Taras <ta...@securityaudit.ru> wrote:

> Automated plugins often make webapp pentesting easier ;) And of course it is
> not a full replacement for manual testing, imho.

Yes, and I'm glad we have the plugins. I wouldn't want to bruteforce directories
by hand, for example. There are many tasks that can be easily automated. I just
wanted to say that I mainly use the manual testing features w3af gives me and
run the automated plugins only to check that I didn't miss anything.

> > So I was looking at the URLs I had already gathered in the "Results" tab of
> > the GUI (with spiderMan) and noticed that the search function is actually
> > quite limited. I cannot search in request bodies (e.g. POST data) and I
> > cannot search in responses at all.
> > 
> > Having a look at the code saving the requests and responses and the
> > persist.py sources tells me why: because the request and response object are
> > stored as pickled blobs of data in the database. This is of course
> > unfortunate if you want to search in their data.
> 
> Yes, but we have special separate columns for search (id, url, code). By the
> way, at the moment I am rewriting the w3af DB interface for more complex data
> access. And soon these changes will be in svn.

I know about the id, url and code columns, but they only give you a limited way
of searching. So what are your current plans for the DB interface? Anything to
see in the SVN already?

> > - What would you say: would it be a good idea to code the possibility into
> > w3af to search in _all_ of the request and response data?
> 
> Hm, what about big data? It seems to be slower. What kind of data do you
> want to search in request/response? Examples?

I want to be able to search in the request and response bodies as well as all of
the headers. One example: I had a web app which always gave me a 200 OK
regardless of what I sent, but had an error message in the response body. I
would've liked to search for the error string in all response bodies, to see
what inputs triggered errors. Or maybe I have sent many requests with
different POST data and later I want to check on all requests where e.g. one
parameter I sent is always the same, like a username. I guess there are many more
examples of where this would be useful.

WebScarab for example gives you direct access to all request and response
objects. This means that you have to write snippets of Java code to access and
search them, but it gives you full access to all data stored in the objects.

> > - Is there already work done in this area?
> 
> At the moment I am rewriting the DB backend so I can easily make improvements.

Sounds good, tell me more :).

> > - Can you think of any pitfalls or suggestions you may have before I go and
> > code something up, if we agree that this would be nice to have? E.g.,
> > performance issues?
> > - How's the general development of the database persistence feature
> > coming along? The code tells me for example that I will be able to set the
> > database name, but the feature doesn't seem to be activated in the (gtk)UI.
> > Along the same lines, I see that there's already code to load a database on
> > startup, but that doesn't seem to be activated either.
> 
> Do you want to set the DB file path in the GUI?

I just saw that there's already code in gtkOutput.py which loads a saved db from
the kb, and I noticed that the name of the session is saved in targetSettings.py
but can't be set from the GUI, which I guess would be rather trivial to
implement. So I was wondering if this is work that is actively in progress or if
it's something to be done later.


Patrick


-- 
The Plague: You wanted to know who I am, Zero Cool? Well, let me explain 
            the New World Order. Governments and corporations need people
            like you and me. We are Samurai... the Keyboard Cowboys... and
            all those other people who have no idea what's going on are 
            the cattle... Moooo.
(Hackers)
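A sketch, added here as an example and not w3af's own persist.py code, of how the separate-columns idea Taras mentions could be extended to the request and response data Patrick wants to search: each part of the exchange gets its own TEXT column in SQLite instead of one pickled blob, and a substring search runs over an allowlisted set of those columns. The table name, column names and sample traffic are assumptions.

```python
import sqlite3

# Searchable columns; also the allowlist used when building the WHERE clause.
SEARCHABLE = ("request_headers", "request_body", "response_headers", "response_body")

SCHEMA = """CREATE TABLE IF NOT EXISTS http_log (
    id INTEGER PRIMARY KEY, url TEXT NOT NULL, code INTEGER NOT NULL,
    request_headers TEXT NOT NULL, request_body TEXT NOT NULL,
    response_headers TEXT NOT NULL, response_body TEXT NOT NULL)"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def store(conn, url, code, req_headers, req_body, resp_headers, resp_body):
    # Each part lands in its own TEXT column instead of one pickled blob.
    conn.execute(
        "INSERT INTO http_log (url, code, request_headers, request_body, "
        "response_headers, response_body) VALUES (?, ?, ?, ?, ?, ?)",
        (url, code, req_headers, req_body, resp_headers, resp_body))
    conn.commit()

def search(conn, needle, fields=SEARCHABLE):
    """Return (id, url, code) of rows whose selected fields contain `needle`.
    instr() rather than LIKE, so '%' and '_' in the needle stay literal; the
    needle is a bound parameter and column names come only from the allowlist."""
    cols = [c for c in fields if c in SEARCHABLE]
    if not cols:
        raise ValueError("no searchable field selected")
    where = " OR ".join(f"instr({c}, ?) > 0" for c in cols)
    sql = f"SELECT id, url, code FROM http_log WHERE {where} ORDER BY id"
    return conn.execute(sql, [needle] * len(cols)).fetchall()

def demo():
    """Constructed sample traffic: every response is 200 OK, errors only in the body."""
    conn = open_db()
    hdr = "Host: app.example\r\nContent-Type: application/x-www-form-urlencoded"
    ok = "HTTP/1.1 200 OK\r\nContent-Type: text/html"
    store(conn, "http://app.example/login", 200, hdr, "username=alice&password=x",
          ok, "<p>Error: invalid username or password</p>")
    store(conn, "http://app.example/login", 200, hdr, "username=alice&password=s3cret",
          ok, "<p>Welcome, alice</p>")
    store(conn, "http://app.example/search", 200, hdr, "q=100%",
          ok, "<p>Error: query failed</p>")
    errors = [r[0] for r in search(conn, "Error:", fields=("response_body",))]
    alice = [r[0] for r in search(conn, "username=alice", fields=("request_body",))]
    pct = [r[0] for r in search(conn, "100%", fields=("request_body",))]  # literal '%'
    return errors, alice, pct
```

Searching by status code alone would return all three rows here; only the body search separates the error responses from the successful login.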

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
