Taras,

On Sun, Feb 20, 2011 at 2:07 PM, Taras <ox...@oxdef.info> wrote:
> Hi, all and sorry for delay!
>
> Andres, I think the creation of a new type of plugin needs more
> well-grounded arguments.

    Agreed,

> Is false positive management alone enough to justify
> it? Could you please describe the purpose of this new type of plugin in more detail?

    I don't have the time now, but I've added a new ticket to Trac for
follow-up [0]. This is a quote from the ticket:

"""
After an exchange of emails, we arrived at a point where more analysis
needs to be done. These are some of the questions that should be
answered:

    * Do we need a new type of plugin to post-process the scan results?
    * What's the effort associated with creating these plugins?
    * Will it benefit the users?
    * If we invest the same effort in reducing the false positives
that are generated by the audit/discovery/grep plugins themselves...
wouldn't we be solving the real error?
"""

[0] https://sourceforge.net/apps/trac/w3af/ticket/161848

>
>> On Wed, Feb 9, 2011 at 1:00 PM, Taras <ox...@oxdef.info> wrote:
>> > Hi, all!
>> >
>> > I just want to say that I have already made a simple falsePositiveManager
>> > for w3af.
>> > It has a falsePositiveFile (regex patterns) option in miscSettings. Simply
>> > put, it can test a URL against a pattern like this:
>> >   ...
>> >   app = falsePositiveManager()
>> >   app.loadFromList(self.patterns)
>> >   ...
>> >   self.assertFalse(app.isFalsePositive(goodTarget))
>> >   ...
>> >
>> > It can be used in output plugins (it was originally made for that).
>> > In the near future I will add it to the trunk.
>> > Andres, do you mind?
>> >
>> >> 1. What do you think about simple false-positive management in w3af?
>> >> For example, we could add the capability to read a list of regex patterns from
>> >> a special file and test them against a request before it is reported. It
>> >> can be useful in automated usage
>> >> (scan+reporting) of w3af.
>>
>> I've read through your implementation which is available here [0]. I
>> like the idea, but also think that we could do something better using
>> the framework's features. What do you think about this idea:
>>
>>     * Create a new type of plugin (name to be determined)
>>     * Create a false_positive remover plugin
>>     * The false positive remover plugin would somehow hook itself to
>> every knowledge base write action (save, append methods) and based on
>> user defined rules, remove the false positives.
>>     * The user defined rules could be saved as the plugin parameter,
>> and persisted inside the profile (this allows for easy interaction
>> between two w3af users that share profiles) (this would require us to
>> write a better wrapper for the "list type" in the GUI to allow easy
>> access to all user defined rules).
>>
>> After we finish this initial implementation we could write smarter
>> plugins that would have "business rules" like: "If there are more than
>> 10 SQL injection vulnerabilities in the KB, create a new vulnerability
>> that says 'you're screwed'", or something along those lines :P
>>
>> This subject was discussed by Tasos in one of the mailing lists I'm
>> subscribed to, but I don't seem to be able to find the link to it.
>>
>> [0] http://w3af.svn.sourceforge.net/viewvc/w3af?view=revision&revision=4036
>>
>> >
>> > --
>> > Taras <ox...@oxdef.info>
>> >
>> > _______________________________________________
>> > W3af-develop mailing list
>> > W3af-develop@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >
>
> --
> Taras
> http://oxdef.info
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds

-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

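The two designs discussed in this thread, Taras's falsePositiveManager (regex patterns loaded from a file and tested against a URL before a finding is reported) and Andres's post-processing idea (rules applied to the knowledge base, plus a "business rule" that raises a summary finding when one vulnerability type occurs more than 10 times), as an added Python example. This is not w3af's own code: the class and method names, the finding dict shape (name, url, severity), the sample pattern file and the sample findings are all constructed here for illustration.

```python
import re
from collections import Counter

# Constructed sample findings. The dict shape is an assumption for this
# example; w3af's KB stores its own vulnerability objects.
SAMPLE_FINDINGS = [
    {"name": "Cross site scripting", "url": "http://target.example/search?q=1", "severity": "Medium"},
    {"name": "Cross site scripting", "url": "http://target.example/static/app.js", "severity": "Medium"},
    {"name": "Path disclosure", "url": "http://target.example/healthz", "severity": "Low"},
] + [
    {"name": "SQL injection", "url": "http://target.example/products?id=%d" % i, "severity": "High"}
    for i in range(11)
]

# Constructed contents of a falsePositiveFile: one regex per line, '#' comments.
SAMPLE_PATTERN_FILE = r"""
# static assets are served verbatim; XSS reports there are noise
^http://target\.example/static/.*\.js$
# monitoring endpoint, always reported as a path disclosure
/healthz$
"""


class FalsePositiveManager:
    """Load URL regexes and decide whether a finding's URL is on the ignore list."""

    def __init__(self):
        self._patterns = []

    def load_from_list(self, lines):
        """Compile every non-empty, non-comment line; returns the rule count."""
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            self._patterns.append(re.compile(line))
        return len(self._patterns)

    def load_from_file(self, path):
        with open(path, "r", encoding="utf-8") as fh:
            return self.load_from_list(fh)

    def is_false_positive(self, url):
        # re.search: an unanchored rule suppresses any URL containing a match,
        # so rules should be anchored (^ ... $) unless that is really intended.
        return any(p.search(url) for p in self._patterns)


def filter_findings(findings, fpm):
    """Split findings into (kept, suppressed).

    The suppressed list is returned rather than thrown away so the scan log can
    show exactly what each rule removed; silently dropping results makes an
    over-broad rule invisible.
    """
    kept, suppressed = [], []
    for finding in findings:
        (suppressed if fpm.is_false_positive(finding["url"]) else kept).append(finding)
    return kept, suppressed


def apply_business_rules(findings, threshold=10):
    """Post-processing rule: a vulnerability type seen more than `threshold`
    times yields one derived, higher-level finding summarising the pattern."""
    counts = Counter(f["name"] for f in findings)
    derived = []
    for name, n in sorted(counts.items()):
        if n > threshold:
            derived.append({
                "name": "Systemic %s" % name,
                "url": "(multiple)",
                "severity": "High",
                "evidence": "%d %s findings after false positive filtering" % (n, name),
            })
    return derived


def run_example():
    """Full pipeline on the constructed data: filter, then post-process."""
    fpm = FalsePositiveManager()
    fpm.load_from_list(SAMPLE_PATTERN_FILE.splitlines())
    kept, suppressed = filter_findings(SAMPLE_FINDINGS, fpm)
    derived = apply_business_rules(kept)
    return kept, suppressed, derived


if __name__ == "__main__":
    kept, suppressed, derived = run_example()
    for f in suppressed:
        print("suppressed: %s at %s" % (f["name"], f["url"]))
    for f in derived:
        print("derived:    %s (%s)" % (f["name"], f["evidence"]))
    print("%d findings reported" % len(kept))
```

The filter matches on the URL only, exactly as the patterns in the thread do; a rule such as `/healthz$` therefore hides every finding type on that endpoint, not just the known false positive. If a rule is meant to silence one vulnerability class, the rule format needs a vulnerability-name field as well, and the suppressed list should be reviewed whenever the rule set changes.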
