On 11/03/2010 03:19 PM, Andres Riancho wrote: > but there are currently repeatable > build scripts in the Web Security Dojo git repo that currently match the > Moth w3af test environment bug for bug at the moment. > > > Could you please send me the link to those build scripts?
To currently use the Dojo build scripts, I have a small bootstrap script that installs git and pulls down the git repo: http://sourceforge.net/projects/websecuritydojo/files/Build_Files/bootstrap.sh/download Then most of the work is done in a monolithic build script here: http://websecuritydojo.git.sourceforge.net/git/gitweb.cgi?p=websecuritydojo/websecuritydojo;a=blob;f=build.sh;hb=HEAD Search for "#w3af test environment" to find the relevant part. It also uses this simple diff for apache config, as you'd see in the script: http://websecuritydojo.git.sourceforge.net/git/gitweb.cgi?p=websecuritydojo/websecuritydojo;a=blob;f=targets/w3af_target/w3af_target_apache.diff;hb=HEAD > I'd be happy to > help fix the bugs and adopt it to your needs and/or script additional > targets for the environment. > > > I think we don't have many bugs in moth (at least I couldn't find none > in the Trac, maybe I should search the mailing list!). A new ticket was > created in order to start documenting the ideas we have and the progress > [0]. > > [0] https://sourceforge.net/apps/trac/w3af/ticket/160261 Many of the links are broken, none of the cgi scripts seem to work, and a bunch of other things. I think they were reported around the time you were in talks with rapid7, so were probably distracted. ;-) There was a month between my first report and your reply, so I lost track of a lot of the brokenness.. https://sourceforge.net/mailarchive/message.php?msg_name=4C447AB3.6070705%40gmail.com > vmbuilder plus install scripts should give > a mostly automated, repeatable build process for continued updates and > improvements. > > https://help.ubuntu.com/10.04/serverguide/C/jeos-and-vmbuilder.html > > > I don't have experience with vmbuilder, I'll need to read that document > in a near future to check if it will work for us. Have you built the > dojo VM using it? Which are the Top5 good things about it? And the worse > 5? How much time does it take to learn? I do not use vmbuilder for Dojo, though I have used it for other projects. vmbuilder is focused on creating a small server VM. The benefit is it gives a scriptable way to generate server VMs with packages installed and configured, and user accounts and passwords set up. It can target a number of different virtualization solutions. By swapping one parameter you can build for ISO, KVM, XEN, Virtualbox, VMware, amazon EC2, and other formats. How long it takes to learn depends on what you want to do with it. I would recommend using it to build the base VM, then script the install and configuration inside the VM as a second step. The other option is to build all customisations as debian packages, but down that path lies madness ;-) At least for me. Someday I'll have to figure it all out, but not a packaging guru yet. Steve -- | Steven Pinkham, Security Consultant | | http://www.mavensecurity.com | | GPG public key ID CD31CAFB |
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Achieve Improved Network Security with IP and DNS Reputation. Defend against bad network traffic, including botnets, malware, phishing sites, and compromised hosts - saving your company time, money, and embarrassment. Learn More! http://p.sf.net/sfu/hpdev2dev-nov
_______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
