Robert,

Your mail client sucks =) No, really... it does... it doesn't send the
">", it changes the font, etc. It's really hard to read inline emails
when you are the one that writes them. Could you please try to
reconfigure your email client, or use another one?

Now with the email:

On Wed, Apr 29, 2009 at 7:55 PM, Robert Carr <carr.m.rob...@gmail.com> wrote:
> All,
> -----Original Message-----
> From: Andres Riancho <andres.rian...@gmail.com>
> To: Taras P. Ivashchenko <naplan...@gmail.com>
> Cc: w3af-develop@lists.sourceforge.net
> Subject: Re: [W3af-develop] W3AF Proxy v2 plans - "BurpProxy killer"
> Date: Tue, 28 Apr 2009 09:18:04 -0300
>
>
> Taras,
>
> On Mon, Apr 27, 2009 at 6:34 PM, Taras P. Ivashchenko <naplan...@gmail.com> wrote:
>> Hello, list!
>>
>> I had tried  WebScarab [0] and Burp Proxy [1]
>>
>> Here is the plan:
>>  * More convenient GUI (multiple requests and history navigation, table
>> presentation of request/response data and so on)
>
> I think that the burp proxy GUI is really good, and most web app sec
> experts are used to it. For starters, I would change the GUI from our
> MITM proxy [a] to look just like burp proxy. The three tabs:
> "intercept", "options", "history" ; the positions of the buttons, I
> would change our interface to look just like the one in burp.
>
>>  * Transcoder (string to MD5/SHA1, URL encode/decode and so on)
>
> We already have that tool! Please see "Encode/Decode" in the tools
> section of the GUI.
>
>>  * Easy editing of request parameters (like in Burp)
>
> Ok,
>
>>  * Audit plugins integration for manual checks
>
> You mean that if I'm analyzing a request, I should be able to click on
> a button that says: "Find SQL injections", and that would send the
> request to the audit.sqli plugin, and find SQL injections on those
> parameters? If that's the idea..., it would be awesome!!!!!
>
>>  * Save/restore sessions?
>
> Kind of complex, but it could be done.
>
> This is an area I think is very important for w3af. Here are the scenarios
> as a w3af user, that I really think make the case (in my mind):
>
> 1. Iterative scans of a website
>    Basically I like to get a saved discovery then run different scan types
>    against a site (using tools that allow it), especially with those
>    touchy clients who have crappy sites.

Ok, it seems that this is a common use case, because I've heard it
more than once.

> 2. Webserver or heaven forbid w3af fails during a scan.  Being able to save
> the discovery before scanning would be awesome.

Yes, I also heard this and I would like to give you an answer...
but... I still don't have it. I think that we could work on something
to get w3af sessions working.

> The above are killers on websites with javascript menus. (meaning it's a pain
> in the ass to go through spiderMan or the equivalent multiple times)

+1 !! I feel your pain!

> 3. Reporting. Since Burp is on the table, having the ability to re-open
> saved state and actually review the requests/responses is great.
> This can already be done with w3af with the text output, but it is
> convenient to have everything in a state file. (application settings, data)

Ok,

> 4. Pausing a scan. I hate doing this, but sometimes you have to, especially
> when you have very restrictive scan windows. With Burp, when you are finished
> you can pick up where you left off and you have only one state file, not 1
> half finished and another full etc..

I failed to understand this one,

> Thoughts?
>
> -R
>
>> Does anybody have any more ideas?
>
> I've found that when I'm analyzing a website, I end up using only two
> tools: w3af and burp. And I mostly use burp to perform the manual part
> of the assessment because... let's face it... the MITM proxy in w3af
> isn't good enough. I think that having a burp proxy clone in w3af, to
> replace the current MITM proxy would be an excellent idea.
>
> I see that Taras is thinking like me, how do the other developers think?!
>
> [a] core/ui/gtkUi/proxywin.py
>
>>
>> [0] http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
>> [1] http://portswigger.net/proxy/
>> --
>> Taras P. Ivashchenko <naplan...@gmail.com>
>>
>>
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop



-- 
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/

