With regards to AJAX support, that is a very weak area in security scanners at
the moment, and a real opportunity for someone like W3AF to get the jump on the
problem and get ahead of the curve (and, therefore, increase adoption). My
personal bias is the extensive adoption of GWT ajax technology and lack of
supporting security scanning.
From a user point of view, there are two different points of interest:
- comprehensive scanning (i.e. wivet/etc to create the crawl list, which doesn't
  identify ajax calls that well).
- specific/user-driven scanning (usually accomplished by a user interacting with a
  record proxy, which captures the HTTP ajax request/responses. Think Jmeter
  recording proxies).
However, with AJAX there is a single problem to work with -- a single action
(button or hyperlink click) will make 0-N ajax requests (or normal non-ajax
requests). It isn't a one-to-one, nor is it a 'page' from normal security
scanning (i.e. the crawler problem). Also, there are poll/push ajax requests,
but that is for another time.
Probably the best approach is combining a crawler (that follows
buttons/clickable divs/etc) with a proxy recorder for the time being just to
re-use what already exists and (mostly) works to get the items that need an
actual security scan from a comprehensive point of view, and just re-use the
proxy recorder for the specific user driven scans.
The actual security review of the requests/responses once you have the list,
well, I'll leave that to the more knowledgeable folks...which coincides with
previous discussions about authenticated sessions over the span of the
scan/security review, which is also relevant to ajax :-)
my two coppers from an outside point of view,
-D
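
An added example, not part of the original message and not w3af code: one way to turn a crawler's click log plus a proxy recording into a scan list, attributing 0-N requests to each action. The data layout, the timestamp-based attribution and the AJAX header heuristic are assumptions, and all sample data is constructed.

```python
from collections import OrderedDict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data: crawler actions (time, label) and proxy-recorded
# requests (time, method, URL, headers). Times are seconds since scan start.
ACTIONS = [(0.0, "click #search"), (5.0, "click #help-toggle"), (9.0, "click #save")]
RECORDED = [
    (0.2, "GET", "http://app.example/api/search?q=a&page=1", {"X-Requested-With": "XMLHttpRequest"}),
    (0.4, "GET", "http://app.example/api/suggest?q=a", {"X-Requested-With": "XMLHttpRequest"}),
    (9.1, "POST", "http://app.example/app/rpc", {"Content-Type": "text/x-gwt-rpc; charset=utf-8"}),
    (9.3, "GET", "http://app.example/api/search?q=b&page=2", {"X-Requested-With": "XMLHttpRequest"}),
    (9.6, "GET", "http://app.example/saved.html", {}),
]

def is_ajax(headers):
    """Heuristic (assumption): XHR marker header or a GWT-RPC content type."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return (h.get("x-requested-with") == "xmlhttprequest"
            or h.get("content-type", "").startswith("text/x-gwt-rpc"))

def scan_key(method, url):
    """Collapse a request to (method, path, sorted parameter names)."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (method, parts.path, names)

def correlate(actions, recorded):
    """Attribute each request to the latest action at or before it (0-N per action)."""
    actions = sorted(actions)
    by_action = OrderedDict((label, []) for _, label in actions)
    targets = OrderedDict()  # scan_key -> {"ajax": bool, "actions": [labels]}
    for ts, method, url, headers in sorted(recorded, key=lambda r: r[0]):
        owner = None
        for a_ts, label in actions:
            if a_ts <= ts:
                owner = label
        if owner is None:
            continue  # traffic before the first action (e.g. initial page load)
        key = scan_key(method, url)
        by_action[owner].append(key)
        entry = targets.setdefault(key, {"ajax": is_ajax(headers), "actions": []})
        if owner not in entry["actions"]:
            entry["actions"].append(owner)
    return by_action, targets
```

`targets` is the deduplicated list to hand to the scanner; `by_action` shows which clicks produced nothing. Timestamp attribution does not handle the poll/push requests the message sets aside.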
=============
1. Re: [W3af-develop] W3AF for enterprise? (Andres Riancho)
>> For the future - we really need more powerful AJAX support:
>> - FF plugin
>> - own parsing engine (webkit+v8)?
>> - selenium
>> What do you guys think about these things?
>>
>
> All these are on the roadmap. I suggest you check it out ;-)
> I think Andres has made a good plan. Just waits to be seen:
> 1) How the funding works out/ how long it lasts
> 2) if lazy lurkers like me get off their butt and contribute more ;-)
>
> Hitting the 1.0 milestone should make w3af much more useful for me, and
> hence easier to justify spending time on. Digging in enough to fix a
> few of the major 1.0 bugs seems tough even for the author of the code,
> so it's hard for anyone else to want to touch them.
>
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users