andresriancho / w3af

w3af: web application attack and audit framework, the open source web vulnerability scanner.
http://w3af.org/

Target URL out SCOPE #6721

Closed ST2Labs closed 9 years ago

ST2Labs commented 9 years ago

Example: URL www.upo.es

Target: URL: www.upo.es Correct SCOPE: http://www.upo.es/portal/impe/web/portada

Problem:

w3af doesn't detect the correct SCOPE from the target URL introduced. If you analyze the HTTP traffic with the target, there are two servers; the first server makes a 302 to the correct SCOPE, but w3af does not update the SCOPE and keeps on testing the first URL introduced.

Then the test takes longer than 24h (sometimes less), with incomplete or erroneous results.

Maybe if HTTP redirects (3xx) are checked, it could manage the problem and detect the correct SCOPE.

andresriancho commented 9 years ago

Could you show me the HTTP traffic associated with w3af sending HTTP requests to a domain outside the one set in the target URL?

Were you able to debug which plugin is sending it?

ST2Labs commented 9 years ago

[+]

Using WhatWEB tools

```
/WhatWeb$ ./descubre.sh www.upo.es
> started for http://www.upo.es
http://www.upo.es [HTTP CODE: 302] RedirectLocation[http://www.upo.es/portal/], Title [302 Found]
http://www.upo.es/portal/ [HTTP CODE: 302]
http://www.upo.es/portal/ [HTTP CODE: 302] RedirectLocation[http://www.upo.es/portal/impe/web/portada], Title[302 Found]

RedirectLocation
-----------------------------------------------------------
Description: HTTP Server string location. used with http-status 301 and 302
String : http://www.upo.es/portal/impe/web/portada (from location)

http://www.upo.es/portal/impe/web/portada [HTTP CODE: 200]
```
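A sketch of the redirect check suggested in this thread, as an added example that is not w3af's code and not part of the original issue: it follows 3xx responses from the entered target, refuses to leave the target host, and returns the landing URL as the scope root. The `RESPONSES` map is constructed from the WhatWeb output above; `resolve_scope`, `in_scope` and the same-directory scope rule are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample mirroring the WhatWeb output: URL -> (status, Location)
RESPONSES = {
    "http://www.upo.es/": (302, "http://www.upo.es/portal/"),
    "http://www.upo.es/portal/": (302, "http://www.upo.es/portal/impe/web/portada"),
    "http://www.upo.es/portal/impe/web/portada": (200, None),
}

def fetch(url):
    """Offline stand-in for an HTTP request (assumption: no network access)."""
    return RESPONSES.get(url, (404, None))

def normalize(url):
    """Add a scheme to bare hosts such as 'www.upo.es' and '/' to an empty path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts._replace(path=parts.path or "/", fragment="").geturl()

def resolve_scope(target, fetch, max_hops=5):
    """Follow 3xx responses from target and return (final_url, chain).

    Raises ValueError when a redirect leaves the target host, loops, or
    exceeds max_hops, so the scan never silently moves to another domain.
    """
    url = normalize(target)
    host = urlsplit(url).hostname
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, chain
        nxt = normalize(urljoin(url, location))  # Location may be relative
        if urlsplit(nxt).hostname != host:
            raise ValueError("redirect leaves target host: %s" % nxt)
        if nxt in chain:
            raise ValueError("redirect loop at %s" % nxt)
        chain.append(nxt)
        url = nxt
    raise ValueError("more than %d redirects" % max_hops)

def in_scope(url, scope_root):
    """Hypothetical rule: same host and under the scope root's directory."""
    u, r = urlsplit(normalize(url)), urlsplit(scope_root)
    base = r.path.rsplit("/", 1)[0] + "/"
    return u.hostname == r.hostname and u.path.startswith(base)
```

With the landing URL as scope root, the `/portal/impe/web/...` URLs from the second test fall inside the scope and the `/postgrado/...` URLs fall outside it.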

ST2Labs commented 9 years ago

Hi Andres,

I'm running some tests with w3af to determine whether or not it correctly detects the SCOPE (target URL within the same domain).

TEST1: URL: http://www.upo.es/portal/impe/web/portada

TXT output of web_spider, only this comes out:

```
[ Mon Dec 15 13:24:20 2014 - Enabled plugins ] crawl web_spider
[ Mon Dec 15 13:24:20 2014 - Enabled plugins ] crawl config web_spider
[Mon Dec 15 13:24:31 2014 - debug] web_spider plugin is testing: "Method: GET | http://www.upo.es/portal/impe/web/portada/"
[Mon Dec 15 13:24:31 2014 - debug] Called _discover_worker(web_spider, http://www.upo.es/portal/impe/web/portada/)
[Mon Dec 15 13:24:31 2014 - debug] Starting plugin: crawl.web_spider
[Mon Dec 15 13:24:31 2014 - debug] web_spider is testing " http://www.upo.es/portal/impe/web/portada/"
```

TEST 2: URL: www.upo.es

OUTPUT

```
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Formacion-Especializada-en-Community-Manager-Redes-sociales-y-Marketing-Digital"
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Formacion-Especializada-en-Planes-de-Autoproteccion-online"
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Formacion-Especializada-en-Intervencion-en-Casos-de-Drogadiccion"
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Formacion-Especializada-en-Tutor-E-Learning"
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Formacion-Especializada-en-Intervencion-en-Casos-de-Violencia-de-Genero"
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Experto-Alimentacion-y-Nutricion-Humana-I-Ed-imparticion"
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Experto-Direccion-y-Gestion-Hostelera"
New URL found by web_spider plugin: "http://www.upo.es/postgrado/Master-en-Cloud-Business"
New URL found by web_spider plugin: "http://www.upo.es/portal/impe/web/manejadorFirma"
New URL found by web_spider plugin: "http://www.upo.es/portal/impe/web/web"
New URL found by web_spider plugin: "http://www.upo.es/portal/impe/web/contenido/20433861-4442-11de-819e-3fe5a96f4a88"
New URL found by web_spider plugin: "http://www.upo.es/portal/impe/web/contenido/20433861-4442-11de-819e-3fe5a96f4a88"
New URL found by web_spider plugin: "http://www.upo.es/portal/impe/web/contenido/20433861-4442-11de-819e-3fe5a96f4a88"
```

The crawler phase is still running.

Regards.

Julián González
Telecommunications Engineer specializing in Information Security
CISA (http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx), GPEN (http://www.giac.org/certification/penetration-tester-gpen), GCIH (http://www.giac.org/certification/certified-incident-handler-gcih), ITIL v2/3

e-mail: julian.gonzalez@seguridadparatodos.es
www.st2labs.com


andresriancho commented 9 years ago

You have only forward set in your web_spider, remove that and it will work.

ST2Labs commented 9 years ago

OK


ST2Labs commented 9 years ago

Upps!

```
w3af - Web Application Attack and Audit Framework
Version: 1.6.0.5
Revision: 91676ffe93 - 13 Nov 2014 14:54
Branch: master
Local changes: No
Author: Andres Riancho and the w3af team.
```

TEST 2: www.upo.es

Script

```
target
set target www.upo.es
back
plugins
grep ajax, click_jacking, analyze_cookies, directory_indexing, error_pages, hash_analysis, html_comments, path_disclosure, private_ip, strange_headers, xss_protection_header, strange_reason
infrastructure afd, allowed_methods, find_vhosts, fingerprint_WAF, fingerprint_os, hmap, php_eggs, server_status, server_header
crawl web_spider
crawl config web_spider
set only_forward true
back
audit csrf, format_string, generic, htaccess_methods, os_commanding, sqli, ssi, ssl_certificate, un_ssl, xpath, xss, xst
output text_file, html_file, xml_file
output config text_file
set output_file upo.es2.txt
set http_output_file upo.es2-http.txt
set verbose True
back
output config html_file
set output_file upo.es2.html
back
output config xml_file
set output_file upo.es2.xml
back
back
http-settings
set timeout 35
set user_agent ACS Geko 6.0
back
misc-settings
set max_discovery_time 10
set fuzz_form_files false
back
start
exit
```

Error:

```
Exception in thread ConsoleScanThread:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 505, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/share/w3af/w3af/core/ui/console/rootMenu.py", line 124, in _real_start
    self._w3af.start()
  File "/usr/share/w3af/w3af/core/controllers/w3afCore.py", line 231, in start
    self.scan_end_hook()
  File "/usr/share/w3af/w3af/core/controllers/w3afCore.py", line 405, in scan_end_hook
    om.out.end_output_plugins()
  File "/usr/share/w3af/w3af/core/controllers/output_manager.py", line 138, in end_output_plugins
    self.__end_output_plugins_impl()
  File "/usr/share/w3af/w3af/core/controllers/output_manager.py", line 149, in __end_output_plugins_impl
    o_plugin.end()
  File "/usr/share/w3af/w3af/plugins/output/html_file.py", line 309, in end
    severity))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe1 in position 279: ordinal not in range(128)
```

Regards.
