On Friday 26 March 2010 07:11:05 Vlatko Kosturjak wrote:
> Jan-Oliver Wagner wrote:
> > Hello,
> > 
> > On Monday, 22 March 2010, Christian Kuersteiner wrote:
> >>> Built w3af support, so will try this as well.
> >> 
> >> Drop me a line if you need an additional helping hand.
> > 
> > any progress with this?
> > w3af causes a lot of trouble, so I'd like to have an alternative...
> 
> Yes and No. Here are a few details about skipfish (if you have not tried
> to use it):
> - skipfish is very chatty (it outputs statistics every 20 requests)
> - skipfish generates a LOT of requests even with a minimal dictionary
> - skipfish generates an html report which needs a lot of parsing (with
> copies of everything downloaded)

We noticed two issues with it in our labs.  It needs to be throttled quite 
heavily otherwise it may well take down production servers.  Also, the output 
is Javascript IIRC so we'll need to be quite clever in how we parse the 
output.

> I have sent a patch to Michael (author of skipfish), but did not get any
> response afterwards. If Michael does not accept the patch, we can
> distribute OpenVAS with a patch, but it's always a clumsy solution. Even
> with that patch, I'm not sure if skipfish is the right software for this
> use. It's more for manual web vulnerability assessment.

What does the patch do?  I think skipfish will be useful myself but it's not 
perfect.

> That's why I have implemented wapiti (http://wapiti.sourceforge.net/)
> support in the meantime on SVN r7114. Take a look at:
> http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins
> /scripts/remote-web-wapiti.nasl?root=openvas&view=log
> 
> Unfortunately, I'm not aware of any better open source web vulnerability
> scanner. Would anyone like to enlighten us?

Nope, we generally use closed source tools + manual review.

Tim
-- 
Tim Brown
<mailto:[email protected]>
<http://www.openvas.org/>


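An added example, written for this thread and not taken from the OpenVAS or skipfish code, of the parsing problem Tim raises: getting findings out of a report that is shipped as JavaScript data rather than HTML. The `var issue_samples = [...]` layout and the field names (`severity`, `type`, `samples`, `url`, `extra`, `sid`, `dir`) are my assumption of what skipfish writes, the sample text is constructed, and the literal is decoded with `ast.literal_eval` rather than a JavaScript engine or `eval`, so a scanned site that manages to influence the report cannot get code run inside the plugin. It also shows the two details that break a naive `json.loads` after a quote swap: JavaScript keywords (`true`, `false`, `null`) and apostrophes inside quoted URLs.

```python
import ast
import re

# Constructed sample imitating a skipfish-style samples.js (assumed layout,
# not copied from skipfish). Note the escaped apostrophe inside a URL.
SAMPLE_JS = """\
var scan_date = 'Fri Mar 26 2010';
var issue_samples = [
  { 'severity': 3, 'type': 40402, 'samples': [
      { 'url': 'http://target.example/login?next=x', 'extra': 'response varies randomly', 'sid': '0', 'dir': '_i0/0' },
      { 'url': 'http://target.example/search?q=a\\'b', 'extra': '', 'sid': '1', 'dir': '_i0/1' } ] },
  { 'severity': 1, 'type': 20101, 'samples': [
      { 'url': 'http://target.example/robots.txt', 'extra': '', 'sid': '0', 'dir': '_i1/0', 'cached': true } ] }
];
"""

_ASSIGN_RE = re.compile(r"\bvar\s+(\w+)\s*=\s*")
# Either a complete quoted string (kept as-is) or a bare JS keyword.
_TOKEN_RE = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|\b(true|false|null)\b""")
_JS_WORDS = {"true": "True", "false": "False", "null": "None"}


def _find_literal_end(text, start):
    """Index of the ';' that terminates the literal starting at `start`.
    Tracks quoting and bracket depth so ';' inside strings is ignored."""
    depth = 0
    quote = None
    i = start
    while i < len(text):
        c = text[i]
        if quote:
            if c == "\\":          # skip escaped char inside a string
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "[{(":
            depth += 1
        elif c in "]})":
            depth -= 1
        elif c == ";" and depth == 0:
            return i
        i += 1
    raise ValueError("unterminated literal at offset %d" % start)


def _js_to_py(literal):
    """Rewrite JS keywords to Python names, leaving string contents untouched."""
    return _TOKEN_RE.sub(
        lambda m: m.group(1) if m.group(1) else _JS_WORDS[m.group(2)], literal)


def extract_js_literals(text):
    """Return {name: value} for every `var NAME = <literal>;` in the file.
    Only data literals are accepted; anything else makes literal_eval raise."""
    out = {}
    pos = 0
    while True:
        m = _ASSIGN_RE.search(text, pos)
        if not m:
            return out
        end = _find_literal_end(text, m.end())
        out[m.group(1)] = ast.literal_eval(_js_to_py(text[m.end():end].strip()))
        pos = end + 1


def findings(report):
    """Flatten the assumed issue_samples structure into (severity, type, url) rows."""
    rows = []
    for issue in report.get("issue_samples", []):
        for sample in issue["samples"]:
            rows.append((issue["severity"], issue["type"], sample["url"]))
    return rows


if __name__ == "__main__":
    report = extract_js_literals(SAMPLE_JS)
    for severity, issue_type, url in findings(report):
        print("sev=%d type=%d %s" % (severity, issue_type, url))
```

If the real file uses unquoted object keys, `ast.literal_eval` will reject it and the keyword rewrite would need a key-quoting pass as well; that failure is loud rather than silent, which is the behaviour you want from a parser fed by a scanner's output.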