On 12/10/2010 05:30 AM, Thiago Stuckert wrote:
> Every time I ran w3af I realized that I didn't choose the
> plugins correctly, because
> whenever the program is running it takes a long time and doesn't return
> good results.
> I know that the choice of plugins is influenced by many factors,
> but I would like to know the generic configuration used by you.
For "spray and pray" scanning I tend to use the "OWASP_TOP_10" profile, with the output htmlFile and textFile plugins turned on. It seems to perform rather well, and much better in the recent versions than it has in the past.

If it's a non-public site, I have a slightly modified copy of the OWASP_TOP_10 preset that turns off the discovery plugins yahooSiteExplorer, bing_spider, and userDir (which depends on and auto-enables fingerGoogle, fingerBing, and fingerPKS unless you turn it off).

Note that I mostly only use w3af itself on unauthenticated sites at the moment, and am playing with this for other uses:
http://blog.ombrepixel.com/post/2010/09/09/Running-w3af-plugins-in-Burp-Suite

> --
> Thiago

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
