Andres Riancho wrote:
>>> - In a section of the code it reads: "See the preferences section for
>>> w3af options.", what are those options? How could I read them?
>> Currently, you can only set profile (it's full_audit by default) and
>> verboseness is automatically set if you set verbose globally in OpenVAS. I
>> hope to implement much more features/options...
>> If you think some feature should be immediately implemented, feel free to
>> suggest :)
> hmmm, if the script_timeout variable is set to something reasonable,
> then for now I do not have any other options.

There is a "thorough scan" option in OpenVAS which could run w3af in
full_audit mode without timeouts set. As I don't like timeouts in sense of
time. Is there any "sane" default for normal scan in terms of items scanned
or something like that which you would recommend? i.e. scanning only 3
levels deep on web servers, scanning only first 1000 URLs found or
something like that?

>>> - "script_require_ports("Services/www", 80);", actually, w3af can
>>> launch a scan on any port that has an HTTP daemon. I don't really know
>>> if this situation is covered by these other lines or not:
>> Services/www means: any web server found (regardless of http/https).
>> 80 means as fallback, if port 80 is open...
> Ok, nice.
> Nice, I'm starting to like openvas even more ;)

Nice thing is that actually, the script will run itself on all www ports
itself without any additional logic (i.e. if web ports are found on port
80,443,8080 and 8000 = the script would run on all of them).

That reminded me to fix the bug in filename generation - Thanks! :-)

>>> I think that adding w3af to openvas is a good idea, it will give you
>>> guys some advantages over nessus, and on the other side, w3af will be
>>> more widespread. The only problem I see is that openvas users could be
>>> inclined to think that running w3af inside openvas is "100% accurate",
>>> which is not, because openvas will only be able to show some of w3af's
>>> settings, features, etc.
>> Anyway, people using automatic scanners should be aware that the scanner is
>> only there to help... We can put some kind of disclaimer if you think will
>> help (in description of plugin or/and report).
> Yes, I would appreciate that.

Done.

Kost
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop