Steve,
On Wed, Nov 3, 2010 at 5:22 PM, Steve Pinkham <steve.pink...@gmail.com> wrote:
> On 11/03/2010 03:19 PM, Andres Riancho wrote:
> > but there are currently repeatable
> > build scripts in the Web Security Dojo git repo that currently match
> the
> > Moth w3af test environment bug for bug at the moment.
> >
> >
> > Could you please send me the link to those build scripts?
>
> To currently use the Dojo build scripts, I have a small bootstrap script
> that installs git and pulls down the git repo:
>
>
> http://sourceforge.net/projects/websecuritydojo/files/Build_Files/bootstrap.sh/download
>
> Then most of the work is done in a monolithic build script here:
>
> http://websecuritydojo.git.sourceforge.net/git/gitweb.cgi?p=websecuritydojo/websecuritydojo;a=blob;f=build.sh;hb=HEAD
>
> Search for "#w3af test environment" to find the relevant part.
>
> It also uses this simple diff for apache config, as you'd see in the
> script:
>
> http://websecuritydojo.git.sourceforge.net/git/gitweb.cgi?p=websecuritydojo/websecuritydojo;a=blob;f=targets/w3af_target/w3af_target_apache.diff;hb=HEAD
>
>
I like the idea of having such a script that handles all the steps of
configuring the VM; it gives you the power of transforming any Ubuntu into a
100% vulnerable one :)
The only issue I see is that it might be overkill for our situation.
> > I'd be happy to
> > help fix the bugs and adapt it to your needs and/or script additional
> > targets for the environment.
> >
> >
> > I think we don't have many bugs in moth (at least I couldn't find any
> > in the Trac, maybe I should search the mailing list!). A new ticket was
> > created in order to start documenting the ideas we have and the progress
> > [0].
> >
> > [0] https://sourceforge.net/apps/trac/w3af/ticket/160261
>
> Many of the links are broken, none of the cgi scripts seem to work, and
> a bunch of other things. I think they were reported around the time you
> were in talks with rapid7, so were probably distracted. ;-) There was a
> month between my first report and your reply, so I lost track of a lot
> of the brokenness.
>
>
> https://sourceforge.net/mailarchive/message.php?msg_name=4C447AB3.6070705%40gmail.com
>
Great! I translated all these issues into different trac tickets:
* https://sourceforge.net/apps/trac/w3af/ticket/160273
* https://sourceforge.net/apps/trac/w3af/ticket/160271
And linked them to the main task:
* https://sourceforge.net/apps/trac/w3af/ticket/160261
> > vmbuilder plus install scripts should give
> > a mostly automated, repeatable build process for continued updates
> and
> > improvements.
> >
> > https://help.ubuntu.com/10.04/serverguide/C/jeos-and-vmbuilder.html
> >
> >
> > I don't have experience with vmbuilder, I'll need to read that document
> > in a near future to check if it will work for us. Have you built the
> > dojo VM using it? Which are the Top5 good things about it? And the worst
> > 5? How much time does it take to learn?
>
> I do not use vmbuilder for Dojo, though I have used it for other projects.
> vmbuilder is focused on creating a small server VM. The benefit is it
> gives a scriptable way to generate server VMs with packages installed
> and configured, and user accounts and passwords set up. It can target a
> number of different virtualization solutions. By swapping one parameter
> you can build for ISO, KVM, XEN, Virtualbox, VMware, amazon EC2, and
> other formats.
>
> How long it takes to learn depends on what you want to do with it. I
> would recommend using it to build the base VM, then script the install
> and configuration inside the VM as a second step. The other option is
> to build all customisations as debian packages, but down that path lies
> madness ;-) At least for me. Someday I'll have to figure it all out,
> but I'm not a packaging guru yet.
>
I think that at least for moth, all this is overkill. When time comes,
we'll see how we handle the problem. For now, we're working on our current
sprint issues :)
Do you have any other ideas, vulnerable web applications, etc. we could add
to moth?
>
> Steve
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
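The bootstrap described in this thread installs git, pulls the Dojo repo and then runs a monolithic build.sh. Whenever a fetched script is executed on a build host, the practical check a builder wants is that the script is the revision they reviewed. The example below is added here as an illustration and is not code from the thread, from Web Security Dojo or from w3af: a small POSIX sh bootstrap pattern that refuses to run a build script unless its SHA-256 matches a pinned value. The script name build.sh, the sample contents, the temporary directory and the digest are all constructed for the demo; in real use the pinned digest is a literal committed alongside the bootstrap, and the repo is cloned rather than written locally.

```shell
#!/bin/sh
# Added example, not from the Dojo project: run a fetched build script only
# after verifying it against a pinned SHA-256. All names and values below
# are constructed so the demo runs offline.
set -eu

# Compute the SHA-256 of a file; falls back to shasum where sha256sum is absent.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Execute $1 with sh only if its digest equals $2.
# Returns 0 after running it on a match; returns 1 without running it otherwise.
run_pinned_script() {
    script="$1"
    expected="$2"
    actual=$(file_sha256 "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: sha256 $actual does not match pinned $expected" >&2
        return 1
    fi
    sh "$script"
}

# Constructed stand-in for build.sh, written locally instead of cloned from git.
demo_dir=$(mktemp -d)
sample="$demo_dir/build.sh"
printf '%s\n' '#!/bin/sh' 'echo "build step ran"' > "$sample"

# In a real bootstrap this would be a hard-coded literal reviewed with the script,
# not computed from the fetched file; it is derived here only to seed the demo.
PINNED_SHA256=$(file_sha256 "$sample")

# Untouched script matches the pin and runs: returns 0.
demo_ok() {
    run_pinned_script "$sample" "$PINNED_SHA256"
}

# Simulate an unreviewed upstream change; the pin no longer matches, so the
# script must not run. Returns 0 when the refusal happened as intended.
demo_tampered() {
    echo 'echo "extra step"' >> "$sample"
    if run_pinned_script "$sample" "$PINNED_SHA256"; then
        return 1
    else
        return 0
    fi
}
```

Typical use is `run_pinned_script ./build.sh "<pinned digest>"` at the end of the bootstrap, after the clone; pinning a commit id with `git checkout` covers the same ground when git is trusted, and the digest check is the belt-and-braces step for hosts where the script is fetched over plain HTTP or copied around by hand.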
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop