Andres Riancho wrote:
>>> - In a section of the code it reads: "See the preferences section for
>>> w3af options.", what are those options? How could I read them?
>> Currently, you can only set profile (it's full_audit by default) and
>> verboseness is automatically set if you set verbose globally in OpenVAS. I
>> hope to implement many more features/options...
>> If you think some feature should be immediately implemented, feel free to
>> suggest :)
> hmmm, if the script_timeout variable is set to something reasonable,
> then for now I do not have any other options.
There is a "thorough scan" option in OpenVAS which could run w3af in
full_audit mode without timeouts set, as I don't like timeouts in the sense
of time. Is there any "sane" default for a normal scan in terms of items
scanned or something like that which you would recommend? i.e. scanning
only 3 levels deep on web servers, scanning only the first 1000 URLs found
or something like that?
>>> - "script_require_ports("Services/www", 80);", actually, w3af can
>>> launch a scan on any port that has an HTTP daemon. I don't really know
>>> if this situation is covered by these other lines or not:
>> Services/www means: any web server found (regardless of http/https).
>> 80 means as fallback, if port 80 is open...
> Ok, nice.
> Nice, I'm starting to like openvas even more ;)
The nice thing is that the script will actually run on all www ports
itself without any additional logic (i.e. if web ports are found on ports
80, 443, 8080 and 8000, the script would run on all of them). That
reminded me to fix the bug in filename generation - Thanks! :-)
>>> I think that adding w3af to openvas is a good idea, it will give you
>>> guys some advantages over nessus, and on the other side, w3af will be
>>> more widespread. The only problem I see is that openvas users could be
>>> inclined to think that running w3af inside openvas is "100% accurate",
>>> which is not, because openvas will only be able to show some of w3af's
>>> settings, features, etc.
>> Anyway, people using automatic scanners should be aware that the scanner is
>> only there to help... We can put some kind of disclaimer if you think it will
>> help (in the description of the plugin and/or the report).
> Yes, I would appreciate that.
Done.
Kost
W3af-develop mailing list
https://lists.sourceforge.net/lists/listinfo/w3af-develop