Andres Riancho wrote:
> Aaron,
>
> On Thu, Apr 30, 2009 at 4:59 PM, Aaron Peterson
> <aa...@midnightresearch.com> wrote:
>> Hello:
>>
>> On Wed, Apr 29, 2009 at 08:20:47PM -0300, Andres Riancho wrote:
>>> On Wed, Apr 29, 2009 at 7:55 PM, Robert Carr <carr.m.rob...@gmail.com>
>>> wrote:
>>>> 1. Iterative scans of a website [snip]
>>>> have everything in a state file. (application settings, data)
>>> Ok,
>> Another unrelated note I have on the reporting front -- something that would
>> be nice is to be able to have more control over filtering/combining report
>> output. One thing that might help would be to put a unique plugin id in each
>> vulnerability listed in the XML output file. That way I could filter out an
>> entire plugin's output or more easily combine reports when needed.
>>
>> Speaking of this, is there any XSLT or other way to transform the XML into an
>> HTML or text report?
>
> In the rickybobby branch, Robert Carr is working on adding a unique
> numeric identifier to each vulnerability discovered by w3af. This will
> help you in the process of filtering, but it will take some time until
> he finishes up his work. If you want, you could send him an email and
> help him! =)
Something occurred to me when I read this bit. Has anyone considered using
the OWASP Testing Guide's identifiers? [1] I use the Testing Guide when I
create reports since it gives a couple of benefits:

* Categories/structure already exist for almost anything you find
* Unique identifiers already exist
* Pre-made overview descriptions to use in the report/output
* Online resource to point to for additional information

For example, a report I did yesterday included:

- - - -
Finding: Exposed Session Variables (OWASP-SM-004)

Description: The Session Tokens (Cookie, SessionID, Hidden Field), if
exposed, will usually enable an attacker to impersonate a victim and access
the application illegitimately. As such, it is important that they are
protected from eavesdropping at all times – particularly whilst in transit
between the Client browser and the application servers.

Details: (I wrote this bit)

Further Information:
http://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OWASP-SM-004)
(and some other links I added)
- - - -

Since the Testing Guide is Creative Commons Share Alike [2], all you have to
do is provide attribution and you're done. I only have to write the
application-specific details. Version 3 of the guide was just published and
it sure makes reporting suck less.

[1] http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
[2] http://creativecommons.org/licenses/by-sa/3.0/

--
Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://mtesauro.com/livecd/ - Documentation Wiki

>
>>>> 4. Pausing a scan. I hate doing this, but sometimes you have to, especially
>>>> when you have very restrictive scan windows. With Burp, when you are
>>>> finished you can pick up where you left off and you have only one state
>>>> file, not 1 half finished and another full etc..
>>> I failed to understand this one,
>> Being able to pause a scan would definitely be nice (but I suspect it would
>> also require w3af sessions). I have a site I'm working on now that only has
>> a 3-hour window per day that I can work on it.
>
> Well... you could run w3af in a vmware, and pause the vmware ;) ;) ;) ;)
>
>> HTH,
>>
>> Aaron
>>
>
>
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
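As an added example (not w3af code, and not written by anyone in this thread), the Python script below shows what the two ideas above buy you together: a per-finding identifier in the XML output (Aaron's request) and a mapping of that identifier onto OWASP Testing Guide v3 sections (Matt's suggestion). Findings from two partial scans are merged without duplicates, an entire plugin's output or an entire Testing Guide category can be dropped, and the text report is grouped under the guide's identifiers with the CC BY-SA attribution the licence asks for. The XML layout, plugin names, severities and URLs are constructed for this example and are not w3af's real report format; only OWASP-SM-004 and its overview sentence come from the message above, while the OWASP-DV-001 and OWASP-DV-005 entries are the editor's assumed mapping and should be checked against the table of contents in [1].

```python
"""Tag, filter and merge scanner findings under stable identifiers.

Added example, not w3af's own code. REPORT_A/REPORT_B use a constructed XML
layout, not w3af's real output format. OWASP-SM-004 and its overview text are
from the OWASP Testing Guide v3 (CC BY-SA 3.0); the two DV mappings are
assumed and should be checked against the guide's table of contents.
"""
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample output from two partial scans of the same site
# (hypothetical plugin names). Each <vulnerability> carries the plugin that
# raised it, which is the per-finding identifier asked for in the thread.
REPORT_A = """<report>
  <vulnerability plugin="exposedSessionVars" severity="Medium" url="http://example.test/login">
    <desc>Session cookie set without the Secure flag and sent over HTTP.</desc>
  </vulnerability>
  <vulnerability plugin="xss" severity="Medium" url="http://example.test/search">
    <desc>Parameter q is reflected unescaped.</desc>
  </vulnerability>
</report>"""

REPORT_B = """<report>
  <vulnerability plugin="exposedSessionVars" severity="Medium" url="http://example.test/login">
    <desc>Session cookie set without the Secure flag and sent over HTTP.</desc>
  </vulnerability>
  <vulnerability plugin="sqli" severity="High" url="http://example.test/item">
    <desc>Database error returned for a single quote in parameter id.</desc>
  </vulnerability>
</report>"""

# plugin -> (OWASP Testing Guide v3 id, guide section title, guide overview text).
# Only the OWASP-SM-004 entry is quoted from the thread; the DV entries are an
# assumed mapping with no overview text, so the report falls back to the link.
OWASP_TG = {
    "exposedSessionVars": (
        "OWASP-SM-004", "Testing for Exposed Session Variables",
        "The Session Tokens (Cookie, SessionID, Hidden Field), if exposed, will "
        "usually enable an attacker to impersonate a victim and access the "
        "application illegitimately."),
    "xss": ("OWASP-DV-001", "Testing for Reflected Cross site scripting", None),
    "sqli": ("OWASP-DV-005", "Testing for SQL Injection", None),
}
GUIDE_BASE = "http://www.owasp.org/index.php/"  # URL shape taken from the SM-004 link
ATTRIBUTION = ("Finding categories and descriptions from the OWASP Testing Guide v3, "
               "OWASP Foundation, CC BY-SA 3.0 "
               "(http://creativecommons.org/licenses/by-sa/3.0/).")


def load_findings(xml_text):
    """Parse one report and attach the OWASP identifier to every finding."""
    findings = []
    for v in ET.fromstring(xml_text).iter("vulnerability"):
        plugin = v.get("plugin")
        owasp_id, title, overview = OWASP_TG.get(plugin, (None, None, None))
        findings.append({
            "plugin": plugin, "severity": v.get("severity"), "url": v.get("url"),
            "detail": (v.findtext("desc") or "").strip(),
            "owasp_id": owasp_id, "title": title, "overview": overview,
        })
    return findings


def merge_reports(*xml_texts):
    """Combine partial scans; a finding present in more than one report is kept once.

    (plugin, url, detail) stands in for the stable numeric id mentioned for the
    rickybobby branch: once the scanner emits one, key on that instead.
    """
    seen = OrderedDict()
    for text in xml_texts:
        for f in load_findings(text):
            seen.setdefault((f["plugin"], f["url"], f["detail"]), f)
    return list(seen.values())


def exclude(findings, plugins=(), owasp_ids=()):
    """Drop a whole plugin's output, or a whole Testing Guide category."""
    return [f for f in findings
            if f["plugin"] not in plugins and f["owasp_id"] not in owasp_ids]


def render_text(findings):
    """Group findings by OWASP id and emit the report skeleton plus attribution."""
    groups = OrderedDict()
    for f in findings:
        groups.setdefault(f["owasp_id"] or "UNMAPPED", []).append(f)
    out = []
    for owasp_id, group in groups.items():
        head = group[0]
        out.append("- - - -")
        if head["title"]:
            out.append("Finding: %s (%s)" % (head["title"], owasp_id))
            out.append("Description: %s" % (head["overview"] or "(see the guide section below)"))
        else:
            out.append("Finding: %s (no Testing Guide mapping; describe manually)" % head["plugin"])
        out.append("Details:")
        for f in group:
            out.append("  [%s] %s: %s" % (f["severity"], f["url"], f["detail"]))
        if head["title"]:
            # Same URL shape as the SM-004 link in the thread; verify per section.
            out.append("Further Information: %s%s_(%s)"
                       % (GUIDE_BASE, head["title"].replace(" ", "_"), owasp_id))
    out.append("- - - -")
    out.append(ATTRIBUTION)
    return "\n".join(out)


if __name__ == "__main__":
    merged = merge_reports(REPORT_A, REPORT_B)
    print(render_text(exclude(merged, plugins=("xss",))))
```

The deduplication key is the weak point: two scans that describe the same issue with slightly different wording will not collapse, which is exactly why a scanner-assigned stable identifier per finding is worth having. Anything the mapping table does not know about is still reported, just flagged as unmapped, so a new plugin cannot silently vanish from the report.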