Re: [W3af-users] w3af as a service
Thanks a lot Andres! Makes a lot of sense. Is there any DB you would recommend?

Regards.

Rafael

On Thu, 13 Jun 2019 at 18:20, Andres Riancho wrote:
> Rafael,
>
> Thanks for your interest in w3af and using it to build a SaaS.
> Answers and comments inline:
>
> On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva wrote:
> >
> > Hello everyone, how are you?
> >
> > I would like to build a service that runs w3af and persists results in a
> > database. The idea is to provide a web interface where we can run a scan and
> > also navigate through the results. Have any of you guys done something
> > related and would like to share? And even if you have not done so, would
> > you like to suggest a strategy? What about invoking a scan through the web
> > interface? Is there a way to run multiple instances of w3af scans?
>
> This is how I would do it, and the ways I have heard others have done it:
>
> * The web interface you show to your user needs to know almost
>   nothing about w3af
>
> * When the user clicks on "start scan" a new w3af scan script [0] is
>   created. Your SaaS will most likely have 3 or 4 different scan script
>   templates, for different use-cases your customers might have. The
>   template is filled with the target URL, credentials, etc. all provided
>   by the user, and then sent to a scan queue.
>
> * The scans just sit in the queue until one of the scan workers gets to
>   them
>
> * Scan workers are EC2 instances that read scan scripts from the
>   queue and execute them. If you want to get fancy, you can measure the
>   scan queue size and do +1 or -1 on the number of scan workers
>   depending on load
>
> * The scan script should be configured to use output.xml_file output.
>   This plugin writes data to disk every ~30 seconds or so.
>
> * The scan worker server will run w3af_console -s script AND another
>   process that monitors the XML file. This process will extract
>   vulnerabilities from the file and save them to a vulnerabilities
>   queue. The process that monitors the XML file should only report new
>   vulnerabilities, no duplicated vulns should be sent to the
>   vulnerabilities queue.
>
> * Another process will read vulnerabilities from the queue and store
>   them to the DB. The front-end web application reads vulnerabilities
>   from the DB. Stuff like marking them as a false positive is handled
>   in the DB, w3af knows nothing about that.
>
> * Just like there is a queue for vulnerabilities, you could add a
>   queue for scan progress. The XML file also contains that information.
>
> Makes sense?
>
> [0] https://github.com/andresriancho/w3af/tree/master/scripts
>
> > Sorry about too many questions
> >
> > Regards.
> >
> > Rafael
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
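The worker-side pieces of the design quoted above, as an added example that is not code from w3af or from anyone in this thread: filling a scan-script template with a user-supplied target, and polling the output.xml_file report so that only findings not already forwarded go to the vulnerabilities queue. The script syntax, the `<vulnerability>` attributes and the `<scan-status>` children are assumptions modelled on w3af's formats, and the two report snapshots are constructed; check the element names against a report produced by your own w3af version before relying on them.

```python
"""Added example (not w3af project code): scan-script rendering plus an
XML-report poller that emits only new findings.  Format details are assumed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed w3af_console script template; {target} and {report} are filled per scan.
SCAN_TEMPLATE = """plugins
output xml_file
output config xml_file
set output_file {report}
back
crawl web_spider
audit xss, sqli
back
target
set target {target}
back
start
exit
"""


def render_scan_script(target, report_path, template=SCAN_TEMPLATE):
    """Fill the template from user input.  The target is interpolated into a
    command script, so a newline in it would let the user append w3af commands
    of their own; accept only a plain absolute http(s) URL and a plain path."""
    if re.search(r"[\s\x00-\x1f\x7f]", target):
        raise ValueError("whitespace or control character in target")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("target must be an absolute http(s) URL")
    if not re.fullmatch(r"[A-Za-z0-9_./-]+", report_path):
        raise ValueError("unexpected character in report path")
    return template.format(target=target, report=report_path)


class VulnMonitor:
    """Remembers which findings were already forwarded.  The report only grows
    during a scan, so each poll re-parses the whole file and yields the delta."""

    def __init__(self):
        self.seen = set()

    @staticmethod
    def key(vuln):
        # The id attribute is a per-run counter, so key on what identifies the
        # finding instead; a re-run against the same target then deduplicates too.
        return (vuln.get("plugin"), vuln.get("name"), vuln.get("method"),
                vuln.get("url"), vuln.get("var"))

    def poll(self, xml_text):
        """Return findings not seen in earlier polls.  A snapshot read while the
        plugin is mid-write does not parse; treat that as 'nothing new yet'."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return []
        new = []
        for vuln in root.iter("vulnerability"):
            k = self.key(vuln)
            if k in self.seen:
                continue
            self.seen.add(k)
            new.append({
                "plugin": k[0], "name": k[1], "method": k[2], "url": k[3],
                "var": k[4], "severity": vuln.get("severity"),
                # The description quotes target responses: render it as
                # untrusted text in the front-end.
                "description": (vuln.findtext("description") or "").strip(),
            })
        return new


def scan_progress(xml_text):
    """Read the progress block the same file carries (assumed layout)."""
    try:
        status = ET.fromstring(xml_text).find("scan-status")
    except ET.ParseError:
        return None
    if status is None:
        return None
    return {"status": status.findtext("status"),
            "progress": status.findtext("progress")}


# Constructed sample snapshots of one report, as if taken ~30 s apart.
REPORT_T1 = """<w3af-run version="example">
  <scan-status><status>Running</status><progress>40</progress></scan-status>
  <vulnerability id="[1]" method="GET" name="Cross site scripting vulnerability"
      plugin="xss" severity="Medium" url="http://target.example/search" var="q">
    <description>XSS in parameter "q" of http://target.example/search</description>
  </vulnerability>
</w3af-run>"""

REPORT_T2 = REPORT_T1.replace("<progress>40</progress>", "<progress>100</progress>").replace(
    "</w3af-run>",
    """  <vulnerability id="[2]" method="POST" name="SQL injection"
      plugin="sqli" severity="High" url="http://target.example/login" var="user">
    <description>SQL injection in parameter "user"</description>
  </vulnerability>
</w3af-run>""")

if __name__ == "__main__":
    monitor = VulnMonitor()
    for snapshot in (REPORT_T1, REPORT_T2):
        for finding in monitor.poll(snapshot):
            print("new finding -> queue:", finding["severity"], finding["name"], finding["url"])
        print("progress:", scan_progress(snapshot))
```

In a real worker the poll loop would read the report path every few seconds and push each returned finding onto the queue; the `seen` set lives only as long as the scan, which is enough because the queue consumer, not w3af, owns cross-scan state such as false-positive flags.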
[W3af-users] w3af as a service
Hello everyone, how are you?

I would like to build a service that runs w3af and persists results in a database. The idea is to provide a web interface where we can run a scan and also navigate through the results. Have any of you guys done something related and would like to share? And even if you have not done so, would you like to suggest a strategy? What about invoking a scan through the web interface? Is there a way to run multiple instances of w3af scans?

Sorry about too many questions

Regards.

Rafael
[W3af-users] Install issues
Hi,

I'm trying to make w3af work on a VM on DigitalOcean, with Ubuntu 16.04. After following the steps in the docs, I'm facing this when executing ./w3af_console:

Traceback (most recent call last):
  File "./w3af_console", line 13, in
    dependency_check()
  File "/home/w3af/w3af/w3af/core/controllers/dependency_check/dependency_check.py", line 178, in dependency_check
    external_commands = get_missing_external_commands(platform)
  File "/home/w3af/w3af/w3af/core/controllers/dependency_check/dependency_check.py", line 99, in get_missing_external_commands
    return platform.get_missing_external_commands()
  File "/home/w3af/w3af/w3af/core/controllers/dependency_check/platforms/base_platform.py", line 54, in get_missing_external_commands
    instructions.extend(handler.__func__())
  File "/home/w3af/w3af/w3af/core/controllers/dependency_check/platforms/base_platform.py", line 60, in retirejs_handler
    if retirejs_is_installed():
  File "/home/w3af/w3af/w3af/core/controllers/dependency_check/external/retirejs.py", line 37, in retirejs_is_installed
    version = subprocess.check_output('%s --version' % path_to_retire, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '/usr/local/bin/retire --version' returned non-zero exit status 127

Can you give a hand? I already got it working from apt-get install w3af, but want to use the newest version, building from source.

Thanks.

Rafael
[W3af-users] w3af installation on Debian Etch
Hi,

I'm getting a problem with w3af on a Debian Etch install... When I try to execute w3af by calling ./w3af_console I get this answer:

debian01:/home/rafaelbs/w3af# ./w3af_console
You have to install pyOpenSSL library.
    - On Debian based distributions: apt-get install python-pyopenssl
    - On Mac: sudo port install py25-socket-ssl

And I already installed python-pyopenssl. Am I missing something?

Regards.

Rafael