Hi Martin, thanks for the advice. I am studying some plugins now so I can be
more interiorized with the project. Please let me know if I can help with some
active topic, anyway I will be writing soon to clarify doubts.
Thanks again
Date: Tue, 22 Nov 2011 09:03:26 +0100
From: mar...@swende.se
To: gastont...@hotmail.com
CC: w3af-develop@lists.sourceforge.net
Subject: Re: [W3af-develop] Joining the group
On 11/22/2011 05:55 AM, Gaston Toth wrote:
Hi everybody, I'm new here so first of all I will introduce
myself, I'm Gaston Toth and I'm from Rio Negro (Argentina). I
want to join this group of developers because I think it is a
great opportunity to help and at the same time to learn from the
experts.
To start working I think I could code a simple plugin to
fingerprint Joomla, I read an article that says it is possible
to do it by getting the md5 sum of some files which change
across versions.
For example the file: "/includes/js/joomla.javascript.js" could
be used.
At this point I have some questions to ask:
- How many files are necessary to fingerprint the software more
accurately without losing efficiency?
- Is it necessary to do it recursively? What if the site has
various installations of Joomla?
- If I don't find any of the files checked, what should I
inform?
(Any extra help will be really appreciated)
Thanks in advance,
Gaston Toth
Hi Gaston,
Welcome to the list! I don't want to dissuade you from participating
in w3af, but I'd like to mention a tool called blindelephant
(https://community.qualys.com/community/blindelephant). Blind
Elephant is a fingerprinter for common CMSes, among others Joomla.
As I understand it, they check out each revision of the code base
and use that information to create a binary search-tree. When the
tool is then used, it sends the minimum number of requests needed in
order to exactly determine what cvs/svn/foo-version is used on the
server.
It seems that Joomla is supported there already
(http://blindelephant.svn.sourceforge.net/viewvc/blindelephant/trunk/src/blindelephant/dbs/).
These kinds of fingerprinters, imho, should be produced in an
automated way - it's just too much work to keep such fingerprints
up-to-date by manually entering files and paths for each revision.
Just my 5 cents.
Regards,
Martin Holst Swende
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
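
The approach discussed in this thread (hash a few files, then ask only for the files that still tell the remaining versions apart) can be sketched as follows, for checking which release one of your own deployments is running. This is an added example, not code from the thread, from w3af or from BlindElephant; the greedy path selection is a simple stand-in for a precomputed search tree, and the version table, file contents, the `/constructed/...` paths and the `site` helper are all constructed for illustration.

```python
import hashlib

def md5(data):
    return hashlib.md5(data).hexdigest()

JS = "/includes/js/joomla.javascript.js"    # the path named in the thread
B = "/constructed/b.js"                     # made-up path
STATIC = "/constructed/static.css"          # made-up path, identical in every version

# Constructed file contents per version; not real Joomla data.
CONTENT = {
    "1.5.0": {JS: b"js-1", B: b"b-1", STATIC: b"same"},
    "1.5.1": {JS: b"js-1", B: b"b-2", STATIC: b"same"},
    "1.5.2": {JS: b"js-2", B: b"b-2", STATIC: b"same"},
    "1.5.3": {JS: b"js-2", B: b"b-3", STATIC: b"same"},
}
# Fingerprint table built from the contents: version -> {path: md5}
DB = {v: {p: md5(c) for p, c in files.items()} for v, files in CONTENT.items()}

def best_path(db, candidates, tried):
    """Untried path whose hashes split the candidates most evenly, or None."""
    best, best_worst = None, len(candidates)
    for path in sorted({p for v in candidates for p in db[v]} - tried):
        sizes = {}
        for v in candidates:
            key = db[v].get(path)
            sizes[key] = sizes.get(key, 0) + 1
        if max(sizes.values()) < best_worst:   # a path shared by all never qualifies
            best, best_worst = path, max(sizes.values())
    return best

def identify(db, fetch):
    """fetch(path) -> bytes or None. Returns (candidate versions, paths requested)."""
    candidates, tried, asked, matched = set(db), set(), [], False
    while len(candidates) > 1:
        path = best_path(db, candidates, tried)
        if path is None:                       # nothing left separates the candidates
            break
        tried.add(path)
        asked.append(path)
        body = fetch(path)
        digest = md5(body) if body is not None else None
        hit = {v for v in candidates if db[v].get(path) == digest}
        if hit:                                # no hit: missing or modified file, ignore it
            candidates, matched = hit, True
    return (sorted(candidates) if matched else []), asked

def site(version, missing=()):
    """Constructed stand-in for an HTTP client: serves one version from memory."""
    return lambda path: None if path in missing else CONTENT[version].get(path)
```

An empty candidate list means none of the requested files matched and the result should be reported as "not detected"; more than one candidate means the files that could be read only narrow the installation down to a range of versions.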