I'll answer to this email thread in about 6 hours. I know it seems that I've been ignoring you guys, but I'll have the time later.
Thanks, On Fri, Mar 5, 2010 at 8:28 AM, Steve Pinkham <steve.pink...@gmail.com> wrote: > Martin Holst Swende wrote: >> Perhaps some brainstorming on the list about what goals would be >> interesting could be in place? For example, for nmap, both the Zenmap >> gui and the Nmap Scripting Engine started as GSoC projects. Defining >> some feature that is somewhat separated is probably better than general >> tasks. >> >> Some ideas : >> - Database persistence >> - Lucene indexing/text searching of data >> - Robust interface with Selenium/Xulrunner/foo so plugins can more >> easily integrate with and test html/js closer to the browser (what Taras >> already has begun - I don't know how generic or complete that is - >> haven't looked at it, only noted in the mailing that it reached a PoC) >> >> /Martin >> > > My wishlist, most of which seem to depend on Martin's database > persistence idea: > > -Import and export of discovered URLs and parameters. For now, reading > burp logs and parsing out the URLs and parameters would cover my > particular use case. Defining a standard format for sharing that > information would be a more ambitious goal. > > -Ability to continue a stopped scan. I work with some customers who use > s URLSCAN, and w3af sometimes incorrectly takes the failure codes it > emits as evidence that the site is broken. When it stops the scan, > there is no apparent way to restart it, and many hours of scanning can > be lost. There should be a way to tell it to skip this dir or request > and continue on the rest of the site. > > -Login/logout detection, with the ability to redo the requests since the > last known logged in point. Without this, it's hard to trust w3af on a > site with login. Commercial tools do this, and it's a major advantage. > You need to train the scanner what a certain page looks like if you are > logged or logged out, then the scanner can be confident that it hasn't > been logged out by accident or website policy. > > -Multi-step process automation. A common pain point for us is attacking > multi-step processes. Some of the commercial scanners let you train > them on what a multi-step process looks like, and then automatically go > through the whole process multiple times, fuzzing one record per run. > Doing this by hand on 10 page loan applications sucks. ;-) > > -Make it use less memory, be faster, and not crash. I guess that's not > really a specific work item, eh? ;-) > > > Steve > -- > | Steven Pinkham, Security Researcher | > | http://www.mavensecurity.com | > | GPG public key ID CD31CAFB | > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > W3af-develop mailing list > W3af-develop@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/w3af-develop > -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
