Re: [W3af-users] w3af as a service
Not really, any DB you know how to use and maintain will make it.

On Thu., 13 June 2019, 7:08 p.m., Rafael Barbosa da Silva <rafae...@gmail.com> wrote:

> Thanks a lot Andres!
>
> Makes a lot of sense.
>
> Is there any DB you would recommend?
>
> Regards.
> Rafael
>
> On Thu, 13 Jun 2019 at 18:20, Andres Riancho <andres.rian...@gmail.com> wrote:

___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] w3af as a service
Thanks a lot Andres!

Makes a lot of sense.

Is there any DB you would recommend?

Regards.
Rafael

On Thu, 13 Jun 2019 at 18:20, Andres Riancho wrote:
Re: [W3af-users] w3af as a service
Rafael,

Thanks for your interest in w3af and using it to build a SaaS.
Answers and comments inline:

On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva wrote:
>
> Hello everyone, how are you?
>
> I would like to build a service that runs w3af and persists results in a
> database. The idea is to provide a web interface where we can run a scan and
> also navigate through the results. Have any of you guys done something
> related and would like to share? And even if you have not done so, would you
> like to suggest a strategy? What about invoking a scan through the web
> interface? Is there a way to run multiple instances of w3af scans?

This is how I would do it, and the ways I have heard others have done it:

* The web interface you show to your user needs to know almost nothing
about w3af

* When the user clicks on "start scan" a new w3af scan script [0] is
created. Your SaaS will most likely have 3 or 4 different scan script
templates, for different use-cases your customers might have. The
template is filled with the target URL, credentials, etc. all provided
by the user, and then sent to a scan queue.

* The scans just sit in the queue until one of the scan workers gets to
them

* Scan workers are EC2 instances that read scan scripts from the
queue and execute them. If you want to get fancy, you can measure the
scan queue size and do +1 or -1 on the number of scan workers
depending on load

* The scan script should be configured to use output.xml_file output.
This plugin writes data to disk every ~30 seconds or so.

* The scan worker server will run w3af_console -s script AND another
process that monitors the XML file. This process will extract
vulnerabilities from the file and save them to a vulnerabilities
queue. The process that monitors the XML file should only report new
vulnerabilities, no duplicated vulns should be sent to the
vulnerabilities queue.

* Another process will read vulnerabilities from the queue and store
them to the DB. The front-end web application reads vulnerabilities
from the DB. Stuff like marking them as a false positive is handled
in the DB, w3af knows nothing about that.

* Just like there is a queue for vulnerabilities, you could add a
queue for scan progress. The XML file also contains that information.

Makes sense?

[0] https://github.com/andresriancho/w3af/tree/master/scripts

> Sorry about too many questions
> Regards.
> Rafael

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
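The "monitor the XML file and only report new vulnerabilities" step above, as an added example that is not code from the post or from the w3af project: a poller that fingerprints each finding, emits it once, and tolerates a snapshot read while output.xml_file is still writing it. The XML element and attribute names, and the two snapshots, are constructed assumptions modelled on w3af's report format, so they must be adjusted to the real schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed snapshots of the file output.xml_file rewrites every ~30 s; the
# second flush repeats the first finding and adds one. Element and attribute
# names are an assumption modelled on w3af's report, not taken from the post.
SNAPSHOT_1 = """<w3af-run start="1560456000" version="2.0">
  <vulnerability name="SQL injection" plugin="sqli" severity="High"
                 method="GET" url="http://target.example/item.php" var="id">
    <description>SQL injection was found in a GET parameter.</description>
  </vulnerability>
</w3af-run>"""
SNAPSHOT_2 = SNAPSHOT_1.replace("</w3af-run>", """\
  <vulnerability name="Cross site scripting" plugin="xss" severity="Medium"
                 method="POST" url="http://target.example/search.php" var="q">
    <description>A reflected XSS was found.</description>
  </vulnerability>
</w3af-run>""")

KEY_ATTRS = ("plugin", "name", "method", "url", "var")

def fingerprint(vuln):
    """Stable identity of a finding: the file is rewritten on every flush,
    so neither position nor a per-run id can be used for de-duplication."""
    key = "\x1f".join(vuln.get(a, "") for a in KEY_ATTRS)
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

class XmlWatcher:
    """Polls a w3af XML report and returns each vulnerability exactly once."""
    def __init__(self):
        self.seen = set()

    def poll(self, xml_text):
        """Return findings not reported on earlier polls. A snapshot read
        mid-write does not parse: report nothing, keep state, catch up next time."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return []
        new = []
        for vuln in root.iter("vulnerability"):
            fp = fingerprint(vuln)
            if fp in self.seen:
                continue
            self.seen.add(fp)
            record = {"id": fp, **{a: vuln.get(a) for a in KEY_ATTRS + ("severity",)}}
            # URL and description come from the target: store as data, never render raw.
            record["description"] = (vuln.findtext("description") or "").strip()
            new.append(record)
        return new
```

Each record returned by `poll` is what would be pushed to the vulnerabilities queue; the `seen` set lives in the watcher process for the lifetime of one scan, so a restarted watcher would need to reload it from the DB to stay duplicate-free.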