Hi, Patrick!

> I use w3af more for its manual testing abilities than for the whole automated
> stuff, which is why I'm mostly interested in the spiderMan plugin / the proxy
> taras is currently writing. Not that I think the automated plugins are bad, I
> just don't use them much, if at all.

Automated plugins often make webapp pentesting easier ;) And of course they are
not a full replacement for manual testing, imho.

> 
> So I was looking at the URLs I had already gathered in the "Results" tab of the
> GUI (with spiderMan) and noticed that the search function is actually quite
> limited. I cannot search in request bodies (e.g. POST data) and I cannot search
> in responses at all.
> 
> Having a look at the code saving the requests and responses and the persist.py
> sources tells me why: because the request and response object are stored as
> pickled blobs of data in the database. This is of course unfortunate if you
> want to search in their data.

Yes, but we have special separate columns for search (id, url, code).
By the way, at the moment I'm rewriting the w3af DB interface for more complex
data access, and soon these changes will be in svn.

> So my questions are:
> 
> - What would you say: would it be a good idea to code the possibility into w3af
>   to search in _all_ of the request and response data?
Hm, what about big data? It seems it would be slower.
What kind of data do you want to search in request/response? Examples?

> - Is there already work done in this area?
At the moment I'm rewriting the DB backend, so I can easily make improvements.

> - Can you think of any pitfalls or suggestions you may have before I go and code
>   sth. up, if we agree that this would be nice to have? E.g., performance
>   issues?
> - How's the general development of the database persistence feature coming
>   along? The code tells me for example that I will be able to set the database
>   name, but the feature doesn't seem to be activated in the (gtk)UI. Along the
>   same lines, I see that there's already code to load a database on startup, but
>   that doesn't seem to be activated either.
Do you want to set the DB file path in the GUI?


-- 
Taras
----
"Software is like sex: it's better when it's free." - Linus Torvalds
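A worked illustration of the storage trade-off discussed in this thread, added here as an example and not w3af's own code: with the pickled-blob layout, searching request or response bodies means fetching and unpickling every row in Python, while plain TEXT columns let sqlite answer the same query. The HttpRequest/HttpResponse classes and both table layouts are assumptions, and the traffic is constructed.

```python
import pickle
import sqlite3
from dataclasses import dataclass

@dataclass
class HttpRequest:  # assumed stand-in for w3af's request object
    url: str
    body: str

@dataclass
class HttpResponse:  # assumed stand-in for w3af's response object
    code: int
    body: str

def make_db():
    conn = sqlite3.connect(":memory:")
    # Layout described in the thread: searchable id/url/code columns plus one pickled blob.
    conn.execute("CREATE TABLE pickled (id INTEGER, url TEXT, code INTEGER, blob BLOB)")
    # Alternative layout: bodies kept as TEXT columns so the database can search them itself.
    conn.execute("CREATE TABLE plain (id INTEGER, url TEXT, code INTEGER, req_body TEXT, resp_body TEXT)")
    return conn

def store(conn, rid, req, resp):
    conn.execute("INSERT INTO pickled VALUES (?, ?, ?, ?)", (rid, req.url, resp.code, pickle.dumps((req, resp))))
    conn.execute("INSERT INTO plain VALUES (?, ?, ?, ?, ?)", (rid, req.url, resp.code, req.body, resp.body))

def search_pickled(conn, needle):
    # SQL cannot see inside the blob, so every row is fetched and unpickled in Python: a full
    # scan that grows with the crawl (pickle.loads must only ever see blobs the tool wrote itself).
    hits = []
    for rid, blob in conn.execute("SELECT id, blob FROM pickled ORDER BY id"):
        req, resp = pickle.loads(blob)
        if needle in req.body or needle in resp.body:
            hits.append(rid)
    return hits

def search_plain(conn, needle):
    # The database answers the same question itself, with no per-row unpickling.
    pat = f"%{needle}%"
    return [r[0] for r in conn.execute(
        "SELECT id FROM plain WHERE req_body LIKE ? OR resp_body LIKE ? ORDER BY id",
        (pat, pat))]

def demo():
    conn = make_db()  # constructed sample traffic below
    store(conn, 1, HttpRequest("http://example.test/login", "user=bob&pw=secret"),
          HttpResponse(200, "<html>Welcome bob</html>"))
    store(conn, 2, HttpRequest("http://example.test/", ""),
          HttpResponse(200, "<html>front page</html>"))
    return search_pickled(conn, "pw="), search_plain(conn, "pw=")
```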

