Taras,

On Sat, Dec 27, 2008 at 4:13 PM, Andres Riancho <[email protected]> wrote:
> Taras,
>
> On Tue, Dec 23, 2008 at 11:45 AM, Taras Ivashchenko <[email protected]> wrote:
>> Hello, Andres!
>> I would like to contribute it.
>
> Have you been able to make any progress with this plugin?

I saw that you modified the plugin and that it's working almost as expected. I just wanted to let you know that there is a problem with the plugin! Try to enable the sslCertificate and a discovery.webSpider, and you'll see how the info objects in the kb are created more than one time (actually, one time for every fuzzableRequest that's created by the discovery plugins). I think that you should perform all the checks only one time for each new certificate that is sent by the remote web server.

Cheers,

> Thanks!
>
>> Тарас Иващенко (Taras Ivashchenko)
>> --
>> "Software is like sex: it's better when it's free.", - Linus Torvalds.
>>
>> 2008/12/23 Andres Riancho <[email protected]>:
>>> List,
>>>
>>> I'm looking for a contributor to finish up a small section of the
>>> audit.sslCertificate plugin.
>>>
>>> I've been coding this plugin and I've got to a section where my
>>> knowledge is scarce and my research time is *so* limited that I won't
>>> be able to do it by myself. My problem is in the "def
>>> _analyze_cert(self, cert, ssl_conn):" method of the
>>> audit.sslCertificate plugin, where tests related to the SSL
>>> certificate of the remote website should be implemented. I've been
>>> doing some Google searches and I found these links that might help:
>>>
>>> - http://www.nessus.org/plugins/index.php?view=single&id=26928
>>> - http://www.nessus.org/plugins/index.php?view=single&id=31705
>>>
>>> The idea is to check if the ciphers used are safe, if the SSL
>>> version is ok, if the certificate has expired or not, if it's self
>>> signed, and other security related things about the cert. If you want
>>> to help, just download the latest w3af version from the SVN in order
>>> to get the latest plugin version, answer this email to the mailing
>>> list and just start working =)
>>>
>>> Thanks in advance!
>>>
>>> Cheers,
>>> --
>>> Andres Riancho
>>> http://w3af.sourceforge.net/
>>> Web Application Attack and Audit Framework
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> W3af-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>
>>
>
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
>

--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
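
The once-per-certificate behaviour requested in the message above, as an added example that is not part of the original thread or of w3af's code: findings are keyed on the endpoint plus the SHA-256 of the DER certificate, so repeated requests to the same server do not create duplicate entries. The names `CertCheckCache`, `check_cert` and `run_demo`, the host, and the sample certificates are assumptions; the certificate dicts follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import hashlib
import ssl

def check_cert(host, port, cert, now):
    """Checks on a dict shaped like ssl.SSLSocket.getpeercert() output."""
    found = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        found.append((host, port, "expired"))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        found.append((host, port, "not yet valid"))
    # Heuristic only: proving self-signature needs signature verification.
    if cert["subject"] == cert["issuer"]:
        found.append((host, port, "subject equals issuer (likely self-signed)"))
    return found

class CertCheckCache:
    """Analyze each distinct certificate once per endpoint (hypothetical helper)."""
    def __init__(self):
        self._seen = set()    # (host, port, SHA-256 of the DER certificate)
        self.findings = []    # stands in for the plugin's knowledge base

    def analyze_once(self, host, port, der, cert, now):
        key = (host, port, hashlib.sha256(der).hexdigest())
        if key in self._seen:
            return False      # same certificate already reported
        self._seen.add(key)
        self.findings.extend(check_cert(host, port, cert, now))
        return True

def run_demo():
    # Constructed sample data: placeholder DER bytes and certificate fields.
    name_a = ((("commonName", "example.test"),),)
    name_ca = ((("commonName", "Constructed Test CA"),),)
    old = {"subject": name_a, "issuer": name_a,
           "notBefore": "Jan 01 00:00:00 2007 GMT",
           "notAfter": "Jan 01 00:00:00 2008 GMT"}
    new = {"subject": name_a, "issuer": name_ca,
           "notBefore": "Dec 20 00:00:00 2008 GMT",
           "notAfter": "Dec 20 00:00:00 2009 GMT"}
    now = ssl.cert_time_to_seconds("Dec 27 16:13:00 2008 GMT")
    cache = CertCheckCache()
    analyzed = 0
    # Four requests found by discovery hit the same endpoint and certificate,
    # then the server presents a replacement certificate.
    seen = [(b"constructed-der-old", old)] * 4 + [(b"constructed-der-new", new)]
    for der, cert in seen:
        analyzed += cache.analyze_once("example.test", 443, der, cert, now)
    return analyzed, cache.findings

if __name__ == "__main__":
    print(run_demo())
```

Including the fingerprint in the key means a certificate change on the same host and port is analyzed again, while every further request that sees an already-analyzed certificate is skipped.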
