Hi, thanks for your reply. But if I understood correctly, W3AF is able to cover all Top 10 OWASP risks (using different plugins), but it's not 100% accurate, right?

Also, does W3AF test web services?

Thanks

Davide

On 20 April 2011 02:32, Steve Pinkham <[email protected]> wrote:
> On 04/19/2011 07:44 PM, davide sozzi wrote:
>> Hi all,
>>
>> I am looking around for a web security scanner and I was checking
>> various tools, then I found W3AF. Well, since this is all new stuff for
>> me I was wondering, what's the W3AF Top 10 OWASP coverage? Also what
>> kind of files are scanned by W3AF?
>>
>> I am sorry but I couldn't find the answer to these questions in the FAQ
>> section.
>>
>> Thanks
>>
>> Davide
>
> We don't evaluate scanners that way.
>
> Here's why:
> https://www.whitehatsec.com/home/assets/WPOWASPtopten1109.pdf
>
> There is no scanner on earth capable of finding everything in the top
> 10. Even if you narrow it down to SQL Injection, which is a subset of A1
> - Injection flaws from the OWASP top 10, there is no scanner out there which
> can find every instance of it.
>
> w3af has plugins for most things that are automatable. It has a fairly
> broad coverage, but has some bugs that make it miss a number of things
> still. Much like any other scanner.
>
> See this blog for some relevant info limited to recent XSS and SQL
> injection testing: http://sectooladdict.blogspot.com/
>
> Of course, since this test everyone has been trying to up their game to
> pass it, and so far in the free space
> arachni (https://github.com/Zapotek/arachni) has done the best job on
> XSS, and there were some good tools in that report for SQL injection.
>
> At the moment, w3af excels at finding the "weird" stuff. No other free
> tool has the breadth it has.
>
> See the "audit" and "grep" parts of this page for the things you are
> asking for.
>
> http://w3af.sourceforge.net/plugin-descriptions.php
>
> The more interesting ones are the discovery plugins. The problem most
> scanners have is not so much "can I find the flaws" but "can I find
> requests to test for flaws in the first place".
>
> The question you are not asking, and the one you really need answered, is
> "what am I expecting automated tools to do for me?"
> Even at the tens-of-thousands-of-dollars-a-year level, the tools require
> much babysitting and tuning to get any decent results.
>
> tl;dr: w3af works on all technologies, and finds many classes of flaws,
> if not in all circumstances. Experience is still more important than
> tooling in Application Security, and I highly recommend you grab
> something like Web Security Dojo or Samurai and Moth and see how the
> tools work, what the limitations are, and how to discern false positives
> for yourself.
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
