w3af
w3af copied to clipboard
andresriancho
python-webkit not maintained
Hi, w3af depends on python-webkit which is no longer maintained upstream (last update was in 2010). The package python-webkit has been removed from debian testing recently (and should be removed from kali-rolling soon): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790218 Can we get rid of that dependency? What would break if we drop it? Is there an alternative which is correctly maintained?
Unless you are wiling to take over python-webkit (see https://github.com/jmalonzo/pywebkitgtk), we must find a way to get rid of it.
Thank you for considering.
@sbrun thanks for reporting this.
That library is mainly used in:
-
./w3af/core/ui/gui/rrviews/rendering.pywhere it is optional. If the library is not present the GUI will still work as expected. -
./w3af/core/ui/gui/scanrun.pywhere it's a required library. We use it for rendering HTML (doh!)
I'm not willing to take over python-webkit, I'm trying to reduce my workload, not increase it :)
I was unable to find an alternative in 5 minutes of Google searching. I should search more and find a way to solve this issue.
Something else to do is:
- Search all debian packages using
python-webkit - See how they solved the issue
Well, since the issue hasn't been fixed yet, the scenario has happened and python-webkit got removed from Debian and Kali Linux this is the fix I came up with (which I found nowhere on the web): Download and install it manually: https://pkgs.org/download/python-webkit ...
Or if you're lazy and using Kali just C&P this:
wget http://ftp.br.debian.org/debian/pool/main/p/pywebkitgtk/python-webkit_1.1.8-2_i386.deb
sudo dpkg -i python-webkit_1.1.8-2_i386.deb
It's probably not advisable to keep that old library in the long run, it wouldn't get the usual security updates that go into Chrome or other Webkit browsers regularly.
If you're needing to use the Webkit Webview in Python, it looks like the package you want to install is:
sudo apt-get install gir1.2-webkit-3.0 python-gi
If you want to see how to use these packages in a simple example, check this out: https://gist.github.com/kklimonda/890640
Apparently since GTK3+ all these need to be imported with "from gi.repository import..." the GTK library, and if you use the older syntax it will not work in the latest Debian/Ubuntu versions.
I found my way to this page as I attempted to run the pushbullet-indicator on Debian 9.3 where the python-webkit is not available, which is otherwise necessary to run pushbullet-indicator.
sudo apt-get install gir1.2-webkit-3.0 python-gi
Solved the issue.
THANKYS @programmin1
@andresriancho Any chance scanrun.py could be transitioned to something else (like gir1.2-webkit-3.0), provided it'll work on MacOS too? Had a difficult enough time trying to get w3af_gui working on Ubuntu, and couldn't get it to work on MacOS at all.
Workaround for Fedora 27
Look for some package that provides the missing libraries
$ sudo dnf provides "*"/libwebkitgtk-1.0.so.0
$ sudo dnf provides "*"/libjavascriptcoregtk-1.0.so.0
Verify that any of the packages listed above is installed
$ rpm -q gnucash
gnucash-2.6.18-1.fc27.x86_64
Then create the symbolic links of the missing libraries
$ sudo ln -s /usr/lib64/gnucash/libwebkitgtk-1.0.so.0 /lib64/libwebkitgtk-1.0.so.0
$ sudo ln -s /usr/lib64/gnucash/libjavascriptcoregtk-1.0.so.0 /lib64/libjavascriptcoregtk-1.0.so.0
This could easily be solved if w3af were released as a Snap (and/or Flatpak). Then all the dependencies could be held together without affecting the operating system.
I managed to get it working on 64 bit Elementary OS, I had to fetch python-support and python-webkit from here:
http://ftp.br.debian.org/debian/pool/main/p/python-support/
and here:
http://ftp.br.debian.org/debian/pool/main/p/pywebkitgtk/
This is not helpful. I'm using Gentoo / Pentoo. No wonder on one in Pentoo is bothering to keep w3af more current... But, https://wiki.python.org/moin/PythonWebKit has a git link to a source repo that might be usesful, though I haven't yet finished cloning it. The download is quite slow and somewhat large...
Uh oh! This is a bummer... I can't seem to find any replacement library on macOS Mojave, and this prevents running the w3af gui. Any update?
I gave up trying to cope with the dependency problems on Kali and installed Ubuntu because the getting started page says that's where w3af is tested. Most of the installation was smoother there, but I am still up against the webkit problem. I tried downloading the package and installing it, but then I get
dpkg: dependency problems prevent configuration of python-webkit: python-webkit depends on libjavascriptcoregtk-1.0-0 (>= 1.5.1); however: Package libjavascriptcoregtk-1.0-0 is not installed. python-webkit depends on libpango1.0-0 (>= 1.14.0); however: Package libpango1.0-0 is not installed. python-webkit depends on libwebkitgtk-1.0-0 (>= 1.3.10); however: Package libwebkitgtk-1.0-0 is not installed. python-webkit depends on python-support (>= 0.90.0); however: Package python-support is not installed.
dpkg: error processing package python-webkit (--install): dependency problems - leaving unconfigured Errors were encountered while processing: python-webkit
I've spent some hours now trying to install this and would welcome help.
That is an ooold version of webkit. Webkit2 api has been available for some time, and you can see some of the differences in my app as an example. along with dependencies here - in particular, I think gir1.2-webkit2-4.0 and python-gi are what you want.
Thanks! That makes sense, and I was able to install them. But w3af appears to insist on the old version:
~/w3af$ ./w3af_gui w3af's requirements are not met, one or more third-party libraries need to be installed.
On Ubuntu 18.04 systems please install the following operating system packages before running the pip installer: sudo apt-get -y install python-webkit
Sounds like the source code needs to be changed - should not be using such an old webkit interface.
:) Agreed. And because
- this problem was reported (at the top of this thread) in 2016 and
- acknowledged very promptly by the developer and
- remains unchanged in 2019 even after other reports of the problem I'm ready to conclude w3af is no longer supported.
(Contrary evidence: the source repository shows recent activity, though not by the developer, so evidently someone(s) is/are still able to use it.)
Yeah, having the same problem here, trying all approaches to face the webkit issue, tried the solutions provided by guys on this topic but w3af still asking for the old version, and since the developer just ignores everyone I guess this is it for w3af and I'll have to look for another tool
Yeah, having the same problem here, trying all approaches to face the webkit issue, tried the solutions provided by guys on this topic but w3af still asking for the old version, and since the developer just ignores everyone I guess this is it for w3af and I'll have to look for another tool
any suggestion for other tool please?
Looks like someone else had the same question, and the answer was OWASP ZAP. This paper was considering only free solutions though.
https://www.pnsqc.org/wp-content/uploads/2019/10/Myers-Starting-a-Security-Program-on-a-Shoestring.pdf
I've been trying to fix this issue on a number of different occasions because I thought W3AF looked really promising. Unfortunately I've had to give up and go with OWASP ZAP and Metasploit instead. [cc @and8eye ]
Hello everyone! I solved the issue in ubuntu 18.04 by installing some of the packages above and finally installing the python-webkit_1.1.8-3.1_amd64.deb package with dpkg followed by apt --fix-broken install to grab the dependencies.
sudo apt-get install gir1.2-webkit-3.0 python-gi
was the command to grab the other webkit dependencies for the w3af_install script to work.
On Ubuntu Bionic I got python-webkit by adding a Xenial repo to my apt sources.list like this:
https://stackoverflow.com/questions/59896970/how-to-install-python-webkit-and-python-webkit-dev-in-ubuntu-18-04
I used a local mirror though.
