Piotr, On Thu, Aug 6, 2015 at 5:38 AM, Piotr Lizończyk <piotr.lizonc...@gmail.com> wrote: > Hi w3af developers community, > I'm working on tool that discovers technologies used on websites. It's > called WAD (https://github.com/CERN-CERT/WAD), it is based on Wappalyzer > browser extension (https://github.com/AliasIO/Wappalyzer) and I would like > to create an "infrastructure" plugin for w3af, that would run it and provide > user with information, that we can scrape out of website's HTML content.
Sounds good! In the past I had the same idea and wrote it as this [0] issue. While reviewing the issue I found two "WAD" implementations: * https://github.com/SebastianLopienski/WAD * https://github.com/CERN-CERT/WAD What's the difference between these two? Are they related? [0] https://github.com/andresriancho/w3af/issues/1081 > The package was created at CERN and it is maintained actively for a couple > of years. While the process of contributing to w3af is clear, it is obvious > that I should ask you about adding this package as dependency, so my work on > the pull request is not a waste of time. Agreed! > I believe that this addition would be very valuable to w3af users, since it > can provide large amount of information about both backend and frontend > technologies used on website. Agreed on this one too. Before we can integrate anything into w3af there are some things to take into account: * WAD code license: GPL3. AFAIK there is no problem with w3af (GPL2) having a requirement (not bundled in the same repository) that's licensed as GPL3 * DB license: You're including the db inside your repository. Are the licenses compatible? Is this acceptable use of these files [2] ? * Most efficient way to integrate w3af with WAD: - Looks like WAD is a simple wrapper around the DB, the code is clean and tested. Entry point seems to be Detector.detect_multiple which performs an HTTP request and then analyzes the response. The only problem I see there is that in the w3af framework the user can setup many HTTP client options (proxy, timeout, etc.) which won't be respected if we just use wad's urlopen function. I guess that Detector.detect_multiple will have to be rewritten (maybe specify a urlopen as an optional parameter?) to use w3af's ExtendedUrllib - The information found by WAD must be stored in the knowledge base so other plugins can re-use this information - The information found by WAD must be stored in the knowledge base using an Info instance with the right name and description text so a regular user can understand what was found Also, I see that WAD is at pypi which makes it easier for us to use in w3af since we can add it to the requirements file [1]. Not a requirement/blocker but just curious, is WAD already bundled in Kali? To sum up, I believe everything looks good. If you send a clean PR which uses wad as an external dependency it will be accepted. [0] https://pypi.python.org/pypi/wad [1] https://github.com/andresriancho/w3af/blob/master/w3af/core/controllers/dependency_check/requirements.py [2] https://github.com/CERN-CERT/WAD/tree/master/wad/etc > I'm waiting to hear from you, with kind regards, > Piotr Lizończyk > > > ------------------------------------------------------------------------------ > > _______________________________________________ > W3af-develop mailing list > W3af-develop@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/w3af-develop > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 ------------------------------------------------------------------------------ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop