Hello: I'm hoping to get some feedback on the following issue.
Background

We are running the following:
- w3af revision 3623
- w3af host: Fedora core <<2.6.33.3-85.fc13.i686.PAE>>
- target: custom drupal installation with end user data

Objective:
- I would like to bring back data for the OWASP-top-10 discovery and audit plugins
- discovery: allowedMethods, content_negotiation, detectReverseProxy, detectTransparentProxy, digitSum, dir_bruter, domain_dot, favicon_identification, findBackdoor, fingerprint_os, hmap, phpEggs, phpinfo, pykto, robotsReader, serverHeader, serverStatus, slash, urlFuzzer, urllist_txt, webSpider, wordnet, wsdlFinder
- audit: frontpage, eval, blindSqli, phishingVector, xsrf, mxInjection, preg_replace, localFileInclude, LDAPi, osCommanding, ssi, sqli, buffOverflow, xpath, generic, htaccessMethods, remoteFileInclude, responseSplitting, formatString, globalRedirect, xst, xss, fileUpload

Approach:
- To begin scoping the scan, I decided to keep it very simple and run **only** the WebSpider and xss plugins. After 3+ days the scan had not completed. This was not tenable.
- I then decided to run the owasp-top-10 discovery plugins only. This scan completed overnight and delivered 23,000 lines of output in the text file. I now had a data set to audit.
- There were 20022 URIs reported. <<For the purposes of this email, I'm assuming a URI = https://this.is.our.site/go/to/this?name1=value1&name2=value2>>
- However, I parsed through the output and discovered that there were only ~240 unique URIs **if** I ignore the differences in the parameter values. The presence of end user data seems to have ballooned the discovery results.
- If I then batch these URIs into groups of ~25 and place them after the "set target" directive **and** only run the xss audit plugin, I can get good results in about 3 hours for all 240 targets.

Questions:
- I know that w3af is designed to work recursively in that the discovery and audit plugins work back and forth to discover new injection points and find additional URIs/URLs.
  Is it possible that I am missing true xss vulnerabilities by using the approach above?
- I noticed that the XSS plugin **will** discover the allowed methods and parameters for each URL you feed it. If that's the case, then it would seem that this is a legitimate way to scope the scan and save time as the xss plugin will be fuzzing all of the possible injection points?

Thoughts?

----
Philip J. Hartlieb (PhD.)
GSLC / Security+
Systems Engineer

"They would take their software out and race it in the black desert of the electronic night." -- Snow Crash

_______________________________________________
W3af-users mailing list
https://lists.sourceforge.net/lists/listinfo/w3af-users
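The de-duplication step described in the post (collapsing the spidered URIs to one entry per path and parameter-name set, ignoring parameter values, then batching them into groups of ~25), written out as an added Python example. This is not code from the original post or from w3af; the sample URIs are constructed, and the exact syntax w3af expects after `set target` is not assumed here, so the script only produces the batches.

```python
from collections import OrderedDict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of spidered URIs (not real w3af output): many
# distinct parameter values, few distinct (path, parameter-name) shapes.
SAMPLE_URIS = [
    "https://this.is.our.site/go/to/this?name1=value1&name2=value2",
    "https://this.is.our.site/go/to/this?name1=value9&name2=value3",
    "https://this.is.our.site/go/to/this?name2=other&name1=x",
    "https://this.is.our.site/go/to/this",
    "https://this.is.our.site/user/17/edit?destination=node%2F3",
    "https://this.is.our.site/user/42/edit?destination=node%2F8",
    "https://this.is.our.site/node/5",
    "https://this.is.our.site/node/5",
]


def injection_shape(uri):
    """Key that ignores parameter values but keeps everything an audit
    plugin fuzzes: scheme, host, path and the set of parameter names.
    Note: numeric path segments (e.g. /user/17/edit) stay distinct; that
    is the same counting rule the post used (parameter values only)."""
    parts = urlsplit(uri)
    names = tuple(sorted(
        k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.scheme, parts.netloc.lower(), parts.path, names)


def dedupe_targets(uris):
    """One representative URI per shape, first seen wins. The original
    parameter values are kept so every injection point is still present
    when the URI is handed to the audit plugin."""
    seen = OrderedDict()
    for uri in uris:
        uri = uri.strip()
        if uri:
            seen.setdefault(injection_shape(uri), uri)
    return list(seen.values())


def batch(items, size=25):
    """Split the target list into groups of `size` for separate scan runs."""
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    targets = dedupe_targets(SAMPLE_URIS)
    for n, group in enumerate(batch(targets, 25), 1):
        print(f"# batch {n}: {len(group)} targets")
        for t in group:
            print(t)
```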
