Taras,

On Mon, Apr 27, 2009 at 6:34 PM, Taras P. Ivashchenko <naplan...@gmail.com> wrote:
> Hello, list!
>
> I had tried WebScarab [0] and Burp Proxy [1]
>
> Here is plan:
> * More convenient GUI (multiple requests and history navigation, table
> presentation of request/response data and so on)

I think that the Burp proxy GUI is really good, and most web app sec experts are used to it. For starters, I would change the GUI of our MITM proxy [a] to look just like Burp proxy: the three tabs ("intercept", "options", "history"), the positions of the buttons, and so on. I would change our interface to look just like the one in Burp.

> * Transcoder (string to MD5/SHA1, URL encode/decode and so on)

We already have that tool! Please see "Encode/Decode" in the tools section of the GUI.

> * Easy editing of request parameters (like in Burp)

OK.

> * Audit plugins integration for manual checks

You mean that if I'm analyzing a request, I should be able to click on a button that says "Find SQL injections", and that would send the request to the audit.sqli plugin and find SQL injections on those parameters? If that's the idea..., it would be awesome!!!!!

> * Save/restore sessions?

Kind of complex, but it could be done.

> Does anybody have any more ideas?

I've found that when I'm analyzing a website, I end up using only two tools: w3af and Burp. And I mostly use Burp to perform the manual part of the assessment because... let's face it... the MITM proxy in w3af isn't good enough. I think that having a Burp proxy clone in w3af, to replace the current MITM proxy, would be an excellent idea. I see that Taras is thinking like me; what do the other developers think?!

[a] core/ui/gtkUi/proxywin.py

> [0] http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
> [1] http://portswigger.net/proxy/
> --
> Taras P. Ivashchenko <naplan...@gmail.com>
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
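The thread above sketches what a Burp-style proxy inside w3af would need: an "intercept" hook that lets the tester edit a request (including its parameters) before it is forwarded, a "history" of request/response pairs, and an Encode/Decode transcoder (MD5, SHA1, URL encoding). The block below is an added example written for this page, not code from w3af or from Burp; the class and function names (`InterceptingProxy`, `Request.set_param`, `transcode`, `fake_upstream`) are illustrative assumptions, and the upstream server in the demo is a constructed stand-in so the example runs offline. The real `http_forward` path uses only the standard library's `http.client`.

```python
"""Minimal intercept/history proxy core and transcoder, in the style of Burp Proxy.

Added example for illustration; not w3af's proxywin.py and not Burp's code.
All names below are assumptions made for this example.
"""
import hashlib
import http.client
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def set_param(self, name: str, value: str) -> None:
        """Edit one query-string parameter in place ("easy editing of request parameters")."""
        parts = urlsplit(self.url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        params[name] = value
        self.url = parts._replace(query=urlencode(params)).geturl()


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


@dataclass
class HistoryEntry:
    """One row of the "history" tab: the request as forwarded and its response."""
    request: Request
    response: Response


def http_forward(req: Request) -> Response:
    """Default upstream: send the (possibly edited) request with the stdlib http.client."""
    parts = urlsplit(req.url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request(req.method, path, body=req.body or None, headers=req.headers)
    raw = conn.getresponse()
    return Response(raw.status, dict(raw.getheaders()), raw.read())


class InterceptingProxy:
    """The "intercept" hook plus the data behind the "history" tab."""

    def __init__(self,
                 intercept: Optional[Callable[[Request], Optional[Request]]] = None,
                 forward: Callable[[Request], Response] = http_forward) -> None:
        self.intercept = intercept      # None means intercept is off: pass requests through
        self.forward = forward          # injectable so the core can be tested without a network
        self.history: List[HistoryEntry] = []

    def handle(self, req: Request) -> Optional[Response]:
        """Run the intercept hook, forward the request, and record the pair in history.

        A hook that returns None drops the request (Burp's "drop" button).
        """
        if self.intercept is not None:
            edited = self.intercept(req)
            if edited is None:
                return None
            req = edited
        resp = self.forward(req)
        self.history.append(HistoryEntry(req, resp))
        return resp


def transcode(op: str, data: str) -> str:
    """The Encode/Decode tool: string -> MD5/SHA1 hex digest, URL encode/decode."""
    ops = {
        "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
        "sha1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
        "urlencode": lambda s: quote(s, safe=""),
        "urldecode": unquote,
    }
    return ops[op](data)


def fake_upstream(req: Request) -> Response:
    """Constructed offline stand-in for the target server: echoes the URL it received."""
    return Response(200, {"Content-Type": "text/plain"}, req.url.encode())


def demo() -> InterceptingProxy:
    """Intercept one request, edit its 'id' parameter, and let history record the result."""
    def hook(req: Request) -> Request:
        req.set_param("id", "1337")   # the tester's manual edit in the intercept tab
        return req

    proxy = InterceptingProxy(intercept=hook, forward=fake_upstream)
    proxy.handle(Request("GET", "http://target.example/item?id=42&lang=en"))
    return proxy
```

Keeping the forwarding function injectable is what makes the "send this request to audit.sqli" idea from the thread cheap to wire up later: an audit hand-off is just another consumer of a `HistoryEntry`, and the core can be exercised against `fake_upstream` without touching a live target.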