Andres, please read inline.

On Wed, 2011-04-06 at 17:25 +0200, Andres Riancho wrote:
> Taras,
>
> Please read inline. I was unable to answer because I was on
> vacation, but today is my first day of work, so... here it goes:

O, vacation! Hope it was perfect ;)

> On Tue, Mar 22, 2011 at 10:18 PM, Taras <ox...@oxdef.info> wrote:
> > Hi, all!
> >
> > In recent days I have been thinking about the usage of w3af at the enterprise level.
>
> Ok,
>
> > What things do I need at the current moment that I think can be a
> > good base for the future:
> > 1. web based UI to schedule scans and profile management with
> > multiuser support
> > 2. support for custom URL formats of web applications (at least URL
> > rewrite)
> > 3. more convenient login sequences feature
> > 4. convenient way to test AJAX-heavy applications (e.g.
> > GMail) ...
> > My technical suggestions:
> > 1. very simple web UI with LDAP support and notifications. We can
> > use Django for it
>
> Sounds easy, but it's not. We need to decide what the web UI will
> have, if it will compete with the GTK user interface or not in
> features (would you have all the same tabs and information in both?)
> or would the webUI be something VERY simplistic where you would only
> be able to launch a scan and see the report?

IMHO, we don't need to duplicate the GTK UI in the web. As I think of it, the webUI:
- must be simple
- using the webUI a user can launch or schedule a scan with the needed profile and auth data, and download a report on finish
- multiuser support (LDAP and so on)
- maybe some simple statistics in the future
- plus it will be great to integrate into it the proxy which I mention below

In the past I made something similar to it. It was a frontend to the nessus scanner with these capabilities (scheduled scans, profiles, users, reports).

> > 2. we can implement support for URL patterns like
> > '/app/controller/action/%d' so w3af will understand which part
> > of the URL can be fuzzed and understand that such a URL in the modern web
> > world is not a file system path.
>
> Totally doable within our framework, we just need to decide that
> this is important and implement it.

At the current moment my experience is that without this feature we (and some commercial scanners) can't correctly scan a really big number of web applications, especially ones which are made on frameworks like Django.

> > 3. we can add login files (auth requests + special URL/pattern to
> > check session) and we can generate such sequences with our MITM
> > proxy tool. IMHO, it is the clearest task from my list.
>
> Not sure if I followed you here. What you want to do is to log all
> login requests and patterns to identify logged-in / logged-out to a
> file using the MITM proxy so that information is used in the web UI ?

Not only in the webUI =) I think about an auth manager as part of w3af. The typical scenario is:
1. the user wants to test a web application behind the auth level
2. he navigates to the login page through our proxy tool and logs in with his auth data (username and password) and the other steps which are needed to make a correct login action
3. in the proxy tool he selects the login requests and sends them to the w3af auth manager as a login sequence
4. in the auth manager he edits these requests if needed, adds a pattern for checking the logged-in state (e.g. presence of the username in responses) and saves all this as an auth sequence
5. then when he wants to scan this application he selects profile, target and auth sequence ...and starts the scan =)
6.

> > 4. we can integrate into the web UI proxy management (the tester uses this
> > proxy to navigate through the app under test so w3af will collect all
> > requests for this app) and make a special output plugin which will
> > store in a file all requests. Then we can use this file with the
> > already existing importResults plugin plus auth seq to test even
> > such web applications as GMail automatically.
>
> I like this idea, and I think it's kind of related with this
> ticket [0]. What I would recommend doing is:
>
> - Fix [0]
> - Give the user a clear indication of where the sqlite DB with all the
> request and responses is stored (this includes scan information and
> proxy data)
> - Modify the importResults to support this DB format
>
> [0] http://sourceforge.net/apps/trac/w3af/ticket/149255
>
> > These are my common points to discuss :)
>
> I think all of these points are too many to discuss in the same
> branch. All of them are interesting, but if we work on all at the same
> time we won't accomplish anything. It sounds like the web UI is the
> more important to you now. If so, let's go that way and start working
> on what we want to do, how, etc.

Yep, I agree about the branch. But about the webUI...hmm, I think that the auth manager and a convenient way to scan auth-protected web applications is a more important task than the webUI, because it will give us the possibility to test such web applications even without the webUI, and at the same time if we talk about enterprise then a webUI without such a feature will not be so useful.

> > P.S. I have made a separate branch for experiments.
> >
> >
> > On Tue, 2011-03-22 at 14:47 -0300, Andres Riancho wrote:
> >> I think that before even starting a massive project like this one, we
> >> should have a discussion in w3af-develop about technology, objectives,
> >> etc. Would you mind starting the discussion?
> >>
> >> On Mon, Mar 21, 2011 at 1:45 PM, <ox...@users.sourceforge.net> wrote:
> >> > Revision: 4087
> >> > http://w3af.svn.sourceforge.net/w3af/?rev=4087&view=rev
> >> > Author: oxdef
> >> > Date: 2011-03-21 16:45:13 +0000 (Mon, 21 Mar 2011)
> >> >
> >> > Log Message:
> >> > -----------
> >> > Lets think about web UI for w3af
> >> >
> >> > Added Paths:
> >> > -----------
> >> > branches/webui/
> >
> >
> > --
> > Taras
> > http://oxdef.info
> > ----
> > "Software is like sex: it's better when it's free." - Linus Torvalds
> >
> >
> >
>

--
Taras
http://oxdef.info
----
"Software is like sex: it's better when it's free." - Linus Torvalds

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
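The URL-pattern idea from point 2 above (patterns such as '/app/controller/action/%d' telling the scanner which path segments are parameters rather than file-system components), as an added illustration that is not w3af code and not part of the thread: the '%d' and '%s' placeholder syntax, the function names and the example URLs are assumptions made for this example.

```python
"""Match crawled URL paths against URL-rewrite patterns like
'/app/controller/action/%d' so a scanner can tell which path segments are
parameters (candidates for testing) and which are fixed route components."""
import re
from urllib.parse import urlsplit, urlunsplit

# Placeholder tokens and the regexes they expand to. '%d' comes from the
# thread; '%s' (any single non-empty segment) is an assumed extension.
PLACEHOLDERS = {"%d": r"\d+", "%s": r"[^/]+"}


def compile_pattern(pattern):
    """Turn '/app/controller/action/%d' into an anchored regex whose
    groups capture the variable segments, in order of appearance."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg in PLACEHOLDERS:
            parts.append("(" + PLACEHOLDERS[seg] + ")")
        else:
            parts.append(re.escape(seg))  # fixed route component
    return re.compile("^/" + "/".join(parts) + "/?$")


def match_url(url, patterns):
    """Return (pattern, [(segment_index, value), ...]) for the first
    pattern whose shape the URL path fits, or None when no pattern applies
    (the caller then falls back to treating the path as an ordinary path)."""
    path = urlsplit(url).path
    for pattern in patterns:
        m = compile_pattern(pattern).match(path)
        if not m:
            continue
        segments = pattern.strip("/").split("/")
        var_indexes = [i for i, s in enumerate(segments) if s in PLACEHOLDERS]
        return pattern, list(zip(var_indexes, m.groups()))
    return None


def with_segment(url, index, value):
    """Rebuild the URL with path segment `index` replaced by `value`,
    keeping scheme, host, query string and a trailing slash intact."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    segs[index] = value
    new_path = "/" + "/".join(segs)
    if parts.path.endswith("/") and len(parts.path) > 1:
        new_path += "/"
    return urlunsplit(parts._replace(path=new_path))
```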