On 04/19/2011 07:44 PM, davide sozzi wrote:
> Hi all,
>
> I am looking around for a web security scanner and I was checking
> various tools, then I found W3AF. Well, since this is all new stuff for
> me I was wondering, what's the W3AF OWASP Top 10 coverage? Also what
> kind of files are scanned by W3AF?
>
> I am sorry but I couldn't find the answer to these questions in the FAQ
> section.
>
> Thanks
>
> Davide
We don't evaluate scanners that way. Here's why:
https://www.whitehatsec.com/home/assets/WPOWASPtopten1109.pdf

There is no scanner on earth capable of finding everything in the Top 10. Even if you narrow it down to SQL injection, which is a subset of A1 - Injection flaws from the OWASP Top 10, there is no scanner out there which can find every instance of it.

w3af has plugins for most things that are automatable. It has a fairly broad coverage, but has some bugs that make it miss a number of things still. Much like any other scanner. See this blog for some relevant info limited to recent XSS and SQL injection testing:
http://sectooladdict.blogspot.com/

Of course, since this test everyone has been trying to up their game to pass it, and so far in the free space arachni (https://github.com/Zapotek/arachni) has done the best job on XSS, and there were some good tools in that report for SQL injection.

At the moment, w3af excels at finding the "weird" stuff. No other free tool has the breadth it has. See the "audit" and "grep" parts of this page for the things you are asking for:
http://w3af.sourceforge.net/plugin-descriptions.php

The more interesting ones are the discovery plugins. The problem most scanners have is not so much "can I find the flaws" but "can I find requests to test for flaws in the first place".

The question you are not asking, and the one you really need answered, is "what am I expecting automated tools to do for me". Even at the tens-of-thousands-of-dollars-a-year level, the tools require much babysitting and tuning to get any decent results.

tl;dr: w3af works on all technologies, and finds many classes of flaws, if not in all circumstances. Experience is still more important than tooling in application security, and I highly recommend you grab something like Web Security Dojo or Samurai and Moth and see how the tools work, what the limitations are, and how to discern false positives for yourself.
-- 
Steven Pinkham, Security Consultant
http://www.mavensecurity.com
GPG public key ID CD31CAFB
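To make the discovery-versus-audit point from the reply above concrete, here is an added illustration (not code from w3af or from the poster): a toy scanner with a discovery phase that crawls links and forms, an audit phase that injects a canary into every discovered parameter, and a grep phase that passively inspects every response. The target is a fake in-memory web app constructed for the example; the phase names, the canary string, the hostname target.test and all URLs are assumptions, not w3af internals. One injection point is only reachable through a link built by script, so the HTML crawler never finds it and the audit never tests it, however good the audit logic is.

```python
"""Toy discovery -> audit -> grep scan of a fake web app (added example, not w3af code)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# ---- Fake target, constructed for this example: path -> handler(params) -> HTML body
def _index(params):
    return ('<html><a href="/search?q=test">search</a>'
            '<form action="/login" method="post">'
            '<input name="user"><input name="pass" type="password"></form>'
            '<a href="/about">about</a>'
            # Link assembled only by script: an HTML parser never sees it.
            "<script>var u = '/hidden?id=' + 1;</script></html>")

def _search(params):
    return f"<html>Results for {params.get('q', '')}</html>"   # reflected unescaped

def _hidden(params):
    return f"<html>Item {params.get('id', '')}</html>"          # also reflected

def _login(params):
    return "<html>bad credentials</html>"

def _about(params):
    return "<html>About us. Powered by Apache/2.2.3 (CentOS)</html>"

FAKE_APP = {"/": _index, "/search": _search, "/hidden": _hidden,
            "/login": _login, "/about": _about}

def send(url, params=None):
    """Stand-in for an HTTP request; explicit params override the query string."""
    parts = urlsplit(url)
    merged = dict(parse_qsl(parts.query))
    merged.update(params or {})
    return FAKE_APP[parts.path](merged)

# ---- Discovery phase -------------------------------------------------------
class _LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form> actions with their <input> names."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").upper(), "fields": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def discover(start="http://target.test/"):
    """Crawl from `start` and return the fuzzable requests (method, url, params)."""
    seen, queue, requests = set(), [start], []
    while queue:
        url = queue.pop(0)
        path = urlsplit(url).path
        if path in seen:
            continue
        seen.add(path)
        parser = _LinkFormParser()
        parser.feed(send(url))
        requests.append({"method": "GET", "url": url,
                         "params": dict(parse_qsl(urlsplit(url).query))})
        queue.extend(urljoin(url, href) for href in parser.links)
        for form in parser.forms:
            requests.append({"method": form["method"], "url": urljoin(url, form["action"]),
                             "params": {name: "" for name in form["fields"]}})
    return requests

# ---- Audit phase -----------------------------------------------------------
CANARY = "w3afcanary<>\"'"   # hypothetical marker; unescaped reflection means XSS

def audit_xss(requests):
    """Inject the canary into every parameter of every request; report reflections."""
    findings = []
    for req in requests:
        for name in req["params"]:
            payload = dict(req["params"], **{name: CANARY})
            if CANARY in send(req["url"], payload):
                findings.append((urlsplit(req["url"]).path, name))
    return findings

# ---- Grep phase ------------------------------------------------------------
_BANNER = re.compile(r"\b(Apache|nginx|IIS)/[\d.]+")

def grep_server_banners(requests):
    """Passively inspect every response for server version disclosure."""
    hits = set()
    for req in requests:
        match = _BANNER.search(send(req["url"], req["params"]))
        if match:
            hits.add((urlsplit(req["url"]).path, match.group(0)))
    return sorted(hits)

if __name__ == "__main__":
    found = discover()
    print("discovered:", [(r["method"], urlsplit(r["url"]).path, list(r["params"])) for r in found])
    print("xss:", audit_xss(found))               # /search q found, /hidden id never tested
    print("banners:", grep_server_banners(found))
    # Hand the auditor the request discovery missed and the second flaw appears:
    extra = [{"method": "GET", "url": "http://target.test/hidden?id=1", "params": {"id": "1"}}]
    print("xss with manual request:", audit_xss(found + extra))
```

The audit logic is identical in both runs; only the request list differs. That is the babysitting the reply describes: feeding the scanner the requests (from a proxy log, a spider that executes script, or by hand) that its own discovery cannot reach.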
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
