Taras,

    Please read inline. I was unable to answer because I was on
vacation, but today is my first day back at work, so... here it goes:

On Tue, Mar 22, 2011 at 10:18 PM, Taras <ox...@oxdef.info> wrote:
> Hi, all!
>
> In recent days I have been thinking about the usage of w3af at the enterprise level.

    Ok,

> What I need at the moment, and what I think can be a good base for
> the future:
>     1. web based UI to schedule scans and profile management with
>        multiuser support
>     2. support for custom URL formats of web applications (at least URL
>        rewrite)
>     3. more convenient login sequences feature
>     4. convenient way to test AJAX heavy usage applications (e.g.
>        GMail)

    Oh, this goes well beyond a web UI! I think that if we solve all
the points you mention in this email we could easily be competing with
any commercial solution out there :P

    I would tackle them one by one, as they touch completely different
sections of code and require different developer skills.

> My technical suggestions:
>     1. very simple web UI with LDAP support and notifications. We can
>        use Django for it

    Sounds easy, but it's not. We need to decide what the web UI will
have: will it compete with the GTK user interface in features (would
you have all the same tabs and information in both?), or would the web
UI be something VERY simplistic where you would only be able to launch
a scan and see the report?

>     2. we can implement support for URL patterns like
>        '/app/controller/action/%d' so w3af will understand which part
>        of the URL can be fuzzed and understand that such a URL in the
>        modern web world is not a file system path.

    Totally doable within our framework, we just need to decide that
this is important and implement it.

>     3. we can add login files (auth requests + a special URL/pattern
>        to check the session) and we can generate such sequences with
>        our MITM proxy tool. IMHO, it is the clearest task on my list.

    Not sure if I followed you here. What you want to do is to log all
login requests and the patterns that identify logged-in / logged-out
to a file using the MITM proxy, so that this information is used in
the web UI?

>     4. we can integrate proxy management into the web UI (the tester
>        uses this proxy to navigate through the app under test so w3af
>        will collect all requests for this app) and make a special
>        output plugin which will store all requests in a file. Then we
>        can use this file with the already existing importResults
>        plugin plus the auth sequence to test even such web
>        applications as GMail automatically.

    I like this idea, and I think it's kind of related to this
ticket [0]. What I would recommend doing is:

- Fix [0]
- Give the user a clear indication of where the sqlite DB with all the
requests and responses is stored (this includes scan information and
proxy data)
- Modify the importResults to support this DB format

[0] http://sourceforge.net/apps/trac/w3af/ticket/149255

> These are my common points to discuss :)

    I think all of these points are too many to discuss in the same
branch. All of them are interesting, but if we work on all at the same
time we won't accomplish anything. It sounds like the web UI is the
most important to you now. If so, let's go that way and start working
on what we want to do, how, etc.

> P.S. I have made a separate branch for experiments.
>
>
> On Tue, 2011-03-22 at 14:47 -0300, Andres Riancho wrote:
>> I think that before even starting a massive project like this one, we
>> should have a discussion in w3af-develop about technology, objectives,
>> etc. Would you mind starting the discussion?
>>
>> On Mon, Mar 21, 2011 at 1:45 PM,  <ox...@users.sourceforge.net> wrote:
>> > Revision: 4087
>> >          http://w3af.svn.sourceforge.net/w3af/?rev=4087&view=rev
>> > Author:   oxdef
>> > Date:     2011-03-21 16:45:13 +0000 (Mon, 21 Mar 2011)
>> >
>> > Log Message:
>> > -----------
>> > Lets think about web UI for w3af
>> >
>> > Added Paths:
>> > -----------
>> >    branches/webui/
>
>
> --
> Taras
> http://oxdef.info
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
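Taras's point 2 above asks the scanner to understand a URL template such as '/app/controller/action/%d', so that a path segment is treated as a fuzzable parameter rather than as a file on disk. The following is an added example, not w3af code and not part of the thread: a small matcher that compiles such patterns, tells which segment of a concrete URL is a parameter (and of which type), rejects URLs that do not fit the template, and rebuilds a URL with one segment replaced. The placeholders `%d` (digits only) and `%s` (any single segment) and the function names are my assumptions; the thread only shows `%d`.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed placeholder vocabulary: the token in the pattern and the regex a
# matching path segment must satisfy. '%d' comes from the thread; '%s' is an
# added generalisation for "any single segment".
PLACEHOLDERS = {
    "%d": r"\d+",
    "%s": r"[^/]+",
}


def _segments(path):
    """Split a URL path into its segments, ignoring leading/trailing slashes."""
    return [seg for seg in path.strip("/").split("/")]


def compile_pattern(pattern):
    """Turn '/app/controller/action/%d' into a compiled regex plus the list of
    (segment index, placeholder) pairs that mark fuzzable positions."""
    regex_parts = []
    params = []
    for idx, seg in enumerate(_segments(pattern)):
        if seg in PLACEHOLDERS:
            regex_parts.append("(%s)" % PLACEHOLDERS[seg])
            params.append((idx, seg))
        else:
            # Literal segments must match exactly (escape regex metacharacters).
            regex_parts.append(re.escape(seg))
    regex = re.compile("^/" + "/".join(regex_parts) + "/?$")
    return regex, params


def match_url(url, patterns):
    """Return a description of the first pattern the URL's path fits, or None.

    The result lists, for every placeholder in the pattern, the segment index,
    the placeholder type and the concrete value found in the URL. A URL whose
    segment does not satisfy the placeholder type (letters where '%d' expects
    digits) is not a match, so the scanner would not treat it as this route.
    """
    path = urlsplit(url).path
    for pattern in patterns:
        regex, params = compile_pattern(pattern)
        found = regex.match(path)
        if found is None:
            continue
        values = found.groups()
        return {
            "pattern": pattern,
            "params": [
                {"index": idx, "placeholder": tok, "value": val}
                for (idx, tok), val in zip(params, values)
            ],
        }
    return None


def substitute_segment(url, index, new_value):
    """Rebuild the URL with path segment `index` replaced by `new_value`.

    Query string and fragment are preserved untouched; a trailing slash on the
    original path is not (the path is normalised by _segments).
    """
    parts = urlsplit(url)
    segs = _segments(parts.path)
    if index < 0 or index >= len(segs):
        raise IndexError("segment index %d out of range for %r" % (index, parts.path))
    segs[index] = str(new_value)
    new_path = "/" + "/".join(segs)
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample routes and URLs, not taken from any real application.
    routes = ["/app/controller/action/%d", "/users/%s/posts/%d"]
    for sample in ("http://example.com/app/controller/action/123?x=1",
                   "http://example.com/app/controller/action/abc",
                   "http://example.com/users/taras/posts/42",
                   "http://example.com/static/logo.png"):
        print(sample, "->", match_url(sample, routes))
    print(substitute_segment("http://example.com/app/controller/action/123?x=1", 3, 124))
```

The distinction the matcher draws is the one the thread is after: '/app/controller/action/123' is recognised as the route '/app/controller/action/%d' with one numeric parameter at segment 3, while '/static/logo.png' matches nothing and can keep being treated as a plain path. A scanner that keeps this per-route view would also avoid enumerating every '/action/<n>' URL as a separate page.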

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
