Steve,
On Thu, Aug 19, 2010 at 11:07 AM, Steve Pinkham <steve.pink...@gmail.com> wrote:
> On 08/19/2010 06:48 AM, Taras wrote:
>> Hi, all!
>>
>> I have some ideas about things W3AF needs to become enterprise solution:
>> 1. Usable login area scan capabilities. We can make something like in
>> Acunetix (How it made in other scanners).
>> e.g. special (plain text) files with auth information:
>> - login request
>> - logout request
>> - check session request
>> We can record it with our proxy tool
>
> The hard part of this is that for this to be trustworthy, you really
> need checkpointing/rollback support. I have no idea how hard this would
> be to implement, but Andres has pretty much said in the past it won't
> happen. Maybe with fresh funding and eyeballs this will be possible? I
> see session management is listed in ticket #147987 on milestone 1.3,
> but without any mention of how to handle the interval between the last
> and current login check.
>
> http://sourceforge.net/apps/trac/w3af/query?status=assigned&status=new&status=accepted&status=reopened&group=status&milestone=1.3
The rapid7 sponsored full time employee for w3af will join the Web
Application Security Center of Excelence on Sep 6. I'll be working on
w3af's roadmap over the next weeks, where I'll change the priorities
of the tasks a little bit. At the beginning I'll assign him simple
tasks so he can understand the framework, and then we'll be able to
get the most out of him when he has deep understanding of it :)
>> 2. URLrewrite support (Apache,Lighttpd) - it looks like not very hard to
>> implement
> This is also on the roadmap for 1.3. Of course if you do it, it can
> happen faster. ;-)
I still have to think how the project will be developed in the
future. It will of course continue to be GPLv2, open source, free; but
with the new developer joining we need to have a more predictable way
of developing our project. Rapid7 uses SCRUM and I'm just starting to
learn the methodology (which I think is great). The challenge will be
to learn how to use SCRUM in an open source project.
>> 3. Web interface - Django or webpy?
> Not a bad idea if someone really wants to work on it. It's not a small
> job. Note that metasploit had this and abandoned it as it was hard to
> maintain multiple interfaces, and the web interface never got some of
> the features of the other interfaces due to being harder to develop for.
> I'd say this is much lower priority then anything up to milestone 1.3
> anyway. As with all things, if you really think it's important, go
> ahead; nobody will stop you, but nobody will probably help either ;-)
I think that Steve has a good point with the: "if you really think
it's important, go ahead; nobody will stop you, but nobody will
probably help either ;-)" but at the same point, I think that the
roadmap should have clear priorities, influenced by all. If after
talking to 10 ppl, 8 tell me that the web UI is important for them,
then the roadmap should reflect that fact. On the other hand, we don't
want contributors developing "cowboy" style and without respecting the
roadmap, since that will be negative for the developer (their patch
couldn't make it to the trunk and they would see this as "working for
nothing") and the community (that developer time which could have been
used in the right way, was used for something that dindn't make it to
the trunk)
>> 4. At least of course "enterprise level" reporting - PDF with nice pictures
>> :)
>
> Probably at the level of contribution w3af has at the moment, html2pdf,
> wkhtmltopdf or similar is the best way to get PDF.
Yep, that could be a good way but... for doing that, you still have to
have a nice HTML report :P
>> For the future - we really need more powerful AJAX support:
>> - FF plugin
>> - own parsing engine (webkit+v8)?
>> - selenium
>> What do you guys think about these thigns?
>>
>
> All these are on the roadmap. I suggest you check it out ;-)
> I think Andres has made a good plan. Just waits to be seen:
> 1) How the funding works out/ how long it lasts
> 2) if lazy lurkers like me get off their butt and contribute more ;-)
>
> Hitting the 1.0 milestone should make w3af much more useful for me, and
> hence easier to justify spending time on. Digging in enough to fix a
> few of the major 1.0 bugs seems tough even for the author of the code,
> so it's hard for anyone else to want to touch them.
>
> --
> | Steven Pinkham, Security Researcher |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
