All,
-----Original Message-----
From: Andres Riancho <andres.rian...@gmail.com>
To: Taras P. Ivashchenko <naplan...@gmail.com>
Cc: w3af-develop@lists.sourceforge.net
Subject: Re: [W3af-develop] W3AF Proxy v2 plans - "BurpProxy killer"
Date: Tue, 28 Apr 2009 09:18:04 -0300


Taras,

On Mon, Apr 27, 2009 at 6:34 PM, Taras P. Ivashchenko
<naplan...@gmail.com> wrote:
> Hello, list!
>
> I have tried WebScarab [0] and Burp Proxy [1]
>
> Here is the plan:
>  * More convenient GUI (multiple requests and history navigation, table 
> presentation of request/response data and so on)

I think that the burp proxy GUI is really good, and most web app sec
experts are used to it. For starters, I would change the GUI of our
MITM proxy [a] to look just like burp proxy: the three tabs
("intercept", "options", "history"), the positions of the buttons... I
would change our interface to look just like the one in burp.

>  * Transcoder (string to MD5/SHA1, URL encode/decode and so on)

We already have that tool! Please see "Encode/Decode" in the tools
section of the GUI.

>  * Easy editing of request parameters (like in Burp)

Ok,

>  * Audit plugins integration for manual checks

You mean that if I'm analyzing a request, I should be able to click on
a button that says: "Find SQL injections", and that would send the
request to the audit.sqli plugin, and find SQL injections on those
parameters? If that's the idea... it would be awesome!!!!!

>  * Save/restore sessions?

Kind of complex, but it could be done.

This is an area I think is very important for w3af. Here are the scenarios, as a
w3af user, that I really think make the case (in my mind):

1. Iterative scans of a website. Basically I like to get a saved discovery, then
run different scan types against the site (using tools that allow it), especially
with those touchy clients who have crappy sites.

2. The web server or, heaven forbid, w3af fails during a scan. Being able to save the
discovery before scanning would be awesome.

The above are killers on websites with javascript menus (meaning it's a pain in
the ass to go through spiderMan or the equivalent multiple times).

3. Reporting. Since Burp is on the table, having the ability to re-open a saved
state and actually review the requests/responses is great.
This can already be done with w3af with the text output, but it is convenient
to have everything (application settings, data) in one state file.

4. Pausing a scan. I hate doing this, but sometimes you have to, especially
when you have very restrictive scan windows. With Burp, when you are finished
you can pick up where you left off, and you have only one state file, not one
half-finished and another full, etc.

Thoughts?

-R

> Does anybody have any more ideas?

I've found that when I'm analyzing a website, I end up using only two
tools: w3af and burp. And I mostly use burp to perform the manual part
of the assessment because... let's face it... the MITM proxy in w3af
isn't good enough. I think that having a burp proxy clone in w3af, to
replace the current MITM proxy, would be an excellent idea.

I see that Taras is thinking like me; what do the other developers think?!

[a] core/ui/gtkUi/proxywin.py

>
> [0] http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
> [1] http://portswigger.net/proxy/
> --
> Taras P. Ivashchenko <naplan...@gmail.com>
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
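The save/restore scenarios raised in this thread (persist the discovery phase once, run several audit passes against it, and resume a paused or crashed scan from a single state file) can be sketched in Python as an added example. This is illustration code written for this thread, not w3af's own code or its session format; the `ScanState`, `save_state`, `load_state`, `run_audit` and `demo` names, the "sqli_stub" audit and the target URLs are all constructed for the example. The state file is written atomically and carries a SHA-256 digest, so a checkpoint that was cut off mid-write (the "w3af fails during a scan" case) is rejected on load instead of being silently resumed.

```python
"""Added example (not w3af's own code): a checkpointed, resumable scan state.

Discovery results are saved once; each audit pass records which URLs it has
already covered and checkpoints after every URL, so a pause or crash leaves
exactly one state file to pick up from. All names here are assumptions.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field, asdict


@dataclass
class ScanState:
    target: str
    discovered_urls: list = field(default_factory=list)   # output of the discovery phase
    audited: dict = field(default_factory=dict)           # audit name -> URLs already checked
    findings: list = field(default_factory=list)          # accumulated results of all audits


def _digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def save_state(state: ScanState, path: str) -> str:
    """Write the state atomically (temp file + rename) together with a SHA-256
    digest of the serialized body, so a half-written or edited file is detected
    on load rather than resumed. Returns the digest that was written."""
    body = json.dumps(asdict(state), sort_keys=True).encode()
    envelope = json.dumps({"sha256": _digest(body), "state": body.decode()}).encode()
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".scanstate-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(envelope)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)   # atomic on POSIX and Windows: readers see old or new, never partial
    return _digest(body)


def load_state(path: str) -> ScanState:
    """Load a checkpoint, refusing anything whose digest does not match its body."""
    with open(path, "rb") as fh:
        envelope = json.load(fh)
    body = envelope["state"].encode()
    if _digest(body) != envelope["sha256"]:
        raise ValueError("state file digest mismatch; refusing to resume from a corrupted checkpoint")
    return ScanState(**json.loads(body))


def run_audit(state: ScanState, audit_name: str, check, path: str, stop_after=None) -> int:
    """Resumable audit loop: skips URLs this audit already covered and checkpoints
    after each URL. `check(url)` returns a list of finding descriptions.
    `stop_after` limits the URLs processed in this call, standing in for a pause.
    Returns how many URLs this audit has covered in total."""
    done = state.audited.setdefault(audit_name, [])
    processed = 0
    for url in state.discovered_urls:
        if url in done:
            continue
        if stop_after is not None and processed >= stop_after:
            break
        for detail in check(url):
            state.findings.append({"audit": audit_name, "url": url, "detail": detail})
        done.append(url)
        processed += 1
        save_state(state, path)
    return len(done)


def demo(path: str) -> dict:
    """Constructed walkthrough: save discovery, pause an audit halfway, resume it
    from the file as a fresh process would."""
    urls = [f"http://target.example/page{i}?id={i}" for i in range(4)]   # constructed targets
    state = ScanState(target="http://target.example", discovered_urls=urls)
    save_state(state, path)                                                # scenario 1/2: discovery saved first

    def check(url):   # stand-in audit: note any URL that carries an "id" parameter
        return ["id parameter present"] if "id=" in url else []

    before_pause = run_audit(state, "sqli_stub", check, path, stop_after=2)   # scenario 4: pause after 2
    resumed = load_state(path)                                                 # reopen the single state file
    after_resume = run_audit(resumed, "sqli_stub", check, path)
    return {"before_pause": before_pause, "after_resume": after_resume,
            "findings": len(resumed.findings),
            "discovery_reused": resumed.discovered_urls == urls}


if __name__ == "__main__":
    print(demo(os.path.join(tempfile.mkdtemp(), "scan.state")))
```

Because the digest covers the serialized body, a second audit type can later be run against the same saved discovery without re-spidering, and a checkpoint left behind by a crash either loads cleanly or fails loudly.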


