On Sun, 23 Nov 2008, Andres Riancho wrote:

!! Well, w3af detects the web application vulnerabilities and exploits
!! them. It's different from metasploit/canvas/impact in many ways. The
!! most important one is that we don't exploit "apache" vulnerabilities
!! like format strings and buffer overflows, w3af exploits the web
!! application vulnerabilities.

hmm, according to this definition anything in the web- or application server
and anything in context of the network topology would be out of scope of
w3af; in particular many anomalies in the request header (which is mainly
handled by the server and not the application) should not be part of w3af
as well as the WAF detection and some IDS/IDP evasion techniques.

Do you really mean that? I doubt it.

the "W" in w3af stands for web, and that starts with HTTP at any device,
whether it is IDS, IPS, web or application server and also includes the
backend (databases, etc.). The web application itself is just one part
of this, probably the main part, though :)

!! I've sent an email to the original vulnerability finder, to ask some
!! things like "how many installations of PHP with the buggy PHP version
!! are actually vulnerable?" (please remember that the console needs to
!! be configured to support multibyte chars). And I failed to get an
!! answer. Any of you know Stephan Esser and can remind him that I sent
!! him an email?

PHP's gpc_magic_quotes is a configuration issue of the application
server (php.ini) or the application itself if set within there.
Hence -according to (my) definition of w3af- it should be checked.

Just my 2 pence.
Achim


_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
