I'm switching out of lurk mode briefly to say that I'm delighted by the plan to add a REST API, and would be happy to assist.
This is something my team may well make use of in the future. We do most of our scanning with IBM Rational AppScan at the moment, but I've been considering w3af as a supplement for a while. Being able to automate w3af through a REST API would go a long way toward being able to scan a lot more often (our AppScan license is currently booked pretty solidly doing final acceptance scans). Once the w3af scan REST API is in prototype stage, I should be able to find some things around here to test it against, and since the technology stack matches ours, I may also be able to submit patches for simple issues.

- Edward

Edward Delaporte
Lead Software Developer, CITES Software Development Group
University of Illinois at Urbana Champaign
Email: delap...@illinois.edu
Lync/Cell Phone: 217-244-6420

________________________________________
From: w3af-develop-requ...@lists.sourceforge.net [w3af-develop-requ...@lists.sourceforge.net]
Sent: Thursday, March 20, 2014 10:09 AM
To: w3af-develop@lists.sourceforge.net
Subject: W3af-develop Digest, Vol 74, Issue 3

Today's Topics:

   1. Bug fixing sprint (Andres Riancho)
   2. REST API for w3af (Andres Riancho)
   3. Re: REST API for w3af (Bipin Upadhyay)
   4. Re: REST API for w3af (Andres Riancho)
   5. Re: REST API for w3af (Bipin Upadhyay)

----------------------------------------------------------------------

Message: 1
Date: Wed, 19 Mar 2014 15:48:17 -0300
From: Andres Riancho <andres.rian...@gmail.com>
Subject: [W3af-develop] Bug fixing sprint
To: "w3af-develop@lists.sourceforge.net" <W3af-develop@lists.sourceforge.net>
Message-ID: <CA+1Rt65oi_H3G2nR9hgJGr=tom_yfgd4lxc6ocdrvo63qwi...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

List,

I've been fixing a lot of the bugs I prioritized last week, these are the bugs blocking the next release:

* nosetests w3af/plugins/tests/audit/test_os_commanding.py is unstable
* Broken youtube links and url links
* AssertionError: Can NOT join a stopped consumer
* An exception was found while running audit.os_commanding at mutant.py:_create_mutants_worker():274
* pybloomfiltermmap stack overflow crash on startup - Mac OSX blocker

And you can find them here [0]. If you're interested in helping out with any of those, you're more than welcome to join the w3af channel at freenode and speak up!

[0] https://github.com/andresriancho/w3af/issues?labels=bug&milestone=7&state=open

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

------------------------------

Message: 2
Date: Thu, 20 Mar 2014 11:47:00 -0300
From: Andres Riancho <andres.rian...@gmail.com>
Subject: [W3af-develop] REST API for w3af
To: "w3af-us...@lists.sourceforge.net" <w3af-us...@lists.sourceforge.net>, "w3af-develop@lists.sourceforge.net" <W3af-develop@lists.sourceforge.net>
Message-ID: <CA+1Rt67yxjGOXX3dBAC0tYi3UJ=_v9muhbp6dzab0ef_f-t...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Lists,

Talking with different users off-list, I've noticed that the advanced users want to integrate w3af with other tools, and while this is possible today (w3af console script + XML output) it is not the best approach.

The world is moving towards REST APIs, and we're going there too. A REST API allows users to spawn a w3af server in their datacenter and have it run scans of all their web applications, calling it remotely from continuous integration / delivery systems, etc.

w3afRemote [1] was an innovative project built by Deb some time ago, which had the main goals but a different technology stack: xmlrpc. Together with Deb we've decided to code a REST API wrapper around w3afCore/kb and make that part of the project. When this is done you'll be able to run ./w3af_api and have a fully functioning HTTP daemon exposing the REST API listening on localhost.

This part of the project is just starting [0]: we have the idea and some time to dedicate to it. If you want to join us speak now!; your input is very valuable.

[0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open
[1] http://sourceforge.net/projects/w3afremote/

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

------------------------------

Message: 3
Date: Thu, 20 Mar 2014 16:01:25 +0100
From: Bipin Upadhyay <muxical.g...@gmail.com>
Subject: Re: [W3af-develop] REST API for w3af
To: Andres Riancho <andres.rian...@gmail.com>
Cc: "w3af-us...@lists.sourceforge.net" <w3af-us...@lists.sourceforge.net>, "w3af-develop@lists.sourceforge.net" <W3af-develop@lists.sourceforge.net>
Message-ID: <CALCtKA+jQ0JJud_TTnL8eYPpqTsChVXzZ00kDejdoekX5uaX=a...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

This is good news, Andres!
Is the API list available somewhere for us to see before it's actually implemented? It's been my personal experience that defining a REST API properly is vital before getting started with the code. It may provoke a purist vs non-purist REST debate, but it mostly works in favor of the project.

--
Bipin Upadhyay
http://projectbee.org/

On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <andres.rian...@gmail.com> wrote:

> Lists,
>
> Talking with different users off-list, I've noticed that the
> advanced users want to integrate w3af with other tools, and while this
> is possible today (w3af console script + XML output) it is not the
> best approach.
>
> The world is moving towards REST APIs, and we're going there too.
> A REST API allows users to spawn a w3af server in their datacenter and
> have it run scans of all their web applications, calling it remotely
> from continuous integration / delivery systems, etc.
>
> w3afRemote [1] was an innovative project built by Deb some time
> ago, which had the main goals but a different technology stack:
> xmlrpc. Together with Deb we've decided to code a REST API wrapper
> around w3afCore/kb and make that part of the project. When this is
> done you'll be able to run ./w3af_api and have a fully functioning
> HTTP daemon exposing the REST API listening on localhost.
>
> This part of the project is just starting [0]: we have the idea
> and some time to dedicate to it. If you want to join us speak now!;
> your input is very valuable.
>
> [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open
> [1] http://sourceforge.net/projects/w3afremote/
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

------------------------------

Message: 4
Date: Thu, 20 Mar 2014 12:06:51 -0300
From: Andres Riancho <andres.rian...@gmail.com>
Subject: Re: [W3af-develop] REST API for w3af
To: Bipin Upadhyay <muxical.g...@gmail.com>
Cc: "w3af-us...@lists.sourceforge.net" <w3af-us...@lists.sourceforge.net>, "w3af-develop@lists.sourceforge.net" <W3af-develop@lists.sourceforge.net>
Message-ID: <CA+1Rt64j_pxb7xgL6v23=drzqk2yrmgurekhxqr4fapygvb...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

+1 on defining the API before coding.
For now nothing is really defined, any chance you've got the time to draft the first version in the wiki?

On Thu, Mar 20, 2014 at 12:01 PM, Bipin Upadhyay <muxical.g...@gmail.com> wrote:
> This is good news, Andres!
> Is the API list available somewhere for us to see before it's actually
> implemented? It's been my personal experience that defining a REST API
> properly is vital before getting started with the code. It may provoke a
> purist vs non-purist REST debate, but it mostly works in favor of the
> project.
>
> --
> Bipin Upadhyay
> http://projectbee.org/
>
>
> On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>>
>> Lists,
>>
>> Talking with different users off-list, I've noticed that the
>> advanced users want to integrate w3af with other tools, and while this
>> is possible today (w3af console script + XML output) it is not the
>> best approach.
>>
>> The world is moving towards REST APIs, and we're going there too.
>> A REST API allows users to spawn a w3af server in their datacenter and
>> have it run scans of all their web applications, calling it remotely
>> from continuous integration / delivery systems, etc.
>>
>> w3afRemote [1] was an innovative project built by Deb some time
>> ago, which had the main goals but a different technology stack:
>> xmlrpc. Together with Deb we've decided to code a REST API wrapper
>> around w3afCore/kb and make that part of the project. When this is
>> done you'll be able to run ./w3af_api and have a fully functioning
>> HTTP daemon exposing the REST API listening on localhost.
>>
>> This part of the project is just starting [0]: we have the idea
>> and some time to dedicate to it. If you want to join us speak now!;
>> your input is very valuable.
>>
>> [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open
>> [1] http://sourceforge.net/projects/w3afremote/
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

------------------------------

Message: 5
Date: Thu, 20 Mar 2014 16:08:39 +0100
From: Bipin Upadhyay <muxical.g...@gmail.com>
Subject: Re: [W3af-develop] REST API for w3af
To: Andres Riancho <andres.rian...@gmail.com>
Cc: "w3af-us...@lists.sourceforge.net" <w3af-us...@lists.sourceforge.net>, "w3af-develop@lists.sourceforge.net" <W3af-develop@lists.sourceforge.net>
Message-ID: <calctka+30rzj89gytz1kpprhm4hk8_yn9zwtvlep82zncud...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I'd love to, but haven't played with w3af in a while (change of jobs, country). I can assist you though.

--
Bipin Upadhyay
http://projectbee.org/

On Thu, Mar 20, 2014 at 4:06 PM, Andres Riancho <andres.rian...@gmail.com> wrote:

> +1 on defining the API before coding.
> For now nothing is really defined, any chance you've got the time to
> draft the first version in the wiki?
>
> On Thu, Mar 20, 2014 at 12:01 PM, Bipin Upadhyay <muxical.g...@gmail.com>
> wrote:
> > This is good news, Andres!
> > Is the API list available somewhere for us to see before it's actually
> > implemented? It's been my personal experience that defining a REST API
> > properly is vital before getting started with the code. It may provoke a
> > purist vs non-purist REST debate, but it mostly works in favor of the
> > project.
> >
> > --
> > Bipin Upadhyay
> > http://projectbee.org/
> >
> >
> > On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <andres.rian...@gmail.com>
> > wrote:
> >>
> >> Lists,
> >>
> >> Talking with different users off-list, I've noticed that the
> >> advanced users want to integrate w3af with other tools, and while this
> >> is possible today (w3af console script + XML output) it is not the
> >> best approach.
> >>
> >> The world is moving towards REST APIs, and we're going there too.
> >> A REST API allows users to spawn a w3af server in their datacenter and
> >> have it run scans of all their web applications, calling it remotely
> >> from continuous integration / delivery systems, etc.
> >>
> >> w3afRemote [1] was an innovative project built by Deb some time
> >> ago, which had the main goals but a different technology stack:
> >> xmlrpc. Together with Deb we've decided to code a REST API wrapper
> >> around w3afCore/kb and make that part of the project. When this is
> >> done you'll be able to run ./w3af_api and have a fully functioning
> >> HTTP daemon exposing the REST API listening on localhost.
> >>
> >> This part of the project is just starting [0]: we have the idea
> >> and some time to dedicate to it. If you want to join us speak now!;
> >> your input is very valuable.
> >>
> >> [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open
> >> [1] http://sourceforge.net/projects/w3afremote/
> >>
> >> Regards,
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

------------------------------

End of W3af-develop Digest, Vol 74, Issue 3