Kevin,

On Mon, Dec 15, 2008 at 7:17 AM, Muffys Wump <muff...@hotmail.com> wrote:
>
> Hi everyone,
>
> I wrote a xml output plugin for further automation of w3af scan results.
> I'm going to commit this if everyone is okay with the overall xml structure
> (see the report.xml attachment). Debug messages can be disabled.

Once again, thanks for an excellent contribution =)

Some comments:

- I think that w3af should provide only one single way of writing an
HTTP log to a file, so the xmlFile plugin should have a "pass" as the
implementation for the "logHttp" method. And all the things related to
that feature should be removed from the plugin. Users should know that
THE way of writing HTTP request and responses to a file is using
textFile plugin. Also, if we keep this feature in both plugins, and in
the future one plugin changes the way of doing it... we'll have two
different formats for the output file that handles HTTP logs! (which
sucks!)

- "self._reportDebug = False" is a good choice.

- Please try to use underscore separated variables and method names

- Writing the XML file this way:

        # Add additional information results
        for node in self._consoleXML:
            self._topElement.appendChild(node)

        for node in self._debugXML:
            self._topElement.appendChild(node)

        for node in self._errorXML:
            self._topElement.appendChild(node)

Will confuse people, because items are going to be out of order!
People don't expect grouped messages, they expect to see events as
they happen, mixed. The solution would be to do something like this:

        # Add additional information results
        for node in self._general_list:
            self._topElement.appendChild(node)

Or even better... why don't we DIRECTLY write to _topElement inside
each "information", "debug", etc method? If we write directly to the
_topElement, we are going to be saving some memory because things are
written to the file, right? If not... is there a way to write things
to the file and not store them in memory?

- This line doesn't look really nice:

<scaninfo plugins="xss,w3afCore,baseGrepPlugin,baseAuditPlugin,sqli"
target="http://localhost/vuln/index.php"/>

xss, w3afCore and baseGrepPlugin mixed in the same line? It makes no
sense to me as a developer, and it will make no sense for the users
either. Maybe the scan info should look like:

<scaninfo target="http://localhost/vuln/index.php">
    <audit>
        <plugin name="xss">
            <config parameter="abc" value="def"/>
            <config parameter="ddd" value="1"/>
        </plugin>
    </audit>
    ...
</scaninfo>

Your contribution was really good, but it needs some work; right now I
don't have more time to test the plugin :(
Please try to fix the items in my list, and then re-post the results
here. THANK YOU!

Cheers,

> Cheers,
> Kevin
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
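
The ordering and memory points above, as an added example that is not w3af's or Kevin's code: a small Python 3 writer that streams each information/debug/error event to the report the moment it is reported (so events stay interleaved in the order they happened and the plugin keeps no list of pending nodes), and that emits the nested scaninfo layout proposed above. The root element name w3afrun, the plugins dict shape, the report_debug flag name and the sample messages are assumptions made for this example. Two caveats a report writer should handle: XMLGenerator escapes '<', '&' and quotes in messages and attribute values, and the _clean helper strips the control characters XML 1.0 forbids, since raw HTTP bodies copied into messages would otherwise produce a report that no parser will accept.

```python
# Added example, not w3af's code: stream scan events to an XML report in
# the order they occur, instead of grouping them by type, without keeping
# the events in memory. Root element name, plugins dict shape and the
# report_debug flag name are assumptions made for this example.
import io
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import XMLGenerator

# Control characters that XML 1.0 does not allow anywhere in a document.
# Raw HTTP bodies copied into messages can contain them; one such byte
# makes the whole report unparseable, so they are dropped.
_ILLEGAL_XML = re.compile('[\x00-\x08\x0b\x0c\x0e-\x1f]')


def _clean(text):
    return _ILLEGAL_XML.sub('', str(text))


class XmlReportWriter:
    """Write every event straight to the output stream as it arrives.

    XMLGenerator escapes markup characters in text and attribute values,
    so a message like "Found XSS in <script>" cannot break the report.
    """

    def __init__(self, stream, report_debug=False):
        self._report_debug = report_debug
        self._gen = XMLGenerator(stream, encoding='utf-8',
                                 short_empty_elements=True)
        self._gen.startDocument()
        self._gen.startElement('w3afrun', {})  # root name is an assumption

    def scan_info(self, target, plugins):
        # plugins: {'audit': {'xss': {'abc': 'def'}}, 'grep': {...}}
        # (dict shape assumed for the example)
        self._gen.startElement('scaninfo', {'target': _clean(target)})
        for plugin_type, names in plugins.items():
            self._gen.startElement(plugin_type, {})
            for name, config in names.items():
                self._gen.startElement('plugin', {'name': _clean(name)})
                for parameter, value in config.items():
                    self._gen.startElement('config', {
                        'parameter': _clean(parameter),
                        'value': _clean(value)})
                    self._gen.endElement('config')
                self._gen.endElement('plugin')
            self._gen.endElement(plugin_type)
        self._gen.endElement('scaninfo')

    def _event(self, kind, message):
        # Written immediately: no per-type list, file order == event order.
        self._gen.startElement(kind, {})
        self._gen.characters(_clean(message))
        self._gen.endElement(kind)

    def information(self, message):
        self._event('information', message)

    def debug(self, message):
        if self._report_debug:  # debug output can be switched off
            self._event('debug', message)

    def error(self, message):
        self._event('error', message)

    def close(self):
        self._gen.endElement('w3afrun')
        self._gen.endDocument()


def write_demo_report(report_debug=False):
    """Produce a report from constructed sample events and return its text."""
    buf = io.StringIO()
    writer = XmlReportWriter(buf, report_debug=report_debug)
    writer.scan_info('http://localhost/vuln/index.php',
                     {'audit': {'xss': {'abc': 'def', 'ddd': '1'}}})
    writer.information('Found XSS in <script>')   # markup gets escaped
    writer.debug('GET /index.php?x=1 sent')       # dropped unless enabled
    writer.error('Connection reset')
    writer.information('Scan finished\x00')       # NUL is stripped
    writer.close()
    return buf.getvalue()


def parse_report(xml_text):
    """Read a report back: ({plugin: {parameter: value}}, [(tag, text)])."""
    root = ET.fromstring(xml_text.encode('utf-8'))
    plugins = {}
    for plugin in root.iter('plugin'):
        plugins[plugin.get('name')] = {
            c.get('parameter'): c.get('value') for c in plugin.findall('config')}
    events = [(child.tag, child.text) for child in root
              if child.tag != 'scaninfo']
    return plugins, events


if __name__ == '__main__':
    print(write_demo_report(report_debug=True))
```

Because each call goes to the stream at once, a report that is interrupted mid-scan still holds every event up to the failure in true order; the only state the writer keeps is the open root element, which close() terminates.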
