Re: [W3af-users] run profile without target

2015-12-01 Thread Matt Tesauro
Vojtech,

I'd suggest you look at this project:
https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

In the "Off-line" tab, there's a list of apps and the technology used to
create them.

For instance, Bodgeit Store is a Java-based vulnerable app:
https://github.com/psiinon/bodgeit

Best of luck!

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Tue, Dec 1, 2015 at 7:42 AM, Vojtěch Polášek wrote:

> Hi,
> I would like to run W3AF against a commercial web application which uses
> similar technologies to WebGoat. Do you think that the applications which
> you mentioned will be able to provide some baseline for comparing
> results?
> I need to find out whether W3AF can correctly detect vulnerabilities in
> deliberately vulnerable applications before running it against the
> commercial application.
> The vulnerable application should be as close as possible to the commercial
> one in terms of the technologies used.
> Thank you,
> Vojtěch Polášek
>
>
> On 1.12.2015 at 14:19 Andres Riancho wrote:
> > WebGoat is not usually a good target for testing scanners. I would
> > recommend other applications such as:
> > * http://testphp.acunetix.com/
> > * https://github.com/andresriancho/django-moth
> >
> > On Mon, Nov 30, 2015 at 3:41 PM, Vojtěch Polášek wrote:
> >> Greetings,
> >> thanks for the reply, I will try it out.
> >> To be exact, I am running W3AF against OWASP WebGoat, which runs on Tomcat.
> >> Best regards,
> >> Vojta
> >>
> >> On 30.11.2015 at 18:54 Andres Riancho wrote:
> >>> Vojtěch,
> >>>
> >>> Questions are welcome :)
> >>>
> >>> I assume you wanted to say JavaScript instead of Java; if JS is
> >>> heavily used, then yes, the web_spider is "almost useless".
> >>>
> >>> Well, the scan of the target URL can't be prevented, but if you
> >>> set the URL to http://target.com/ and disable web_spider, then w3af
> >>> won't have any parameters to find vulnerabilities in and the target is
> >>> "ignored" (most likely, haven't tested it).
> >>>
> >>> Regards,
> >>>
> >>> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek wrote:
> >>>> Greetings,
> >>>> my name is Vojtěch Polášek and I am a blind IT student from the Czech
> >>>> Republic.
> >>>> As a part of my bachelor thesis, I am researching some tools for
> >>>> security analysis of web applications. One of those tools is W3AF, so
> >>>> expect some questions in the near future :-)
> >>>> I need to perform an analysis of a Java application, where web_spider is
> >>>> useless. Therefore I use the spider_man plugin. My question is: would it
> >>>> be possible to prevent the initial scan of the URL set as target?
> >>>> It does not make much sense, as all the needed input is facilitated
> >>>> through spider_man.
> >>>> Thank you for your response and best regards,
> >>>> Vojtěch Polášek
> >>>> W3af-users mailing list
> >>>> W3af-users@lists.sourceforge.net
> >>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
> >>>
> >>
> >>
> >
> >
>
>
>

Re: [W3af-users] run profile without target

2015-12-01 Thread Vojtěch Polášek
Hi,
I would like to run W3AF against a commercial web application which uses
similar technologies to WebGoat. Do you think that the applications which
you mentioned will be able to provide some baseline for comparing
results?
I need to find out whether W3AF can correctly detect vulnerabilities in
deliberately vulnerable applications before running it against the
commercial application.
The vulnerable application should be as close as possible to the commercial
one in terms of the technologies used.
Thank you,
Vojtěch Polášek


On 1.12.2015 at 14:19 Andres Riancho wrote:
> WebGoat is not usually a good target for testing scanners. I would
> recommend other applications such as:
> * http://testphp.acunetix.com/
> * https://github.com/andresriancho/django-moth
>
> On Mon, Nov 30, 2015 at 3:41 PM, Vojtěch Polášek wrote:
>> Greetings,
>> thanks for the reply, I will try it out.
>> To be exact, I am running W3AF against OWASP WebGoat, which runs on Tomcat.
>> Best regards,
>> Vojta
>>
>> On 30.11.2015 at 18:54 Andres Riancho wrote:
>>> Vojtěch,
>>>
>>> Questions are welcome :)
>>>
>>> I assume you wanted to say JavaScript instead of Java; if JS is
>>> heavily used, then yes, the web_spider is "almost useless".
>>>
>>> Well, the scan of the target URL can't be prevented, but if you
>>> set the URL to http://target.com/ and disable web_spider, then w3af
>>> won't have any parameters to find vulnerabilities in and the target is
>>> "ignored" (most likely, haven't tested it).
>>>
>>> Regards,
>>>
>>> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek wrote:
>>>> Greetings,
>>>> my name is Vojtěch Polášek and I am a blind IT student from the Czech Republic.
>>>> As a part of my bachelor thesis, I am researching some tools for
>>>> security analysis of web applications. One of those tools is W3AF, so
>>>> expect some questions in the near future :-)
>>>> I need to perform an analysis of a Java application, where web_spider is
>>>> useless. Therefore I use the spider_man plugin. My question is: would it be
>>>> possible to prevent the initial scan of the URL set as target?
>>>> It does not make much sense, as all the needed input is facilitated
>>>> through spider_man.
>>>> Thank you for your response and best regards,
>>>> Vojtěch Polášek

>>>
>>
>
>




Re: [W3af-users] run profile without target

2015-11-30 Thread Vojtěch Polášek
Greetings,
thanks for the reply, I will try it out.
To be exact, I am running W3AF against OWASP WebGoat, which runs on Tomcat.
Best regards,
Vojta

On 30.11.2015 at 18:54 Andres Riancho wrote:
> Vojtěch,
>
> Questions are welcome :)
>
> I assume you wanted to say JavaScript instead of Java; if JS is
> heavily used, then yes, the web_spider is "almost useless".
>
> Well, the scan of the target URL can't be prevented, but if you
> set the URL to http://target.com/ and disable web_spider, then w3af
> won't have any parameters to find vulnerabilities in and the target is
> "ignored" (most likely, haven't tested it).
>
> Regards,
>
> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek wrote:
>> Greetings,
>> my name is Vojtěch Polášek and I am a blind IT student from the Czech Republic.
>> As a part of my bachelor thesis, I am researching some tools for
>> security analysis of web applications. One of those tools is W3AF, so
>> expect some questions in the near future :-)
>> I need to perform an analysis of a Java application, where web_spider is
>> useless. Therefore I use the spider_man plugin. My question is: would it be
>> possible to prevent the initial scan of the URL set as target?
>> It does not make much sense, as all the needed input is facilitated
>> through spider_man.
>> Thank you for your response and best regards,
>> Vojtěch Polášek
>>
>
>




Re: [W3af-users] run profile without target

2015-11-30 Thread Andres Riancho
Vojtěch,

Questions are welcome :)

I assume you wanted to say JavaScript instead of Java; if JS is
heavily used, then yes, the web_spider is "almost useless".

Well, the scan of the target URL can't be prevented, but if you
set the URL to http://target.com/ and disable web_spider, then w3af
won't have any parameters to find vulnerabilities in and the target is
"ignored" (most likely, haven't tested it).

Regards,

On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek wrote:
> Greetings,
> my name is Vojtěch Polášek and I am a blind IT student from the Czech Republic.
> As a part of my bachelor thesis, I am researching some tools for
> security analysis of web applications. One of those tools is W3AF, so
> expect some questions in the near future :-)
> I need to perform an analysis of a Java application, where web_spider is
> useless. Therefore I use the spider_man plugin. My question is: would it be
> possible to prevent the initial scan of the URL set as target?
> It does not make much sense, as all the needed input is facilitated
> through spider_man.
> Thank you for your response and best regards,
> Vojtěch Polášek
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

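An added example, not from the thread or the w3af project, of a w3af profile that applies Andres's suggestion: spider_man is the only crawl plugin enabled, web_spider is simply not listed, and the mandatory target is the application root. The profile name, the audit plugins chosen, the proxy address/port and the file location are assumptions; check them against `crawl desc spider_man` in your w3af version.

```ini
; Added example (not from the thread): a w3af profile with spider_man only.
; Assumed location: ~/.w3af/profiles/spider_man_only.pw3af, loaded in the
; console with "profiles" -> "use spider_man_only".
[profile]
name = spider_man_only
description = Crawl only what is browsed through the spider_man proxy; web_spider stays disabled

; The only crawl plugin. Point the browser at listen_address:listen_port so
; that every request the tester makes is recorded and later audited.
; (Assumed option names/values; they match the plugin defaults as I recall them.)
[crawl.spider_man]
listen_address = 127.0.0.1
listen_port = 44444

; Audit plugins run over the requests captured by the proxy.
; No options listed here, so plugin defaults apply (assumption).
[audit.xss]
[audit.sqli]

; w3af still requires a target. With web_spider absent, the root URL is
; requested but yields no parameters, so nothing is injected there, which is
; the "ignored" behaviour described in the thread.
[target]
target = http://target.com/
```

spider_man prints its own stop instructions when the proxy starts; browse to the terminate URL it shows once the walkthrough of the application is complete, and the audit phase then runs only on the recorded requests.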