST". Why is that?
Please show me the full request and response.
"{\"scan_profile\":\"[crawl.phpinfo]\\n\\n[audit.frontpage]\\n\\n[audit.eval]\\nuse_time_delay = True\\nuse_echo = True\\n\\n[grep.motw]\\n\\n[grep.credit_cards]\\n\\n[audit.blind_sqli]\\neq_limit = 0.9\\n\\n[infrastructure.allowed_methods]\\nreportDavOnly = True\\nexecOneTime = False\\n\\n[grep.feeds]\\n\\n[infrastructure.halberd]\\n\\n[audit.phishing_vector]\\n\\n[grep.path_disclosure]\\n\\n[audit.csrf]\\n\\n[grep.hash_analysis]\\n\\n[infrastructure.dns_wildcard]\\n\\n[infrastructure.detect_transparent_proxy]\\n\\n[audit.mx_injection]\\n\\n[audit.preg_replace]\\n\\n[grep.strange_headers]\\n\\n[misc-settings]\\nform_fuzzing_mode = tmb\\nfuzzed_files_extension = gif\\nfuzzable_headers = \\nfuzz_form_files = True\\nfuzz_url_filenames = False\\nmax_discovery_time = 120\\nnon_targets = \\nfuzz_url_parts = False\\nfuzz_cookies = False\\nstop_on_first_exception = False\\ninterface = ppp0\\nlocal_ip_address = 10.5.6.18\\nmsf_location = /opt/metasploit3/bin/\\nform_id_list = []\\nform_id_action = exclude\\npath_max_variants = 50\\nparams_max_variants = 10\\nmax_equal_form_variants = 5\\n\\n[infrastructure.fingerprint_os]\\n\\n[audit.lfi]\\n\\n[infrastructure.afd]\\n\\n[audit.ldapi]\\n\\n[infrastructure.dot_net_errors]\\n\\n[audit.un_ssl]\\n\\n[infrastructure.shared_hosting]\\nresult_limit = 300\\n\\n[crawl.web_spider]\\nfollow_regex = .*\\nignore_regex = None\\nonly_forward = False\\n\\n[audit.ssl_certificate]\\nminExpireDays = 30\\ncaFileName = %ROOT_PATH%/plugins/audit/ssl_certificate/ca.pem\\n\\n[audit.os_commanding]\\n\\n[audit.ssi]\\n\\n[infrastructure.server_header]\\n\\n[audit.sqli]\\n\\n[grep.dot_net_event_validation]\\n\\n[audit.buffer_overflow]\\n\\n[grep.directory_indexing]\\n\\n[grep.analyze_cookies]\\n\\n[grep.get_emails]\\nonly_target_domain = True\\n\\n[grep.oracle]\\n\\n[grep.meta_tags]\\n\\n[grep.strange_http_codes]\\n\\n[audit.xpath]\\n\\n[audit.generic]\\ndiff_ratio = 0.35\\nextensive = 
False\\n\\n[grep.http_in_body]\\n\\n[crawl.sitemap_xml]\\n\\n[grep.file_upload]\\n\\n[infrastructure.fingerprint_WAF]\\n\\n[grep.error_500]\\n\\n[infrastructure.detect_reverse_proxy]\\n\\n[grep.lang]\\n\\n[infrastructure.server_status]\\n\\n[grep.objects]\\n\\n[infrastructure.hmap]\\ngen_fingerprint = False\\n\\n[crawl.user_dir]\\n\\n[audit.htaccess_methods]\\n\\n[crawl.oracle_discovery]\\n\\n[grep.dom_xss]\\n\\n[target]\\ntarget = \\n\\n[audit.rfi]\\nuse_w3af_site = True\\nlisten_address = \\nlisten_port = 44449\\n\\n[grep.wsdl_greper]\\n\\n[infrastructure.find_vhosts]\\n\\n[grep.http_auth_detect]\\n\\n[audit.response_splitting]\\n\\n[grep.svn_users]\\n\\n[grep.password_profiling]\\n\\n[grep.blank_body]\\n\\n[grep.error_pages]\\n\\n[audit.dav]\\n\\n[output.console]\\nverbose = True\\nuse_colors = True\\n\\n[audit.format_string]\\n\\n[infrastructure.php_eggs]\\n\\n[grep.strange_parameters]\\n\\n[crawl.robots_txt]\\n\\n[audit.global_redirect]\\n\\n[audit.xst]\\n\\n[audit.xss]\\npersistent_xss = True\\n\\n[profile]\\ndescription = The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. OWASP searched for and published the ten most common security flaws. This profile search for this top 10 security flaws. 
For more information about the security flaws: http://www.owasp.org/index.php/OWASP_Top_Ten_Project .\\nname = OWASP_TOP10\\n\\n[grep.html_comments]\\n\\n[grep.ssn]\\n\\n[grep.code_disclosure]\\n\\n[grep.private_ip]\\n\\n[crawl.phishtank]\\n\\n[http-settings]\\nproxy_port = 8080\\nurl_parameter = \\nnever_404 = \\nheaders_file = \\nproxy_address = \\nbasic_auth_domain = \\nalways_404 = \\nmax_http_retries = 2\\nntlm_auth_user = \\nntlm_auth_passwd = \\nignore_session_cookies = False\\ntimeout = 0\\nuser_agent = w3af.org\\nbasic_auth_user = \\nbasic_auth_passwd = \\nstring_match_404 = \\ncookie_jar_file = \\nntlm_auth_domain = \\nntlm_auth_url = \\nrand_user_agent = False\\nmax_file_size = 400000\\nmax_requests_per_second = 0\\n\\n[crawl.bing_spider]\\nresult_limit = 300\\n\\n[audit.file_upload]\\nextensions = gif,html\\n\\n[audit.redos]\\n\\n[crawl.web_spider]\\n\\n[grep.symfony]\\noverride = False\\n\\n[grep.form_autocomplete]\\n\\n[grep.click_jacking]\\n\\n[grep.strange_reason]\\n\\n[infrastructure.allowed_methods]\\n\\n[infrastructure.server_header]\",\"target_urls\":\"[http://ebakirmak.com]\"}"
This is the file that you showed, and I am converting it in C# with JsonConvert (Newtonsoft.Json).
When I make the request, w3af_api shows "POST /scans/ HTTP/1.1" 400
and the response comes back empty. There isn't any error in the response, so I can't solve it.
Could you please send me the full HTTP request and response?
Also, are you sure you're sending valid JSON?
Hi there, I'm sending the JSON in C# with the PostAsync method. HTTP request => [POST] http://206.189.96.44:443/scans/
and my JSON is in the comment above.
{ "target_urls":["http//google.com"],"scan_profile": File.ReadAllText(OWASP_TOP10)}
I downloaded the file https://github.com/andresriancho/w3af/blob/master/profiles/OWASP_TOP10.pw3af#L191-L193 and I'm reading this file in C# with File.ReadAllText.
My project is on GitHub and the link is https://github.com/ebakirmak/W3af-API
I didn't understand. Why is it done this way? I'm sending all of the profile files one by one but I have the same error.
@andresriancho this is only a suggestion. Instead of sending the profile settings in the JSON, couldn't you give the profile name in the JSON? I think it would be easier to use.
You are right. I sent invalid JSON. target_urls can be an array.
I thought about letting users send the profile name instead of the contents, but I decided to require the REST API caller to send the whole profile, that way the REST API caller has more control over the scan, even if he doesn't have access to the operating system running the API server.
I understand. Thank you so much @andresriancho 👍
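A pre-flight check for the request body discussed in this thread, added here as an example (not w3af's or the reporter's code): it builds the POST /scans/ JSON with the profile file's text as scan_profile and target_urls as an array. The function name, the sample profile and the target URL are constructed for illustration; requiring a [profile] section with name and description follows the maintainer's comment earlier in the thread.

```python
import configparser
import json

# Constructed sample profile text (not one of w3af's shipped profiles).
SAMPLE_PROFILE = """[profile]
description = A profile
name = Some_Name

[crawl.web_spider]
only_forward = False

[audit.sqli]
"""


def build_scan_request(profile_text, target_urls):
    """Return the JSON body for POST /scans/, or raise ValueError."""
    # target_urls has to serialize as a JSON array, not as a string "[...]".
    if not isinstance(target_urls, (list, tuple)):
        raise ValueError("target_urls must be a list of URL strings")
    for url in target_urls:
        if not isinstance(url, str) or not url.startswith(("http://", "https://")):
            raise ValueError("not an absolute http(s) URL: %r" % (url,))
    # scan_profile carries the profile file's contents, so it must parse as
    # INI text; a bare name or path such as "[fast_scan]" has no [profile].
    parser = configparser.RawConfigParser(strict=False)  # repeated sections allowed
    try:
        parser.read_string(profile_text)
    except configparser.Error as exc:
        raise ValueError("scan_profile is not profile file content: %s" % exc)
    # Assumption taken from the thread: [profile] with name and description.
    for key in ("name", "description"):
        if not parser.has_option("profile", key):
            raise ValueError("[profile] section lacks %r" % key)
    # json.dumps escapes the newlines and quotes inside the profile text.
    return json.dumps({"scan_profile": profile_text, "target_urls": list(target_urls)})


if __name__ == "__main__":
    print(build_scan_request(SAMPLE_PROFILE, ["http://target.example/"]))
```

Serializing with a JSON library rather than concatenating strings keeps the multi-line profile text valid inside the request body.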
Hi there,
I am getting an error. Can you help me?