The OWASP top 10 project, WASC threat classification, and OWASP testing guide should get you on your way to understanding the flaws and what the w3af test results mean.
http://www.owasp.org/index.php/Top_10
http://projects.webappsec.org/Threat-Classification
http://www.owasp.org/index.php/Category:OWASP_Testing_Project

Testing the scanner against software with known flaws is important, which is why Andres' Moth, my Web Security Dojo, and the OWASP Broken Web Application projects exist. I also highly recommend you work through the OWASP WebGoat, which is installed in the Dojo and OWASP BWA projects. It is a training class that walks you through what many of the web security flaws are and how to find them. Of course I think Dojo is the easiest way to install and use WebGoat, but I might be biased ;-) Dojo also includes all the documentation referenced above.

http://dojo.mavensecurity.com
http://www.bonsai-sec.com/en/research/moth.php
http://code.google.com/p/owaspbwa/wiki/ProjectSummary

As for w3af-specific links, there are a few videos of Andres' talks out there which can be helpful in getting started, and the documentation is much better than most security tools out there. I'd recommend you spend more time learning what the flaws are and how to do manually what the tool tries to do, using the resources above. Then if you have w3af-specific questions, ask again here. ;-)

Steve

Alicia Danes wrote:
> Hi everyone,
>
> My name is Jim and I am new to this mailing list and new to the W3af tool.
> I also happen to be a Linux newbie, but I have been working to change
> that, and recently got my feet wet with Backtrack 4.
> I got interested in W3af ever since my site got hacked. It just so
> happens that I woke up this morning to a second attack on my site.
>
> I wear many hats in my self-run little company and I need to get up to
> speed on pen-testing and security quickly. So over the weekend I gave
> W3af a try. The trouble is, how do I go about interpreting the results?
> The output was readable enough and made sense in several areas, but
> other areas left me scratching my head. Apologies if this has been asked
> before, but are there some hidden or user-written manuals (other than
> the official one by the W3af team that I have read) that will help me
> learn to decipher and act upon the results somewhat quickly?
>
> Thanks everyone! I look forward to learning more about the W3af tool and
> its many uses!
>
> Best regards,
>
> Jim Danes

--
| Steven Pinkham, Security Researcher |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
