w3af interpreting output

Started by xengine, September 15, 2013, 07:23:50 PM


xengine

Hi, I want to start a discussion section on correctly interpreting w3af output, and a general question-and-answer thread regarding w3af, for the knowledge base. There is a sheer lack of explanation of the various outputs that result from the various plugins, for testers and web developers. I am a tester and a developer as well; understanding some of the anomalies might be crucial info.

That being said, I am starting with a password profiling test on my web server. I don't know how to interpret these; if someone can help:

http://pastebin.com/vuGZYXbg

P.S. Use pastebin for outputs.

weVeg

That plugin tells you the repetitions of words inside the pages' source code. As w3af tells you, "this plugin creates a list of possible passwords by reading responses and counting the most common words".

cheers!
A free voice is always liberating
under_r00t

xengine

Thanks weVeg, there are a lot of questions :) so there is more... The following is an output mentioning debug:
[Wed 28 Aug 2013 02:17:26 PM CEST - debug] GET http://127.0.0.1/manager/html returned HTTP code "401" - id: 33
[Wed 28 Aug 2013 02:17:26 PM CEST - debug] "http://127.0.0.1/manager/html" (id:33) is a 404 [similarity_index > 0.9]
[Wed 28 Aug 2013 02:17:26 PM CEST - debug] GET http://127.0.0.1/ returned HTTP code "200" - id: 36
[Wed 28 Aug 2013 02:17:26 PM CEST - debug] GET http://127.0.0.1/tomcat-docs returned HTTP code "404" - id: 34
[Wed 28 Aug 2013 02:17:26 PM CEST - debug] "http://127.0.0.1/" (id:36) is NOT a 404 [similarity_index < 0.9].
[Wed 28 Aug 2013 02:17:26 PM CEST - debug] Adding relative reference "http://127.0.0.1/" to the result.
[Wed 28 Aug 2013 02:17:27 PM CEST - debug] GET http://127.0.0.1/tomcat-power.gif returned HTTP code "200" - id: 35
[Wed 28 Aug 2013 02:17:27 PM CEST - debug] "http://127.0.0.1/tomcat-power.gif" (id:35) is NOT a 404

"debug" doesn't always come, but it comes sometimes; I don't know why. Perhaps it has something to do with when I am testing the live web server: I don't find it there, but I do find it when I am testing offline. Secondly, can we consider code "200" a false positive for the XSS case, or should it be tested to the extent that the server should return those sources as inaccessible?

And my second question is, or you can say I want to confirm my observation: when running xss, redos or any other plugins that mostly relate to injection or fuzzing, there are two major patterns in the output, "list of injectable urls" and "fuzzable", besides path disclosure and empty body, which naturally give different output.

And lastly, the following output is about two plugins, path disclosure and empty body. How do I interpret the path disclosure /lib/driver.jar: is disclosure of Java packages potentially serious, or a really serious flaw? The same goes for empty body, especially those around /etc/passwd:

http://pastebin.com/pMQTS9Cs

P.S. Please use pastebin.com for outputs.
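As an added example (not code from the original post, and not w3af's own implementation), the Python below parses debug lines of the shape quoted above, joins each request's HTTP code with w3af's "is a 404" verdict by request id, and flags the case the post asks about: a response whose code is not 404 (here the 401 on /manager/html) but whose body is similar enough to a known 404 page (similarity_index > 0.9) that w3af treats it as one. The similarity ratio uses difflib as a stand-in for w3af's own measure; the sample log lines are a constructed copy of the ones quoted above.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a copy of the w3af debug lines quoted in the post above.
SAMPLE_LOG = [
    '[Wed 28 Aug 2013 02:17:26 PM CEST - debug] GET http://127.0.0.1/manager/html returned HTTP code "401" - id: 33',
    '[Wed 28 Aug 2013 02:17:26 PM CEST - debug] "http://127.0.0.1/manager/html" (id:33) is a 404 [similarity_index > 0.9]',
    '[Wed 28 Aug 2013 02:17:26 PM CEST - debug] GET http://127.0.0.1/ returned HTTP code "200" - id: 36',
    '[Wed 28 Aug 2013 02:17:26 PM CEST - debug] GET http://127.0.0.1/tomcat-docs returned HTTP code "404" - id: 34',
    '[Wed 28 Aug 2013 02:17:26 PM CEST - debug] "http://127.0.0.1/" (id:36) is NOT a 404 [similarity_index < 0.9].',
    '[Wed 28 Aug 2013 02:17:27 PM CEST - debug] GET http://127.0.0.1/tomcat-power.gif returned HTTP code "200" - id: 35',
    '[Wed 28 Aug 2013 02:17:27 PM CEST - debug] "http://127.0.0.1/tomcat-power.gif" (id:35) is NOT a 404',
]

# The two line shapes w3af emits: the raw request result and the 404-detection verdict.
REQ_RE = re.compile(r'GET (\S+) returned HTTP code "(\d+)" - id: (\d+)')
VERDICT_RE = re.compile(r'"(\S+)" \(id:(\d+)\) is (NOT a 404|a 404)')


def parse_w3af_debug(lines):
    """Return {request_id: {"url", "code", "is_404"}}; is_404 stays None when
    w3af logged no verdict for that id (as for the real 404 on /tomcat-docs)."""
    entries = {}
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            url, code, rid = m.groups()
            e = entries.setdefault(rid, {"is_404": None})
            e["url"], e["code"] = url, int(code)
            continue
        m = VERDICT_RE.search(line)
        if m:
            url, rid, verdict = m.groups()
            e = entries.setdefault(rid, {"url": url, "code": None})
            e["is_404"] = (verdict == "a 404")
    return entries


def soft_404s(entries):
    """Ids whose status code was not 404 but whose body w3af judged to be a 404 page.
    These are the lines worth re-checking by hand: the code alone is misleading."""
    return sorted(rid for rid, e in entries.items()
                  if e["code"] not in (404, None) and e["is_404"])


def similarity_index(body, known_404_body):
    """Body similarity in [0, 1]; w3af calls a response a 404 above 0.9 (difflib stand-in)."""
    return SequenceMatcher(None, body, known_404_body).ratio()


def looks_like_404(body, known_404_body, threshold=0.9):
    return similarity_index(body, known_404_body) > threshold
```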

weVeg

Hi! Really, I don't know! You should ask the w3af developers!

ZEROF

Hi,

As you said to us, as a tester and developer you need to know that only the software developer can be informed when a tester comes out with "issues" coming directly from the software and not from the OS developers. We can dig as deep as you, and we will find even more bugs, but as you may know all tools were made for testing, and touching perfection with a pentesting tool has been almost impossible for the last 12 years.

Systems are updated almost every day, and what we call a testing platform was never made to a point. Every tool we use these days needs, and will be, updated one day or never. When a hacker/pentester finds issues he will exploit every part of them, but software providers will update their product as well.

From this part of the conversation, and from my point of view, you need to contact software support, and when you find a solution please share it with us and the whole world.


Thank you for taking your time, and we will be glad to assist you in the future.

After all, I have a few questions for you.

1. Do you have your own password list? (Many tools can help you with this: the tool made by TAPE (WLM), or the CUPP tool.)
2. What do you want to do exactly?
3. Do you know any tool except w3af that can do that for you?

Cheers!

Don't ask, read : http://wiki.backbox.org
or just run sudo rm -rf /*

xengine

Thanks ZEROF for the input...!! Well, debug was not a problem; I was just asking if somebody knew exactly why the program throws it when checking some plugin, and I realize yes, this problem concerns the w3af support team... ANYWAY... but there are bigger questions which really weigh more than this, if you can kindly answer those which are mentioned with the output. Yes, I have my wordlist, it's no problem; finding huge common lists is also no problem for HYDRA. I wanted to test brute-force side effects like DoS. I can choose Nessus or OpenVAS for testing an embedded web server, but I want to write my own script, first analyze and then produce common attacks intelligently; that's why w3af became my choice, because of the comprehensive open source scripts to play with. If you happen to know others, please share.


ZEROF

Hi xengine,

You don't give a straight answer to my question. What the hell do you want to do? I'm not in your place drinking soda and playing games with you (first you need to send an invitation :) ). If you are looking for web application scanners you have a lot of solutions for free (or paid services).

Some you can try: arachni, skipfish, wapiti, vega etc...

Cheers!

xengine

ZEROF, thanks for sharing wapiti etc.... I think I pretty much answered all your questions: what do you want to do... password list... I asked for help regarding just the analysis of my 2nd comment on path disclosures and empty bodies with regards to the output, if you can kindly help with that, IF YOU HAVE TIME to lend insight; it is just classifying what is what. As I have mentioned my goal again, I just need a few analyses to complete the goal. I need to differentiate between potential and serious flaws first, to say the least. I am testing in a limited environment of an embedded web server; I hope you get my point this time. :)