I totally agree that would be a great addition. w3af is missing a way
to import a report of a previous test, to see what was discovered.
Having the ability to replay the exact same tests would really be a
killer feature.

On Tue, Nov 3, 2009 at 7:38 AM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Adam,
>
> On Mon, Nov 2, 2009 at 6:43 PM, Adam Baldwin
> <adam_bald...@ngenuity-is.com> wrote:
>> I'm using w3af in a very non-interactive way and I'm looking to re-test
>> for a particular finding without having to run the entire scan again
>> (think re-testing for remediation). I'm looking to see if there would be
>> interest in this type of feature and any input any of you may have.
>
> I think it is one of the must-have features that w3af is missing. The
> best way of implementing this would be:
>
> - The w3af core should save all HTTP requests, HTTP responses and
> findings in a sqlite3 database. This is already done for request and
> responses by the gtkOutput plugin, but it should be integrated into
> the core and findings should be added.
>
> - When saving the finding, the following information should be saved:
>    - Plugin that found it
>    - Finding object, the "vuln" or "info" object
>    - Related request/response
>
> - The core should support "loading" of this database
>
> - A "retest" method should be added to the core, which will take the
> information from the finding, and re-run the tests only with the
> specified plugin and to the specific URL.
>
> I don't think that this is a lot of work... the framework is flexible
> enough to allow all of this to be developed in one day of hard work.
>
> If you decide to go for it, here are some comments that might help you:
>
> - There is a "localCache.py" urllib2 handler, which saves every
> request and response to a file. I've been meaning to replace that with
> a sqlite3 database. Maybe this is the time.
>
> - "localCache.py" and "gtkOutput" both save the same information... I
> think that this is the time to remove gtkOutput, and replace sucky
> file handling in localCache with sqlite3.
>
> - You should show the users the findings, in a simple way like this:
>
>    [0] XSS in parameter a of script foo.php
>    [1] XSS in parameter b of script bar.php
>    [2] SQL injection in parameter spam of script eggs.py
>
> And then the users should perform something like:
>
>    "retest 1"
>
> Which internally will call w3afCore.retest( vuln_object_1,
> plugin_that_found_it, fuzzable_request)
>
> If you want to give it a try, please create a branch (you've got svn
> access, right?) and we'll try to help you out.
>
> Cheers,
>> -Adam
>>
>> ------------------------------------------------------------------------------
>> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
>> is the only developer event you need to attend this year. Jumpstart your
>> developing skills, take BlackBerry mobile applications to market and stay
>> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
>> http://p.sf.net/sfu/devconference
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>

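The findings store and single-finding retest that Andres sketches above (save the plugin, finding and related request/response in sqlite3, list findings as "[n] ...", and have "retest n" re-run only that plugin against only that request), as an added Python example that is not w3af's own code: `FindingStore`, `make_xss_plugin` and the (method, url, params) request shape are assumptions, and the XSS plugin is a constructed oracle standing in for a real check.

```python
import json
import sqlite3
from typing import Callable, Dict, List, Optional, Set, Tuple

# Request reduced to (method, url, params); a plugin returns a finding text or None.
FuzzableRequest = Tuple[str, str, Dict[str, str]]
Plugin = Callable[[FuzzableRequest], Optional[str]]

class FindingStore:
    """sqlite3 store of findings, each with the plugin that found it and the
    related request/response, so one finding can be re-tested in isolation."""
    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS findings (id INTEGER PRIMARY "
                        "KEY, plugin TEXT, description TEXT, request TEXT, response TEXT)")

    def save(self, plugin: str, description: str,
             request: FuzzableRequest, response: str) -> int:
        self.db.execute("INSERT INTO findings (plugin, description, request, "
                        "response) VALUES (?, ?, ?, ?)",
                        (plugin, description, json.dumps(request), response))
        self.db.commit()
        # Zero-based index, matching the "[0] ..." listing shown to the user.
        return self.db.execute("SELECT COUNT(*) FROM findings").fetchone()[0] - 1

    def listing(self) -> List[str]:
        rows = self.db.execute("SELECT description FROM findings ORDER BY id")
        return [f"[{i}] {desc}" for i, (desc,) in enumerate(rows)]

    def retest(self, index: int, plugins: Dict[str, Plugin]) -> bool:
        """Re-run only the finding's plugin against only its saved request."""
        row = self.db.execute("SELECT plugin, request FROM findings ORDER BY id "
                              "LIMIT 1 OFFSET ?", (index,)).fetchone()
        if row is None:
            raise IndexError(f"no finding with index {index}")
        plugin_name, request_json = row
        method, url, params = json.loads(request_json)
        # True means the issue still reproduces; False means it looks remediated.
        return plugins[plugin_name]((method, url, params)) is not None

def make_xss_plugin(unescaped: Set[str]) -> Plugin:
    """Constructed stand-in for an XSS plugin: `unescaped` names the parameters
    the (imaginary) target still reflects without encoding."""
    def plugin(request: FuzzableRequest) -> Optional[str]:
        _method, url, params = request
        for name in params:
            if name in unescaped:
                return f"XSS in parameter {name} of script {url}"
        return None
    return plugin
```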