Re: [W3af-develop] Test the develop branch before Monday's release
Andres,

not sure if it is a w3af installation bug, but after the first ./w3af_gui I have:

    $ cat /tmp/w3af_dependency_install.sh
    #!/bin/bash
    # Run without sudo to install inside venvpip install clamd==1.0.1 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.11 esmre==0.3.1 nltk==2.0.4 chardet==2.1.1 pdfminer==20110515 futures==2.1.5 pyOpenSSL==0.13.1 lxml==2.3.2 scapy-real==2.2.0-dev guess-language==0.2 cluster==1.1.1b3 msgpack-python==0.2.4 python-ntlm==1.0.1 halberd==0.2.4 xdot==0.6
    pip install --ignore-installed git+https://github.com/andresriancho/phply.git#egg=phply

Take into account that there is a command to install only phply (missing new line before pip?).

Ok, install them all. Try ./w3af_gui

Actual result:

    $ ./w3af_gui
    The GTK package requirements are not met, please make sure your system meets these requirements:
        - PyGTK >= 2.12
        - GTK >= 2.12

28.03.2014 01:18, Andres Riancho wrote:
> List,
>
> Every now and then I ask for a favor, and... well... now I'm asking for one! The next release will be on Monday, and I need you to test w3af to make sure it doesn't have any critical bugs before I merge develop into master.
>
> I've been working hard on fixing a ton of bugs, improving performance, continuous integration and many other things. All 1300+ unittests PASS in the continuous integration system, but there's nothing like real-user testing.
>
> If you have a couple of minutes to help, please follow these steps to install a virtualenv with w3af inside:
>
>     cd ~
>     apt-get install -y python-pip # This step might change in your OS
>     pip install virtualenv
>     mkdir w3af-release
>     cd w3af-release
>     virtualenv venv
>     . venv/bin/activate
>     git clone https://github.com/andresriancho/w3af.git
>     cd w3af
>     git checkout develop
>     ./w3af_gui
>     . /tmp/w3af_dependency_install.sh
>
> Please report any installation bugs here [0].
>
> Now the fun part :) Scan a site! In the same console (where virtualenv is enabled) run:
>
>     ./w3af_gui
>
> Configure w3af [1] and run a scan. Please report any tracebacks, false positives, false negatives, etc. here [0].
>
> All your bug reports will be much appreciated! Thanks!
>
> [0] https://github.com/andresriancho/w3af/issues/new
> [1] http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan
>
> Regards,

--
Taras
https://www.oxdef.info

--
___
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
Re: [W3af-develop] Test the develop branch before Monday's release
On Sun, Mar 30, 2014 at 6:56 AM, Taras ox...@oxdef.info wrote:
> Andres,
>
> not sure if it is a w3af installation bug, but after the first ./w3af_gui I have:
>
>     $ cat /tmp/w3af_dependency_install.sh
>     #!/bin/bash
>     # Run without sudo to install inside venvpip install clamd==1.0.1 PyGithub==1.21.0 GitPython==0.3.2.RC1 pybloomfiltermmap==0.3.11 esmre==0.3.1 nltk==2.0.4 chardet==2.1.1 pdfminer==20110515 futures==2.1.5 pyOpenSSL==0.13.1 lxml==2.3.2 scapy-real==2.2.0-dev guess-language==0.2 cluster==1.1.1b3 msgpack-python==0.2.4 python-ntlm==1.0.1 halberd==0.2.4 xdot==0.6
>     pip install --ignore-installed git+https://github.com/andresriancho/phply.git#egg=phply
>
> Take into account that there is a command to install only phply (missing new line before pip?).

Crap! That was an important new line! Commit push.

> Ok, install them all. Try ./w3af_gui
>
> Actual result:
>
>     $ ./w3af_gui
>     The GTK package requirements are not met, please make sure your system meets these requirements:
>         - PyGTK >= 2.12
>         - GTK >= 2.12

OS? What do you get when running:

    import pygtk
    pygtk.require('2.0')
    import gtk
    import gobject
    print gtk.gtk_version >= (2, 12)
    print gtk.pygtk_version >= (2, 12)

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
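Added example (not part of the thread and not w3af code): a small Python lint for the missing-newline bug reported above, showing which commands bash actually runs from the generated script and which pinned packages are silently skipped. The sample script is constructed from the one quoted in the thread with the package list shortened; the function names and the installer pattern are assumptions of this example.

```python
"""Lint a generated shell install script for commands swallowed by a comment."""
import re

# Constructed sample: the script quoted in the thread, package list shortened
# to three of its pins. Line 2 carries the bug: the newline between the
# comment and the first "pip install" is missing.
BUGGY_SCRIPT = (
    "#!/bin/bash\n"
    "# Run without sudo to install inside venv"
    "pip install clamd==1.0.1 lxml==2.3.2 xdot==0.6\n"
    "pip install --ignore-installed "
    "git+https://github.com/andresriancho/phply.git#egg=phply\n"
)

# Installer invocations to look for inside comments (assumed list, heuristic:
# a comment that merely mentions "pip install" in prose is flagged too).
INSTALLERS = re.compile(r"(?:pip install|apt-get install|easy_install)\b")
PIN = re.compile(r"^[A-Za-z0-9_.-]+==[A-Za-z0-9_.-]+$")


def is_comment(line):
    """True when bash ignores the whole line (first non-blank char is '#').

    A '#' in the middle of a word, as in '...phply.git#egg=phply', does not
    start a comment in bash, so only the start of the line is checked.
    """
    return line.lstrip().startswith("#")


def executed_commands(script):
    """Lines bash would actually run: non-blank and not whole-line comments."""
    return [line.strip() for line in script.splitlines()
            if line.strip() and not is_comment(line)]


def hidden_installer(number, line):
    """Regex match for an installer call inside a comment line, else None."""
    if not is_comment(line) or (number == 1 and line.startswith("#!")):
        return None
    return INSTALLERS.search(line)


def swallowed_commands(script):
    """(line number, command) for each installer call hidden in a comment."""
    found = []
    for number, line in enumerate(script.splitlines(), start=1):
        match = hidden_installer(number, line)
        if match:
            found.append((number, line[match.start():].strip()))
    return found


def skipped_pins(script):
    """Pinned requirements that are never installed because of the bug."""
    pins = []
    for _, command in swallowed_commands(script):
        pins.extend(tok for tok in command.split() if PIN.match(tok))
    return pins


def repair(script):
    """Move each swallowed installer call onto its own line."""
    out = []
    for number, line in enumerate(script.splitlines(), start=1):
        match = hidden_installer(number, line)
        if match:
            out.append(line[:match.start()].rstrip())
            out.append(line[match.start():].strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("bash runs only:")
    for command in executed_commands(BUGGY_SCRIPT):
        print("   ", command)
    for number, command in swallowed_commands(BUGGY_SCRIPT):
        print("line %d hides: %s" % (number, command))
    print("pins never installed:", ", ".join(skipped_pins(BUGGY_SCRIPT)))
    print("after repair, bash runs %d commands"
          % len(executed_commands(repair(BUGGY_SCRIPT))))
```

Running such a check on the generated file before sourcing it catches the case where the script exits cleanly yet the pinned dependency set was never installed.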
Re: [W3af-develop] Test the develop branch before Monday's release
>> Ok, install them all. Try ./w3af_gui
>>
>> Actual result:
>>
>>     $ ./w3af_gui
>>     The GTK package requirements are not met, please make sure your system meets these requirements:
>>         - PyGTK >= 2.12
>>         - GTK >= 2.12
>
> OS? What do you get when running:
>
>     import pygtk
>     pygtk.require('2.0')
>     import gtk
>     import gobject
>     print gtk.gtk_version >= (2, 12)
>     print gtk.pygtk_version >= (2, 12)

Oops, sorry, I forgot about this information.

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 13.10
    Release:        13.10
    Codename:       saucy

*Inside* virtualenv:

    $ python -c 'import gtk'
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
    ImportError: No module named gtk

Outside:

    $ python -c 'import gtk;print gtk.pygtk_version'
    (2, 24, 0)

pygtk is installed as system package

    $ dpkg -l | grep python-gtk
    ii python-gtk2 2.24.0-3ubuntu1

--
Taras
https://www.oxdef.info
Re: [W3af-develop] Test the develop branch before Monday's release
And if inside the virtualenv you run:

    pip freeze | grep gtk

You get something?

On Sun, Mar 30, 2014 at 10:26 AM, Taras ox...@oxdef.info wrote:
> Oops, sorry, I forgot about this information.
>
>     $ lsb_release -a
>     No LSB modules are available.
>     Distributor ID: Ubuntu
>     Description:    Ubuntu 13.10
>     Release:        13.10
>     Codename:       saucy
>
> *Inside* virtualenv:
>
>     $ python -c 'import gtk'
>     Traceback (most recent call last):
>       File "<string>", line 1, in <module>
>     ImportError: No module named gtk
>
> Outside:
>
>     $ python -c 'import gtk;print gtk.pygtk_version'
>     (2, 24, 0)
>
> pygtk is installed as system package
>
>     $ dpkg -l | grep python-gtk
>     ii python-gtk2 2.24.0-3ubuntu1

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-develop] Test the develop branch before Monday's release
This might help:

    cd ~
    apt-get install -y python-pip # This step might change in your OS
    pip install virtualenv
    mkdir w3af-release
    cd w3af-release
    virtualenv --system-site-packages venv
    . venv/bin/activate
    git clone https://github.com/andresriancho/w3af.git
    cd w3af
    git checkout develop
    ./w3af_gui
    . /tmp/w3af_dependency_install.sh

Note the added --system-site-packages

On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho andres.rian...@gmail.com wrote:
> You might be hitting something like this [0], where your virtualenv doesn't have access to the package installed using apt-get
>
> [0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0
>
> On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho andres.rian...@gmail.com wrote:
>> And if inside the virtualenv you run:
>>
>>     pip freeze | grep gtk
>>
>> You get something?

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-develop] Test the develop branch before Monday's release
Andres,

workaround with --system-site-packages has helped, thanks.

P.S. I also had to delete some installed system packages like pdfminer because of version conflicts.

30.03.2014 18:00, Andres Riancho wrote:
> This might help:
>
>     cd ~
>     apt-get install -y python-pip # This step might change in your OS
>     pip install virtualenv
>     mkdir w3af-release
>     cd w3af-release
>     virtualenv --system-site-packages venv
>     . venv/bin/activate
>     git clone https://github.com/andresriancho/w3af.git
>     cd w3af
>     git checkout develop
>     ./w3af_gui
>     . /tmp/w3af_dependency_install.sh
>
> Note the added --system-site-packages

--
Taras
https://www.oxdef.info
Re: [W3af-develop] Test the develop branch before Monday's release
I have found another issue. During the scan using w3af_gui I see some vulns in Log tab but Results - KB Browser is empty.

30.03.2014 19:02, Taras wrote:
> Andres,
>
> workaround with --system-site-packages has helped, thanks.
>
> P.S. I also had to delete some installed system packages like pdfminer because of version conflicts.

--
Taras
https://www.oxdef.info
Re: [W3af-develop] Test the develop branch before Monday's release
Any random vulns, or just of some specific type?

On Sun, Mar 30, 2014 at 12:24 PM, Taras ox...@oxdef.info wrote:
> I have found another issue. During the scan using w3af_gui I see some vulns in Log tab but Results - KB Browser is empty.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-develop] Test the develop branch before Monday's release
Andrés, Taras,

it would be nice to get a w3af which runs on plain old unpatched systems. I.e. not everyone has, or can, or would like to install a bunch of python gimmicks on her/his system to get one single tool running (potentially breaking others).

Is there any way that w3af contains anything it needs? I can live with something simple like

    curl ...some.website.../w3af.tgz|tar xf -
    ./w3af_gui

KISS - keep it simple secure

Achim

On 30.03.2014 17:02, Taras wrote:
> Andres,
>
> workaround with --system-site-packages has helped, thanks.
>
> P.S. I also had to delete some installed system packages like pdfminer because of version conflicts.
Re: [W3af-develop] Test the develop branch before Monday's release
That would be awesome. If you send me a pull request I'll happily merge it.

On 30/03/2014 12:44, Achim Hoffmann webse...@sic-sec.org wrote:
> Andrés, Taras,
>
> it would be nice to get a w3af which runs on plain old unpatched systems. I.e. not everyone has, or can, or would like to install a bunch of python gimmicks on her/his system to get one single tool running (potentially breaking others).
>
> Is there any way that w3af contains anything it needs? I can live with something simple like
>
>     curl ...some.website.../w3af.tgz|tar xf -
>     ./w3af_gui
>
> KISS - keep it simple secure
>
> Achim
Re: [W3af-develop] Test the develop branch before Monday's release
Achim,

That came out a little bit rude... let me rephrase that :)

I believe that it would be an awesome feature, but really hard to code, test and maintain. I'm personally not interested in it, so I won't do it myself, but if someone else wants to, I'm totally on board and will merge all the pull requests.

Let me explain why I believe it is difficult:

* Some python dependencies have C code. That would need to be compiled for different platforms (x86, 64, arm?)
* Some python dependencies are wrappers around C libraries: gtk for example. Those are difficult to bundle in an OS agnostic way, and will also suffer from the issues from the previous point
* It is not common, but in some cases (like with Mac and OSX [0]) there are different dependencies for specific systems

Not saying it is impossible... maybe things like Python wheel [1] are what you're looking for? Another, more radical option would be to release w3af also as a docker [2] image. I've experimented with that, but it seems a little bit too new for now, since most users don't have the latest kernel (which is a requirement for docker).

[0] https://github.com/andresriancho/w3af/issues/485
[1] http://pythonwheels.com/
[2] https://www.docker.io/

Regards,

On Sun, Mar 30, 2014 at 12:59 PM, Andres Riancho andres.rian...@gmail.com wrote:
> That would be awesome. If you send me a pull request I'll happily merge it.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-develop] Test the develop branch before Monday's release
Taras,

Can't repro (see screenshot). If you see the console where you're running w3af_gui, is there anything there that could be useful? Traceback? Error?

Regards,

On Sun, Mar 30, 2014 at 12:45 PM, Taras ox...@oxdef.info wrote:

Any. KB Browser is empty in all.

On 30.03.2014 19:35, Andres Riancho wrote:

Any random vulns, or just of some specific type?

On Sun, Mar 30, 2014 at 12:24 PM, Taras ox...@oxdef.info wrote:

I have found another issue. During the scan using w3af_gui I see some vulns in Log tab but Results - KB Browser is empty.

On 30.03.2014 19:02, Taras wrote:

Andres, workaround with --system-site-packages has helped, thanks.

P.S. I also had to delete some installed system packages like pdfminer because of version conflicts.

On 30.03.2014 18:00, Andres Riancho wrote:

This might help:

    cd ~
    apt-get install -y python-pip # This step might change in your OS
    pip install virtualenv
    mkdir w3af-release
    cd w3af-release
    virtualenv --system-site-packages venv
    . venv/bin/activate
    git clone https://github.com/andresriancho/w3af.git
    cd w3af
    git checkout develop
    ./w3af_gui
    . /tmp/w3af_dependency_install.sh

Note the added --system-site-packages

On Sun, Mar 30, 2014 at 10:57 AM, Andres Riancho andres.rian...@gmail.com wrote:

You might be hitting something like this [0], where your virtualenv doesn't have access to the package installed using apt-get

[0] http://stackoverflow.com/questions/3580520/python-virtualenv-gtk-2-0

On Sun, Mar 30, 2014 at 10:40 AM, Andres Riancho andres.rian...@gmail.com wrote:

And if inside the virtualenv you run:

    pip freeze | grep gtk

You get something?

On Sun, Mar 30, 2014 at 10:26 AM, Taras ox...@oxdef.info wrote:

Ok, install them all. Try ./w3af_gui

Actual result:

    $ ./w3af_gui
    The GTK package requirements are not met, please make sure your system meets these requirements:
    - PyGTK >= 2.12
    - GTK >= 2.12

OS?

What do you get when running:

    import pygtk
    pygtk.require('2.0')
    import gtk
    import gobject
    print gtk.gtk_version >= (2, 12)
    print gtk.pygtk_version >= (2, 12)

Oops, sorry, I forgot about this information.

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 13.10
    Release:        13.10
    Codename:       saucy

*Inside* virtualenv:

    $ python -c 'import gtk'
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
    ImportError: No module named gtk

Outside:

    $ python -c 'import gtk;print gtk.pygtk_version'
    (2, 24, 0)

pygtk is installed as system package

    $ dpkg -l | grep python-gtk
    ii python-gtk2 2.24.0-3ubuntu1

On 28.03.2014 01:18, Andres Riancho wrote:

List,

Every now and then I ask for a favor, and... well... now I'm asking for one! The next release will be on Monday, and I need you to test w3af to make sure it doesn't have any critical bugs before I merge develop into master.

I've been working hard on fixing a ton of bugs, improving performance, continuous integration and many other things. All 1300+ unittests PASS in the continuous integration system, but there's nothing like real-user testing.

If you have a couple of minutes to help, please follow these steps to install a virtualenv with w3af inside:

    cd ~
    apt-get install -y python-pip # This step might change in your OS
    pip install virtualenv
    mkdir w3af-release
    cd w3af-release
    virtualenv venv
    . venv/bin/activate
    git clone https://github.com/andresriancho/w3af.git
    cd w3af
    git checkout develop
    ./w3af_gui
    . /tmp/w3af_dependency_install.sh

Please report any installation bugs here [0].

Now the fun part :) Scan a site! In the same console (where virtualenv is enabled) run:

    ./w3af_gui

Configure w3af [1] and run a scan. Please report any tracebacks, false positives, false negatives, etc. here [0].

All your bug reports will be much appreciated! Thanks!

[0] https://github.com/andresriancho/w3af/issues/new
[1] http://docs.w3af.org/en/develop/gui/scanning.html#configuring-the-scan

Regards,

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Attachment: xss.png
Re: [W3af-develop] Test the develop branch before Monday's release
On 30.03.2014 18:23, Andres Riancho wrote:
> That came out a little bit rude... let me rephrase that

oops, sorry.
It just happened while I tried to run w3af on a second older (than 1 month;-) system and it failed totally.

My apologies
Achim
Re: [W3af-develop] Test the develop branch before Monday's release
No no, my first answer was the rude one!
Re: [W3af-develop] Test the develop branch before Monday's release
Andres, it is strange but now everything is fine... I see normal tree in KB Browser.

--
Taras
https://www.oxdef.info