Martin Holst Swende wrote:
> Perhaps some brainstorming on the list about what goals would be
> interesting could be in place? For example, for nmap, both the Zenmap
> gui and the Nmap Scripting Engine started as GSoC projects. Defining
> some feature that is somewhat separated is probably better than general
> tasks.
> 
> Some ideas:
> - Database persistence
> - Lucene indexing/text searching of data
> - Robust interface with Selenium/Xulrunner/foo so plugins can more
> easily integrate with and test html/js closer to the browser (what Taras
> already has begun - I don't know how generic or complete that is -
> haven't looked at it, only noted in the mailing that it reached a PoC)
> 
> /Martin
> 

My wishlist, most of which seem to depend on Martin's database 
persistence idea:

-Import and export of discovered URLs and parameters.  For now, reading 
burp logs and parsing out the URLs and parameters would cover my 
particular use case.  Defining a standard format for sharing that 
information would be a more ambitious goal.

-Ability to continue a stopped scan.  I work with some customers who use 
URLSCAN, and w3af sometimes incorrectly takes the failure codes it 
emits as evidence that the site is broken.  When it stops the scan, 
there is no apparent way to restart it, and many hours of scanning can 
be lost.  There should be a way to tell it to skip this dir or request 
and continue on the rest of the site.

-Login/logout detection, with the ability to redo the requests since the 
last known logged in point.  Without this, it's hard to trust w3af on a 
site with login.  Commercial tools do this, and it's a major advantage.
You need to train the scanner what a certain page looks like if you are 
logged in or logged out, then the scanner can be confident that it hasn't 
been logged out by accident or website policy.

-Multi-step process automation.  A common pain point for us is attacking 
multi-step processes.  Some of the commercial scanners let you train 
them on what a multi-step process looks like, and then automatically go 
through the whole process multiple times, fuzzing one record per run. 
Doing this by hand on 10-page loan applications sucks. ;-)

-Make it use less memory, be faster, and not crash.  I guess that's not 
really a specific work item, eh? ;-)


Steve
-- 
  | Steven Pinkham, Security Researcher    |
  | http://www.mavensecurity.com           |
  | GPG public key ID CD31CAFB             |

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
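
The login/logout detection item from the wishlist above, sketched as an added example (not part of the original message and not w3af code). `LoginStateDetector`, `ReplayTracker` and the sample pages are hypothetical names and constructed data: the detector is trained on labelled pages, and the tracker returns the requests sent since the last known logged-in point.

```python
import re

TOKEN = re.compile(r"[A-Za-z_][\w-]{2,}")

def tokens(body):
    return {t.lower() for t in TOKEN.findall(body)}

class LoginStateDetector:
    """Hypothetical helper: learns markers from labelled sample pages."""
    def __init__(self, in_samples, out_samples):
        in_sets = [tokens(b) for b in in_samples]
        out_sets = [tokens(b) for b in out_samples]
        # A marker appears in every sample of one state and in none of the other.
        self.in_markers = set.intersection(*in_sets) - set.union(*out_sets)
        self.out_markers = set.intersection(*out_sets) - set.union(*in_sets)

    def classify(self, body):
        seen = tokens(body)
        hits_in = len(seen & self.in_markers)
        hits_out = len(seen & self.out_markers)
        if hits_in == hits_out:
            return "unknown"  # e.g. an error page carrying neither marker set
        return "in" if hits_in > hits_out else "out"

class ReplayTracker:
    """Hypothetical helper: keeps requests sent since the last logged-in page."""
    def __init__(self, detector):
        self.detector = detector
        self.pending = []

    def record(self, request, body):
        """Return the requests to redo after logging back in, else []."""
        state = self.detector.classify(body)
        if state == "in":
            self.pending = []  # checkpoint: nothing before this needs redoing
            return []
        self.pending.append(request)
        if state != "out":
            return []
        redo, self.pending = self.pending, []
        return redo

# Constructed sample pages, not taken from any real site.
IN_SAMPLES = ['<a href="/logout">Sign out</a><h1>Dashboard</h1>',
              '<a href="/logout">Sign out</a><h1>Loans</h1>']
OUT_SAMPLES = ['<form action="/login"><input name="password"></form>',
               '<p>Session expired</p><form action="/login"><input name="password"></form>']
DETECTOR = LoginStateDetector(IN_SAMPLES, OUT_SAMPLES)
```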