Re: [W3af-users] Several w3af questions and issues

Ziadmo1,

On Tue, Sep 29, 2015 at 12:35 PM, ziadmo1 wrote:
> Point 1)
> I will try to take a video later this week, but to reproduce the issue:
> a) Select the OWASP_TOP10 profile, right click, "Save configuration to a new
> profile"
> b) Save new profile as Custom / Custom
> c) Deselect the Infrastructure plugin, and right click on the Custom
> profile, then "Save configuration to profile"
> d) Select any other profile on the list
> e) Come back to the Custom profile, the plugin Infrastructure is still
> selected as if it was never unchecked.

I ran a-d, but then I see the expected result: the infrastructure plugin
family is disabled. This is my w3af version information:

Python version: 2.7.6 (default, Mar 22 2014, 22:59:56) [GCC 4.8.2]
GTK version: 2.24.23
PyGTK version: 2.24.0
w3af version:
    w3af - Web Application Attack and Audit Framework
    Version: 1.7.6
    Revision: d7cb405316 - 09 oct 2015 21:26
    Branch: master
    Local changes: No
    Author: Andres Riancho and the w3af team.

What's yours?

> Point 3) I really wish I could contribute, but I am not a programmer :P If I
> can help with other things such as testing, I would be more than happy to do
> so.
>
> Point 4) Can I suggest making saves every, let's say, 10 or 20 seconds? This
> will prevent losing results of a 1-4 hour scan.

Like I said in the previous email, this is already done in the latest w3af.

> Point 5) This is an issue as I scanned a site, w3af happily took all of the
> memory available, and if I provide it with more memory, it just keeps taking
> it. At some point it used 8GB of memory and w3af crashed as there was no
> more memory to consume... Ideally, w3af should be given a specified amount
> of memory, or have some configuration options to restrict the amount of
> memory it can use.

I haven't seen any tools that work like that. The fix would be to identify
the memory leak and refactor the code so that it doesn't consume all your
memory.

> Thanks for all the efforts on this project, I find w3af a great tool for the
> Security community.
>
> On Mon, Sep 28, 2015 at 11:15 AM, Andres Riancho wrote:
>> Ziadmo,
>>
>> On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 wrote:
>>> Point 1)
>>> Not sure if it's a bug or not. When I create a custom profile (based on
>>> OWASP top 10 for example), the changes don't take effect on the newly
>>> saved custom profile. For example, if I disable "infrastructure", and I
>>> click "save configuration to profile", then I select any other profile,
>>> when I get back to the "custom" profile I just created, I still see
>>> "infrastructure" as part of that profile.
>>
>> Failed to reproduce this issue on my workstation. Using the same
>> version you are. Could you send us a detailed step by step or video to
>> better understand the problem?
>>
>>> Point 2)
>>> Which plugin or option is this output generated from?
>>>
>>> Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
>>> form: (category, subcategory, postal_code, distance, validated,
>>> form_build_id, form_id, op)" (post data: 24, query string: 3)
>>
>> That's generated by audit plugins. They receive a fuzzable request
>> (similar to what a browser/regular user would send) and create mutants
>> (modified, ugly versions of the original request).
>>
>>> Point 3)
>>> When I stop the scan through w3af_gui, in the console output the core is
>>> still running, and therefore I am forced to hit Ctrl-C. At that point I
>>> lose all the output that I had generated so far (results, etc).
>>
>> Yep, known bug which sucks. You either wait for stop to work or
>> contribute to the project to fix the issue :)
>>
>>> Point 4)
>>> When the scan is running, I did not see the HTML output file generated
>>> under ~/ which is where it usually saves it. Does it wait until the scan
>>> is completely done to save contents to it?
>>
>> Before you had to wait. In the last month I modified output plugins to
>> write stuff to disk every N seconds (not sure what N is).
>>
>> That change might be only in develop branch.
>>
>>> This is why when I do Ctrl-C on step 4 I lose all output, since there is
>>> nothing saved on the file. I would suggest creating the file as soon as
>>> the scan starts and fill it up as the scan goes so output is not lost if
>>> for whatever reason the scan takes too long or if w3af freezes for
>>> example.
>>>
>>> Point 5)
>>> Is there a way to specify how much system memory w3af_gui can use?
>>
>> No
>>
>>> Under
>>> http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>>>
>>> it mentions the cache size of "10", but what does 10 refer to in terms
>>> of memory?
>>
>> There is no way to know. This is the result of parsing an HTML page.
>> HTML pages can be huge in KB, but have only 2 links and 1 form, or be
>> really compact and with thousands of links
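Andres says the newer output plugins "write stuff to disk every N seconds" and ziadmo asks for saves every 10 or 20 seconds so a Ctrl-C does not throw away hours of results. The sketch below is an added illustration of that idea, not w3af's output-plugin code. It assumes a JSON report (w3af's plugins produce HTML, text, etc.), a hypothetical `PeriodicReportWriter` class, and an interval chosen by the caller. The detail worth copying is that every flush writes a temp file and renames it over the report: a Ctrl-C or out-of-memory kill in the middle of a write then leaves the previous complete report in place rather than a truncated one.

```python
"""Periodic, crash-safe flushing of scan results (added example, not w3af code)."""
import json
import os
import tempfile
import threading
import time
from typing import Dict, List


class PeriodicReportWriter:
    """Collects findings in memory and rewrites the report file every `interval_seconds`."""

    def __init__(self, path: str, interval_seconds: float):
        self.path = path
        self.interval = interval_seconds
        self._findings: List[Dict] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self.flush_count = 0

    def start(self) -> None:
        self.flush()             # create the file as soon as the scan starts
        self._thread.start()

    def add_finding(self, finding: Dict) -> None:
        with self._lock:
            self._findings.append(finding)

    def flush(self) -> None:
        """Write a snapshot atomically: temp file + fsync + rename over the report."""
        with self._lock:
            snapshot = list(self._findings)
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".report-", suffix=".tmp")
        try:
            with os.fdopen(fd, "w") as fh:
                json.dump({"findings": snapshot}, fh)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp, self.path)   # atomic replace; readers never see a half-written file
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise
        self.flush_count += 1

    def _loop(self) -> None:
        # Event.wait returns False on timeout, True once stop() is called.
        while not self._stop.wait(self.interval):
            self.flush()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.flush()             # final flush so findings added after the last tick survive


def load_report(path: str) -> List[Dict]:
    with open(path) as fh:
        return json.load(fh)["findings"]


def run_example(interval_seconds: float = 0.05) -> Dict:
    """Simulate a short scan that emits five constructed findings while the writer runs."""
    path = os.path.join(tempfile.mkdtemp(), "report.json")
    writer = PeriodicReportWriter(path, interval_seconds)
    writer.start()
    try:
        for i in range(5):
            writer.add_finding({"id": i, "name": f"constructed finding {i}"})
            time.sleep(interval_seconds)
    finally:
        writer.stop()
    return {"findings": load_report(path), "flushes": writer.flush_count, "path": path}


if __name__ == "__main__":
    result = run_example()
    print(f"{len(result['findings'])} findings, {result['flushes']} flushes -> {result['path']}")
```

In a real scanner the interval is a trade-off between I/O cost and how much work you are willing to lose; a few seconds is plenty for a multi-hour scan, and the atomic rename costs nothing extra.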
Re: [W3af-users] Several w3af questions and issues

Point 1)
I will try to take a video later this week, but to reproduce the issue:
a) Select the OWASP_TOP10 profile, right click, "Save configuration to a new profile"
b) Save new profile as Custom / Custom
c) Deselect the Infrastructure plugin, and right click on the Custom profile, then "Save configuration to profile"
d) Select any other profile on the list
e) Come back to the Custom profile, the plugin Infrastructure is still selected as if it was never unchecked.

Point 3)
I really wish I could contribute, but I am not a programmer :P If I can help with other things such as testing, I would be more than happy to do so.

Point 4)
Can I suggest making saves every, let's say, 10 or 20 seconds? This will prevent losing results of a 1-4 hour scan.

Point 5)
This is an issue as I scanned a site, w3af happily took all of the memory available, and if I provide it with more memory, it just keeps taking it. At some point it used 8GB of memory and w3af crashed as there was no more memory to consume... Ideally, w3af should be given a specified amount of memory, or have some configuration options to restrict the amount of memory it can use.

Thanks for all the efforts on this project, I find w3af a great tool for the Security community.

On Mon, Sep 28, 2015 at 11:15 AM, Andres Riancho wrote:
> Ziadmo,
>
> On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 wrote:
>> Point 1)
>> Not sure if it's a bug or not. When I create a custom profile (based on
>> OWASP top 10 for example), the changes don't take effect on the newly
>> saved custom profile. For example, if I disable "infrastructure", and I
>> click "save configuration to profile", then I select any other profile,
>> when I get back to the "custom" profile I just created, I still see
>> "infrastructure" as part of that profile.
>
> Failed to reproduce this issue on my workstation. Using the same
> version you are. Could you send us a detailed step by step or video to
> better understand the problem?
>
>> Point 2)
>> Which plugin or option is this output generated from?
>>
>> Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
>> form: (category, subcategory, postal_code, distance, validated,
>> form_build_id, form_id, op)" (post data: 24, query string: 3)
>
> That's generated by audit plugins. They receive a fuzzable request
> (similar to what a browser/regular user would send) and create mutants
> (modified, ugly versions of the original request).
>
>> Point 3)
>> When I stop the scan through w3af_gui, in the console output the core is
>> still running, and therefore I am forced to hit Ctrl-C. At that point I
>> lose all the output that I had generated so far (results, etc).
>
> Yep, known bug which sucks. You either wait for stop to work or
> contribute to the project to fix the issue :)
>
>> Point 4)
>> When the scan is running, I did not see the HTML output file generated
>> under ~/ which is where it usually saves it. Does it wait until the scan
>> is completely done to save contents to it?
>
> Before you had to wait. In the last month I modified output plugins to
> write stuff to disk every N seconds (not sure what N is).
>
> That change might be only in develop branch.
>
>> This is why when I do Ctrl-C on step 4 I lose all output, since there is
>> nothing saved on the file. I would suggest creating the file as soon as
>> the scan starts and fill it up as the scan goes so output is not lost if
>> for whatever reason the scan takes too long or if w3af freezes for
>> example.
>>
>> Point 5)
>> Is there a way to specify how much system memory w3af_gui can use?
>
> No
>
>> Under
>> http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>>
>> it mentions the cache size of "10", but what does 10 refer to in terms
>> of memory?
>
> There is no way to know. This is the result of parsing an HTML page.
> HTML pages can be huge in KB, but have only 2 links and 1 form, or be
> really compact and with thousands of links
>
>> I am using Version 1.7.6 through Kali Linux 2.0.
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] Several w3af questions and issues

Ziadmo,

On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 wrote:
> Point 1)
> Not sure if it's a bug or not. When I create a custom profile (based on
> OWASP top 10 for example), the changes don't take effect on the newly saved
> custom profile. For example, if I disable "infrastructure", and I click
> "save configuration to profile", then I select any other profile, when I get
> back to the "custom" profile I just created, I still see "infrastructure" as
> part of that profile.

Failed to reproduce this issue on my workstation. Using the same version
you are. Could you send us a detailed step by step or video to better
understand the problem?

> Point 2)
> Which plugin or option is this output generated from?
>
> Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded
> form: (category, subcategory, postal_code, distance, validated,
> form_build_id, form_id, op)" (post data: 24, query string: 3)

That's generated by audit plugins. They receive a fuzzable request
(similar to what a browser/regular user would send) and create mutants
(modified, ugly versions of the original request).

> Point 3)
> When I stop the scan through w3af_gui, in the console output the core is
> still running, and therefore I am forced to hit Ctrl-C. At that point I
> lose all the output that I had generated so far (results, etc).

Yep, known bug which sucks. You either wait for stop to work or
contribute to the project to fix the issue :)

> Point 4)
> When the scan is running, I did not see the HTML output file generated under
> ~/ which is where it usually saves it. Does it wait until the scan is
> completely done to save contents to it?

Before you had to wait. In the last month I modified output plugins to
write stuff to disk every N seconds (not sure what N is).

That change might be only in develop branch.

> This is why when I do Ctrl-C on step 4 I lose all output, since there is
> nothing saved on the file. I would suggest creating the file as soon as the
> scan starts and fill it up as the scan goes so output is not lost if for
> whatever reason the scan takes too long or if w3af freezes for example.
>
> Point 5)
> Is there a way to specify how much system memory w3af_gui can use?

No

> Under
> http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>
> it mentions the cache size of "10", but what does 10 refer to in terms of
> memory?

There is no way to know. This is the result of parsing an HTML page.
HTML pages can be huge in KB, but have only 2 links and 1 form, or be
really compact and with thousands of links

> I am using Version 1.7.6 through Kali Linux 2.0.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
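The "Created 27 mutants" line that ziadmo asked about is the audit stage turning one fuzzable request into many: one copy of the request per (parameter, payload) pair, with exactly that parameter swapped for a probe string. The toy model below is an added illustration of that process and is not w3af's own code. The eight form field names and the host placeholder come from the log line in the thread; the single query-string parameter (`page`), the field values, the three payloads and the class names `FuzzableRequest` and `Mutant` are assumptions. With 8 POST fields, 1 query parameter and 3 payloads it produces 24 + 3 = 27 mutants, which matches the counts in the quoted line.

```python
"""Toy model of how an audit plugin expands a fuzzable request into mutants.

Added illustration for this thread; NOT w3af's implementation.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple
from urllib.parse import urlencode

Params = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class FuzzableRequest:
    """What a browser would send: method, URL, query-string and POST parameters."""
    method: str
    url: str
    query: Params = ()
    post_data: Params = ()

    def full_url(self) -> str:
        return f"{self.url}?{urlencode(self.query)}" if self.query else self.url

    def body(self) -> str:
        return urlencode(self.post_data)


@dataclass(frozen=True)
class Mutant:
    """A copy of the request with exactly one parameter replaced by a payload."""
    request: FuzzableRequest
    location: str        # "query string" or "post data"
    param: str
    payload: str


def _swap(params: Params, name: str, payload: str) -> Params:
    return tuple((k, payload if k == name else v) for k, v in params)


def create_mutants(freq: FuzzableRequest, payloads: List[str]) -> List[Mutant]:
    """One mutant per (parameter, payload); all other parameters keep their original value."""
    mutants: List[Mutant] = []
    for name, _ in freq.query:
        for p in payloads:
            mutants.append(Mutant(replace(freq, query=_swap(freq.query, name, p)),
                                  "query string", name, p))
    for name, _ in freq.post_data:
        for p in payloads:
            mutants.append(Mutant(replace(freq, post_data=_swap(freq.post_data, name, p)),
                                  "post data", name, p))
    return mutants


def summarize(freq: FuzzableRequest, mutants: List[Mutant]) -> str:
    """Render a one-line summary shaped like the log line quoted in the thread."""
    counts: Dict[str, int] = {}
    for m in mutants:
        counts[m.location] = counts.get(m.location, 0) + 1
    fields = ", ".join(k for k, _ in freq.post_data)
    return (f'Created {len(mutants)} mutants for "Method: {freq.method} | {freq.url} | '
            f'URL encoded form: ({fields})" '
            f'(post data: {counts.get("post data", 0)}, '
            f'query string: {counts.get("query string", 0)})')


def changed_params(original: FuzzableRequest, mutant: Mutant) -> List[str]:
    """Sanity check: names of parameters whose value differs from the original."""
    diff = []
    for attr in ("query", "post_data"):
        for (k, v), (_, v2) in zip(getattr(original, attr), getattr(mutant.request, attr)):
            if v != v2:
                diff.append(k)
    return diff


# Constructed sample request: field names from the thread, values and "page" assumed.
SAMPLE_REQUEST = FuzzableRequest(
    method="POST",
    url="https://XXX.XXX.XXX",
    query=(("page", "1"),),
    post_data=(("category", "1"), ("subcategory", "2"), ("postal_code", "10001"),
               ("distance", "5"), ("validated", "1"), ("form_build_id", "form-abc"),
               ("form_id", "search_form"), ("op", "Search")),
)

# Constructed probe payloads: one each for SQL, HTML/JS and path-traversal style checks.
SAMPLE_PAYLOADS = ["'", "<w3af>", "../../etc/passwd"]


def run_example() -> Tuple[List[Mutant], str]:
    mutants = create_mutants(SAMPLE_REQUEST, SAMPLE_PAYLOADS)
    return mutants, summarize(SAMPLE_REQUEST, mutants)


if __name__ == "__main__":
    mutants, line = run_example()
    print(line)
    for m in mutants[:4]:
        print(f"[{m.location}] {m.param}={m.payload!r} -> {m.request.full_url()} {m.request.body()}")
```

The count scales as (parameters × payloads), which is why a form with many fields and an audit profile with many plugins produces so many requests; each audit plugin brings its own payload list, so the real number per request is the sum over enabled plugins.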