Muffys,

On Wed, Feb 11, 2009 at 10:09 AM, Muffys Wump <muff...@hotmail.com> wrote:
> Hi everyone,
>
> I'm not sure whether this has been mentioned before on the mailing list or
> not.
> I've come across wivet [0]. From the project description:

We talked about this one or two months ago, mainly in the users list.
You may want to search for that thread.

> "WIVET is a benchmarking project that aims to statistically analyze web link
> extractors. In general,
> web application vulnerability scanners fall into this category. These VAs,
> given a URL(s), try to extract
> as many input vectors as possibly they can to increase the coverage of the
> attack surface."
>
> The w3af webSpider scores a total of 46%. For example: links embedded in
> "p onmousedown window.location.href" won't be detected.
>
> I've attached the wivet output. I used the latest w3af svn version to get
> these results.
> I thought someone might find this interesting.

Yes, of course they are interesting!

I helped the wivet creator modify the tool, because at some point w3af
was discovering 100% of the links, but not because it was analyzing
javascript, it was because it was "cheating". The cheat was simple...
w3af includes the digitSum plugin that makes this work:

- Input:
    - index1.html

- Tests to perform:
    - index0.html
    - index2.html

And wivet had a lot of "consecutive" directories and filenames in the
past. That's why you now see that the filenames end with a random
token.

w3af is getting 46%, which is (as far as I know) 100% of the links
that can be discovered without having javascript support. w3af doesn't
have javascript support, so... we are ok =)

In the future, and if we decide to do so, we should add javascript
support (and possibly flash support also) in order to enhance our code
coverage in wivet and all other web applications. For the moment, just
use discovery.spiderMan to manually browse the whole site with your
browser, and you'll get 100% code coverage =)

Cheers,

> Cheers,
> Kevin
>
> [0] http://code.google.com/p/wivet/



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
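The digitSum behaviour Andres describes above, as an added example that is not w3af's own plugin code: for every run of digits in a URL path it generates the -1/+1 neighbours (index1.html -> index0.html, index2.html) and then walks a constructed stand-in for the old wivet with consecutive filenames versus the fixed one with random tokens. All URLs, the `example.test` host and the `crawl_by_digit_sum` simulation are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Every run of digits in the path, e.g. the "1" in "index1.html".
_DIGIT_RUN = re.compile(r"\d+")


def digit_sum_variants(url, delta=1):
    """Return the neighbouring URLs a digitSum-style plugin would try.

    Each digit run in the path yields one URL with the number decreased
    by ``delta`` and one with it increased, keeping zero-padding width.
    Negative numbers are skipped.
    """
    parts = urlsplit(url)
    path = parts.path
    variants = []
    for m in _DIGIT_RUN.finditer(path):
        digits = m.group(0)
        for candidate in (int(digits) - delta, int(digits) + delta):
            if candidate < 0:
                continue
            new_path = path[:m.start()] + str(candidate).zfill(len(digits)) + path[m.end():]
            variants.append(urlunsplit(parts._replace(path=new_path)))
    return variants


def crawl_by_digit_sum(seed, known_urls, max_rounds=10):
    """Simulate the "cheat": from ``seed``, repeatedly try digit neighbours
    and keep those present in ``known_urls`` (a constructed stand-in for
    pages that answer 200 OK). Returns the set of URLs discovered."""
    found = {seed}
    frontier = [seed]
    for _ in range(max_rounds):
        next_frontier = [v for url in frontier for v in digit_sum_variants(url)
                         if v in known_urls and v not in found]
        if not next_frontier:
            break
        found.update(next_frontier)
        frontier = next_frontier
    return found


# Constructed stand-in for the old wivet layout with consecutive filenames.
SEQUENTIAL_SITE = {"http://example.test/pages/index%d.html" % i for i in range(6)}
# Constructed stand-in for the fixed layout, where filenames end in a random token.
RANDOM_SITE = {"http://example.test/pages/index-8f3a1c.html",
               "http://example.test/pages/index-b72e9d.html"}
```

Against `SEQUENTIAL_SITE` the walk from index1.html reaches all six pages without parsing a single link; against `RANDOM_SITE` the neighbours of the token digits never exist, so only the seed survives, which is exactly why the random suffix removed the inflated score.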
