Re: [W3af-users] Several w3af questions and issues

2015-10-12 Thread Andres Riancho 
Ziadmo1,

On Tue, Sep 29, 2015 at 12:35 PM, ziadmo1 .  wrote:
> Point 1)
> I will try to take a video later this week, but to reproduce the issue:
> a) Select the OWASP_TOP10 profile, right click, "Save configuration to a new
> profile"
> b) Save new profile as Custom / Custom
> c) Dis select the Infrastructure plugin, and right click on the Custom
> profile, then "Save configuration to profile"
> d) Select any other profile on the list
> e) Come back to the Custom profile, the plugin Infrastructure is still
> selected as if it was never unchecked.

I run a-d, but then I see the expected result: the infrastructure
plugin family is disabled. This is my w3af version information:

  Python version: 2.7.6 (default, Mar 22 2014, 22:59:56) [GCC 4.8.2]
  GTK version: 2.24.23
  PyGTK version: 2.24.0
  w3af version:
w3af - Web Application Attack and Audit Framework
Version: 1.7.6
Revision: d7cb405316 - 09 oct 2015 21:26
Branch: master
Local changes: No
Author: Andres Riancho and the w3af team.

What's yours?

> Point 3) I really wish I can contribute, but I am not a programmer :P If I
> can help with other things such as testing, I would be more than happy to do
> so.
>
> Point 4) Can I suggest to make saves every lets say 10 or 20 seconds? This
> will prevent losing results of a 1-4 hours scan.

Like I said in the previous email, this is already done in the latest w3af.

> Point 5) This is an issue as I scanned a site, w3af happily took all of the
> memory available, and if I provide it with more memory, it just keep taking
> it. At some point it used 8GB of memory and w3af crashed as there was no
> more memory to consume... Ideally, w3af should be given a specified amount
> of memory, or have some configuration options to restrict the amount of
> memory it can use.

I haven't seen any tools that work like that. The fix would be to
identify the memory leak and refactor the code so that it doesn't
consume all your memory.

> Thanks for all the efforts on this project, I find w3af a great tool for the
> Security community.
>
>
>
> On Mon, Sep 28, 2015 at 11:15 AM, Andres Riancho 
> wrote:
>>
>> Ziadmo,
>>
>> On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 .  wrote:
>> > Point 1)
>> > Not sure if its a bug or not.. When I create a custom profile (based on
>> > OWASP top 10 for example), the changes don't take effect on the newly
>> > saved
>> > custom profile. For example, if I disable "infrastructure", and I click
>> > "save configuration to profile", then I select any other profile, when I
>> > get
>> > back to the "custom" profile I just created, I still see
>> > "infrastructure" as
>> > part of that profile.
>>
>> Failed to reproduce this issue on my workstation. Using the same
>> version you're. Could you send us a detailed step by step or video to
>> better understand the problem?
>>
>>
>> > Point 2)
>> > Which plugin or option is this output generated from?
>> >
>> > Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
>> > form: (category, subcategory, postal_code, distance, validated,
>> > form_build_id, form_id, op)" (post data: 24, query string: 3)
>>
>> That's generated by audit plugins. They receive a fuzzable request
>> (similar to what a browser/regular user would send) and create mutants
>> (modified, ugly versions of the original request).
>>
>> >
>> > Point 3)
>> > When I Stop the scan through w3af_gui, in the console output the core is
>> > still running, and therefore I am forced to hit Ctrl-C.. At that point I
>> > lose all the output that I had generated so far (results, etc).
>>
>> Yep, known bug which sucks. You either wait for stop to work or
>> contribute to the project to fix the issue :)
>>
>> >
>> > Point 4)
>> > When the scan is running, I did not see the HTML output file generated
>> > under
>> > ~/ which where it usually saves it. Does it wait until the scan is
>> > completely done to save contents to it?
>>
>> Before you had to wait. In the last month I modified output plugins to
>> write stuff to disk every N seconds (not sure what N is).
>>
>> That change might be only in develop branch.
>>
>> > This is why when I do Ctrl-C on step
>> > 4 I lose all output, since there is nothing saved on the file. I would
>> > suggest creating the file as soon as the scan starts and fill it up as
>> > the
>> > scan goes so output is not lost if for whatever reason the scan takes
>> > too
>> > long or if w3af freezes for example.
>> >
>> >
>> > Point 5)
>> > Is there a way to specify how much system memory w3af_gui can use?
>>
>> No
>>
>> > Under
>> >
>> > http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>> >
>> > it mentions the cache size of "10", but what does 10 refers to in terms
>> > of
>> > memory?
>>
>> There is no way to know. This is the result of parsing an HTML page.
>> HTML pages can be huge in KB, but have only 2 links and 1 form, or be
>> really compact and with

Re: [W3af-users] Several w3af questions and issues

2015-09-29 Thread ziadmo1 . 
Point 1)
I will try to take a video later this week, but to reproduce the issue:
a) Select the OWASP_TOP10 profile, right click, "Save configuration to a
new profile"
b) Save new profile as Custom / Custom
c) Dis select the Infrastructure plugin, and right click on the Custom
profile, then "Save configuration to profile"
d) Select any other profile on the list
e) Come back to the Custom profile, the plugin Infrastructure is still
selected as if it was never unchecked.

Point 3) I really wish I can contribute, but I am not a programmer :P If I
can help with other things such as testing, I would be more than happy to
do so.

Point 4) Can I suggest to make saves every lets say 10 or 20 seconds? This
will prevent losing results of a 1-4 hours scan.

Point 5) This is an issue as I scanned a site, w3af happily took all of the
memory available, and if I provide it with more memory, it just keep taking
it. At some point it used 8GB of memory and w3af crashed as there was no
more memory to consume... Ideally, w3af should be given a specified amount
of memory, or have some configuration options to restrict the amount of
memory it can use.

Thanks for all the efforts on this project, I find w3af a great tool for
the Security community.



On Mon, Sep 28, 2015 at 11:15 AM, Andres Riancho 
wrote:

> Ziadmo,
>
> On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 .  wrote:
> > Point 1)
> > Not sure if its a bug or not.. When I create a custom profile (based on
> > OWASP top 10 for example), the changes don't take effect on the newly
> saved
> > custom profile. For example, if I disable "infrastructure", and I click
> > "save configuration to profile", then I select any other profile, when I
> get
> > back to the "custom" profile I just created, I still see
> "infrastructure" as
> > part of that profile.
>
> Failed to reproduce this issue on my workstation. Using the same
> version you're. Could you send us a detailed step by step or video to
> better understand the problem?
>
>
> > Point 2)
> > Which plugin or option is this output generated from?
> >
> > Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
> > form: (category, subcategory, postal_code, distance, validated,
> > form_build_id, form_id, op)" (post data: 24, query string: 3)
>
> That's generated by audit plugins. They receive a fuzzable request
> (similar to what a browser/regular user would send) and create mutants
> (modified, ugly versions of the original request).
>
> >
> > Point 3)
> > When I Stop the scan through w3af_gui, in the console output the core is
> > still running, and therefore I am forced to hit Ctrl-C.. At that point I
> > lose all the output that I had generated so far (results, etc).
>
> Yep, known bug which sucks. You either wait for stop to work or
> contribute to the project to fix the issue :)
>
> >
> > Point 4)
> > When the scan is running, I did not see the HTML output file generated
> under
> > ~/ which where it usually saves it. Does it wait until the scan is
> > completely done to save contents to it?
>
> Before you had to wait. In the last month I modified output plugins to
> write stuff to disk every N seconds (not sure what N is).
>
> That change might be only in develop branch.
>
> > This is why when I do Ctrl-C on step
> > 4 I lose all output, since there is nothing saved on the file. I would
> > suggest creating the file as soon as the scan starts and fill it up as
> the
> > scan goes so output is not lost if for whatever reason the scan takes too
> > long or if w3af freezes for example.
> >
> >
> > Point 5)
> > Is there a way to specify how much system memory w3af_gui can use?
>
> No
>
> > Under
> >
> http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
> >
> > it mentions the cache size of "10", but what does 10 refers to in terms
> of
> > memory?
>
> There is no way to know. This is the result of parsing an HTML page.
> HTML pages can be huge in KB, but have only 2 links and 1 form, or be
> really compact and with thousands of links
>
> >
> >
> > I am using Version 1.7.6 through Kali Linux 2.0.
> >
> >
> --
> >
> > ___
> > W3af-users mailing list
> > W3af-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-users
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
--
___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users

Re: [W3af-users] Several w3af questions and issues

2015-09-28 Thread Andres Riancho 
Ziadmo,

On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 .  wrote:
> Point 1)
> Not sure if its a bug or not.. When I create a custom profile (based on
> OWASP top 10 for example), the changes don't take effect on the newly saved
> custom profile. For example, if I disable "infrastructure", and I click
> "save configuration to profile", then I select any other profile, when I get
> back to the "custom" profile I just created, I still see "infrastructure" as
> part of that profile.

Failed to reproduce this issue on my workstation. Using the same
version you're. Could you send us a detailed step by step or video to
better understand the problem?


> Point 2)
> Which plugin or option is this output generated from?
>
> Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
> form: (category, subcategory, postal_code, distance, validated,
> form_build_id, form_id, op)" (post data: 24, query string: 3)

That's generated by audit plugins. They receive a fuzzable request
(similar to what a browser/regular user would send) and create mutants
(modified, ugly versions of the original request).

>
> Point 3)
> When I Stop the scan through w3af_gui, in the console output the core is
> still running, and therefore I am forced to hit Ctrl-C.. At that point I
> lose all the output that I had generated so far (results, etc).

Yep, known bug which sucks. You either wait for stop to work or
contribute to the project to fix the issue :)

>
> Point 4)
> When the scan is running, I did not see the HTML output file generated under
> ~/ which where it usually saves it. Does it wait until the scan is
> completely done to save contents to it?

Before you had to wait. In the last month I modified output plugins to
write stuff to disk every N seconds (not sure what N is).

That change might be only in develop branch.

> This is why when I do Ctrl-C on step
> 4 I lose all output, since there is nothing saved on the file. I would
> suggest creating the file as soon as the scan starts and fill it up as the
> scan goes so output is not lost if for whatever reason the scan takes too
> long or if w3af freezes for example.
>
>
> Point 5)
> Is there a way to specify how much system memory w3af_gui can use?

No

> Under
> http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>
> it mentions the cache size of "10", but what does 10 refers to in terms of
> memory?

There is no way to know. This is the result of parsing an HTML page.
HTML pages can be huge in KB, but have only 2 links and 1 form, or be
really compact and with thousands of links

>
>
> I am using Version 1.7.6 through Kali Linux 2.0.
>
> --
>
> ___
> W3af-users mailing list
> W3af-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

--
___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users