On 08/19/2010 06:48 AM, Taras wrote: > Hi, all! > > I have some ideas about things W3AF needs to become enterprise solution: > 1. Usable login area scan capabilities. We can make something like in > Acunetix (How it made in other scanners). > e.g. special (plain text) files with auth information: > - login request > - logout request > - check session request > We can record it with our proxy tool
The hard part of this is that for this to be trustworthy, you really need checkpointing/rollback support. I have no idea how hard this would be to implement, but Andres has pretty much said in the past it won't happen. Maybe with fresh funding and eyeballs this will be possible? I see session management is listed in ticket #147987 on milestone 1.3, but without any mention of how to handle the interval between the last and current login check. http://sourceforge.net/apps/trac/w3af/query?status=assigned&status=new&status=accepted&status=reopened&group=status&milestone=1.3 > 2. URLrewrite support (Apache,Lighttpd) - it looks like not very hard to > implement This is also on the roadmap for 1.3. Of course if you do it, it can happen faster. ;-) > 3. Web interface - Django or webpy? Not a bad idea if someone really wants to work on it. It's not a small job. Note that metasploit had this and abandoned it as it was hard to maintain multiple interfaces, and the web interface never got some of the features of the other interfaces due to being harder to develop for. I'd say this is much lower priority then anything up to milestone 1.3 anyway. As with all things, if you really think it's important, go ahead; nobody will stop you, but nobody will probably help either ;-) > 4. At least of course "enterprise level" reporting - PDF with nice pictures :) Probably at the level of contribution w3af has at the moment, html2pdf, wkhtmltopdf or similar is the best way to get PDF. > For the future - we really need more powerful AJAX support: > - FF plugin > - own parsing engine (webkit+v8)? > - selenium > What do you guys think about these thigns? > All these are on the roadmap. I suggest you check it out ;-) I think Andres has made a good plan. Just waits to be seen: 1) How the funding works out/ how long it lasts 2) if lazy lurkers like me get off their butt and contribute more ;-) Hitting the 1.0 milestone should make w3af much more useful for me, and hence easier to justify spending time on. Digging in enough to fix a few of the major 1.0 bugs seems tough even for the author of the code, so it's hard for anyone else to want to touch them. -- | Steven Pinkham, Security Researcher | | http://www.mavensecurity.com | | GPG public key ID CD31CAFB | ------------------------------------------------------------------------------ This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
