Andres Riancho wrote:
>>> - In a section of the code it reads: "See the preferences section for
>>> w3af options.", what are those options? How could I read them?
>> Currently, you can only set profile (it's full_audit by default) and
>> verboseness is automatically set if you set verbose globally in OpenVAS. I
>> hope to implement much more features/options...
>> If you think some feature should be immediately implemented, feel free to
>> suggest :)
> hmmm, if the script_timeout variable is set to something reasonable,
> then for now I do not have any other options.

There is a "thorough scan" option in OpenVAS which could run w3af in 
full_audit mode without timeouts set, as I don't like timeouts in the sense 
of time. Is there any "sane" default for a normal scan in terms of items 
scanned or something like that which you would recommend? i.e. scanning 
only 3 levels deep on web servers, scanning only the first 1000 URLs found 
or something like that?

>>> -  "script_require_ports("Services/www", 80);", actually, w3af can
>>> launch a scan on any port that has an HTTP daemon. I don't really know
>>> if this situation is covered by these other lines or not:
>> Services/www means: any web server found (regardless of http/https).
>> 80 means as fallback, if port 80 is open...
> Ok, nice.
> Nice, I'm starting to like openvas even more ;)

The nice thing is that the script will actually run itself on all www ports 
without any additional logic (i.e. if web ports are found on ports 
80, 443, 8080 and 8000, the script would run on all of them). That 
reminded me to fix the bug in filename generation - Thanks! :-)

>>> I think that adding w3af to openvas is a good idea, it will give you
>>> guys some advantages over nessus, and on the other side, w3af will be
>>> more widespread. The only problem I see is that openvas users could be
>>> inclined to think that running w3af inside openvas is "100% accurate",
>>> which is not, because openvas will only be able to show some of w3af's
>>> settings, features, etc.
>> Anyway, people using automatic scanners should be aware that the scanner is
>> only there to help... We can put some kind of disclaimer if you think it will
>> help (in the description of the plugin and/or the report).
> Yes, I would appreciate that.

Done.

Kost
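As an added illustration (not the plugin code discussed in this thread), a minimal OpenVAS NASL wrapper skeleton showing what `script_require_ports("Services/www", 80)` does in practice, and how to derive a per-host, per-port output filename so that instances launched on 80, 443 and 8080 at the same time do not overwrite each other's report. The OID, the /tmp paths and the w3af console script syntax are assumptions for the example.

```nasl
# Added example, not the plugin from this thread: a minimal OpenVAS NASL
# wrapper skeleton. OID, paths and the w3af command line are placeholders.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.0");        # placeholder, assign a real OID
  script_name("w3af wrapper (example skeleton)");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_dependencies("find_service.nasl");      # fills Services/www in the KB
  # Launch once for every port find_service marked as a web server,
  # regardless of http/https; if none is known, fall back to port 80.
  script_require_ports("Services/www", 80);
  script_timeout(3600);                          # seconds per launch
  exit(0);
}

include("http_func.inc");

# The scanner starts one instance per matching port, so this value differs
# per instance (80, 443, 8080, ...). No port loop is needed in the script.
port = get_http_port(default:80);
host = get_host_ip();
scheme = "http";
if (get_port_transport(port) > ENCAPS_IP) scheme = "https";
target = string(scheme, "://", host, ":", port, "/");

# One output file per host AND port, so parallel instances never overwrite
# each other's report (the filename-generation bug mentioned above).
safe_host = ereg_replace(string:host, pattern:"[^A-Za-z0-9.]", replace:"_");
report = string("/tmp/w3af_", safe_host, "_", port, ".txt");    # assumed dir
script_file = string("/tmp/w3af_", safe_host, "_", port, ".w3af");

# w3af console script (command syntax assumed for the console of that era).
fwrite(file:script_file,
       data:string("profiles use full_audit\n",
                   "plugins\noutput textFile\noutput config textFile\n",
                   "set fileName ", report, "\nback\nback\n",
                   "target\nset target ", target, "\nback\nstart\nexit\n"));

# Run w3af non-interactively; the scanner's script_timeout bounds this call.
pread(cmd:"w3af_console", argv:make_list("w3af_console", "-s", script_file));

res = fread(report);
if (strlen(res) > 0)
  security_note(port:port, data:string("w3af report for ", target, ":\n", res));
```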

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
