Kost,

On Sun, Oct 18, 2009 at 7:08 PM, Vlatko Kosturjak <k...@linux.hr> wrote:
> Andres Riancho wrote:
>>
>> - In a section of the code it reads: "See the preferences section for
>> w3af options.", what are those options? How could I read them?
>
> Currently, you can only set profile (it's full_audit by default) and
> verboseness is automatically set if you set verbose globally in OpenVAS. I
> hope to implement much more features/options...
> If you think some feature should be immediately implemented, feel free to
> suggest :)

hmmm, if the script_timeout variable is set to something reasonable, then for now I do not have any other options.

>> - "script_require_ports("Services/www", 80);", actually, w3af can
>> launch a scan on any port that has an HTTP daemon. I don't really know
>> if this situation is covered by these other lines or not:
>
> Services/www means: any web server found (regardless of http/https).
> 80 means as fallback, if port 80 is open...

Ok, nice.

>> - Even with the modifications I've been working on, w3af tends to be
>> time consuming. Maybe users want to be able to set for how much time
>> w3af is going to run inside openvas? Could this be done here "r =
>
> It should work through script_timeout()...

Nice, I'm starting to like openvas even more ;)

>> I think that adding w3af to openvas is a good idea, it will give you
>> guys some advantages over nessus, and on the other side, w3af will be
>> more widespread. The only problem I see is that openvas users could be
>> inclined to think that running w3af inside openvas is "100% accurate",
>> which is not, because openvas will only be able to show some of w3af's
>> settings, features, etc.
>
> Anyway, people using automatic scanners should be aware that the scanner is
> only there to help... We can put some kind of disclaimer if you think will
> help (in description of plugin or/and report).

Yes, I would appreciate that.

Cheers,

> i.e.
>
> "...See the preferences section for w3af options.
> Note that OpenVAS is using limited set of w3af options.
> Therefore, for more complete web assessment, you should
> use standalone w3af tool for deeper/customized checks."
>
> Kost
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop