Re: [W3af-develop] sslCertificate - beta version

Wed, 06 Jun 2012 07:14:29 -0700 

Taras,

    Just applied some changes to the plugin while reviewing it (see
SVN server) and also:

* v.setName('Invalid SSL connection') , should be an info()
* Not 100% about this one, but v.setName('Invalid SSL certificate')
also seems to be an info()
* Try to make the descriptions for the info/vuln objects more
"complete" such as:
    - desc = 'The target host "%s" has SSL version 2 enabled which is
known to be insecure.'

    Also, if possible please create a unittest that lives in
plugins/tests/audit/test_sslCertificate.py and runs against either
moth or some other target.

Regards,

On Wed, Jun 6, 2012 at 8:58 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> I just have committed beta version of sslCertificate [0]:
> * ca.pem moved to plugins/audit/sslCertificate/
> * added correct check for SSLv2
> * dump cert
>
> What we have in final...we've lost:
>
> * some useful information inside dump_x509 (digests, serial number, keys)
>
> What we have got:
>
> * minus one dependency (I remember about proxy.py)
> * subjectAltNames support for hostname check
> * full certificate validation with CA file - w3af now behaviors like web
> browser here (also removed our unnecessary code)
> * correct SSLv2 check
> * soon expire feature
>
> [0]
> http://w3af.svn.sourceforge.net/viewvc/w3af/branches/ssl/plugins/audit/sslCertificate.py?revision=5048&view=markup
>
> --
> Taras
> http://oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop

Reply via email to