Taras,

Sorry for the delayed answer, I usually answer easy emails in no time, but yours took some decision-making process. Read inline,

On Thu, Apr 7, 2011 at 6:30 PM, Taras <ox...@oxdef.info> wrote:
> Andres, please read inline.
>
> On Wed, 2011-04-06 at 17:25 +0200, Andres Riancho wrote:
>> Taras,
>>
>> Please read inline. I was unable to answer because I was on
>> vacations, but today is my first day of work, so... here it goes:
> O, vacations! Hope they were perfect ;)
>>
>> On Tue, Mar 22, 2011 at 10:18 PM, Taras <ox...@oxdef.info> wrote:
>> > Hi, all!
>> >
>> > Recent days I thought about usage of w3af in enterprise level.
>>
>> Ok,
>>
>> > What things do I need for the current moment and think that it can be
>> > good base for the future:
>> > 1. web based UI to schedule scans and profile management with
>> >    multiuser support
>> > 2. support for custom URL formats of web applications (at least URL
>> >    rewrite)
>> > 3. more convenient login sequences feature
>> > 4. convenient way to test AJAX heavy usage applications (e.g.
>> >    GMail)
> ...
>> > My technical suggestions:
>> > 1. very simple web UI with LDAP support and notifications. We can
>> >    use Django for it
>>
>> Sounds easy, but it's not. We need to decide what the web UI will
>> have, if it will compete with the GTK user interface or not in
>> features (would you have all the same tabs and information in both?)
>> or would the webUI be something VERY simplistic where you would only
>> be able to launch a scan and see the report?
>
> Imho, we don't need to duplicate a GTK in web. As I think webUI:
> - must be simple
> - using webUI user can launch or schedule a scan with needed profile,
>   auth data and download a report on finish
> - multiuser support (LDAP and so on)
> - may be some simple statistics in the future
> - plus it will be great to integrate into it proxy which I mentioned
>   below

Understood, makes sense NOT to duplicate the UI. Having a web UI with THOSE features makes sense.

> In the past I made something similar to it. It was a frontend to nessus
> scanner with these capabilities (schedules scans, profiles, users,
> reports).
>
>> > 2. we can implement support for URL patterns like
>> >    '/app/controller/action/%d' so w3af will understand which part
>> >    of URL can be fuzzed and understand that such URL in modern web
>> >    world is not file system path.
>>
>> Totally doable within our framework, we just need to decide that
>> this is important and implement it.
>
> For the current moment I have experience that without this feature we
> (and some commercial scanners) can't correctly scan a really big number
> of web applications especially which are made on frameworks like Django.
>
>> > 3. we can add login files (auth requests + special URL/pattern to
>> >    check session) and we can generate such sequences with our MITM
>> >    proxy tool. IMHO, it is most clear task from my list.
>>
>> Not sure if I followed you here. What you want to do is to log all
>> login requests and patterns to identify logged-in / logged-out to a
>> file using the MITM proxy so that information is used in the web UI?
> Not only in webUI =) I think about auth manager as part of w3af.
> Typical scenario is:
> 1. user wants to test web application behind the auth level
> 2. he navigates to login page through our proxy tool and makes login
>    with his auth data (username and password) and other steps which
>    are needed to make a correct login action
> 3. in proxy tool he selects login requests and sends them to w3af auth
>    manager as login sequence
> 4. in auth manager he edits these requests if it is needed, adds a
>    pattern for checking logged state (e.g. presence of username in
>    responses) and saves this all as auth sequence
> 5. then when he wants to scan this application he selects profile,
>    target and auth sequence ...and starts scan =)

My favorite in this matter is Acunetix, they have a very polished "auth manager" which is both usable and customizable. Please take a look at it (if possible) before starting our own :)

I think that instead of having the user configure his browser to go through a proxy, we should spawn a new window with a browser inside (that will be configured to browse through an internal proxy that users won't even know about) and give the user the option to move through the phases of login-sequence, links to avoid, logout sequence.

>> > 4. we can integrate into web UI proxy management (tester use this
>> >    proxy to navigate through testing app so w3af will collect all
>> >    requests for this app) and make special output plugin which will
>> >    store in file all requests. Then we can use this file with
>> >    already existing importResults plugin plus auth seq to test even
>> >    such web applications like GMail automatically.
>>
>> I like this idea, and I think it's kind of related with this
>> ticket [0]. What I would recommend doing is:
>>
>> - Fix [0]
>> - Give the user a clear indication of where the sqlite DB with all the
>>   request and responses is stored (this includes scan information and
>>   proxy data)
>> - Modify the importResults to support this DB format
>>
>> [0] http://sourceforge.net/apps/trac/w3af/ticket/149255
>>
>> > These are my common points to discuss :)
>>
>> I think all of these points are too many to discuss in the same
>> branch. All of them are interesting, but if we work on all at the same
>> time we won't accomplish anything. It sounds like the web UI is the
>> more important to you now. If so, let's go that way and start working
>> on what we want to do, how, etc.
> Yep, I agree about branch. But about webUI...hmm, I think that auth
> manager and convenient way to scan auth protected web applications is
> more important task than webUI because it will give us possibility to
> test such web applications even without webUI and in same time if we
> talk about enterprise then webUI without such feature will be not so
> useful.

If you instrument a browser (like discussed above), I would totally support your effort :)

Another, very simple to implement feature actually, is to have the user set the username and password to use in any HTTP form login. When w3af discovers a form login (we already do that), it simply POSTs the username and password to the form and continues to scan. What do you think about this option for "simple login sequence configuration" and the instrumented browser for the "advanced login sequence configuration"?

>> > P.S. I have made separate branch for experiments.
>> >
>> > On Tue, 2011-03-22 at 14:47 -0300, Andres Riancho wrote:
>> >> I think that before even starting a massive project like this one, we
>> >> should have a discussion in w3af-develop about technology, objectives,
>> >> etc. Would you mind starting the discussion?
>> >>
>> >> On Mon, Mar 21, 2011 at 1:45 PM, <ox...@users.sourceforge.net> wrote:
>> >> > Revision: 4087
>> >> >           http://w3af.svn.sourceforge.net/w3af/?rev=4087&view=rev
>> >> > Author:   oxdef
>> >> > Date:     2011-03-21 16:45:13 +0000 (Mon, 21 Mar 2011)
>> >> >
>> >> > Log Message:
>> >> > -----------
>> >> > Lets think about web UI for w3af
>> >> >
>> >> > Added Paths:
>> >> > -----------
>> >> >     branches/webui/
>> >
>> > --
>> > Taras
>> > http://oxdef.info
>> > ----
>> > "Software is like sex: it's better when it's free." - Linus Torvalds
>
> --
> Taras
> http://oxdef.info
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
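One way to implement the URL-pattern support from point 2 above (templates like '/app/controller/action/%d' that tell the scanner which path segments are parameters rather than file-system components). This is an added example, not code from the thread or from w3af; the template syntax, the `%s` placeholder and all function names are assumptions, and the sample paths are constructed.

```python
import re
from dataclasses import dataclass

# Placeholder types of the (assumed) template language. The thread only
# mentions %d; %s is added as the obvious generalisation for text segments.
PLACEHOLDERS = {"%d": r"(\d+)", "%s": r"([^/]+)"}


@dataclass
class FuzzPoint:
    position: int  # 0-based index of the path segment
    kind: str      # "%d" or "%s"
    value: str     # concrete value seen at that segment in the URL


def compile_pattern(template):
    """Turn '/app/controller/action/%d' into an anchored regex and the
    list of placeholder kinds in the order they occur."""
    parts, kinds = [], []
    for segment in template.strip("/").split("/"):
        if segment in PLACEHOLDERS:
            parts.append(PLACEHOLDERS[segment])
            kinds.append(segment)
        else:
            parts.append(re.escape(segment))  # static segment, never fuzzed
    return re.compile("^/" + "/".join(parts) + "/?$"), kinds


def match_url(path, templates):
    """Return the FuzzPoints of the first template that matches `path`,
    or None so the caller can fall back to plain file-system handling."""
    for template in templates:
        regex, kinds = compile_pattern(template)
        match = regex.match(path)
        if not match:
            continue
        segments = template.strip("/").split("/")
        positions = [i for i, s in enumerate(segments) if s in PLACEHOLDERS]
        return [FuzzPoint(pos, kind, val)
                for pos, kind, val in zip(positions, kinds, match.groups())]
    return None


def fuzz_variants(path, points, marker):
    """Rewrite `path` once per fuzz point, placing `marker` in that segment
    only; the controller/action segments are left untouched."""
    segments = path.strip("/").split("/")
    variants = []
    for point in points:
        mutated = list(segments)
        mutated[point.position] = marker
        variants.append("/" + "/".join(mutated))
    return variants
```

A path that matches no registered template returns None, which is where a scanner keeps its existing directory-style handling.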