Andres:
> the objective is rather weak. What I would love to see
> is this plugin not only identifying the existence of
> wicket, but also something like the framework version,
> a known vulnerability in the framework, or something
> similar.
> What do you think about that? Can it be
> achieved?

As far as I know, Wicket could be CSRFed, but it is hard to do and even harder to detect. The forums lightly state that it is not possible, but I did it to an application of another team. I do not know if it was a misconfiguration/bad-practice problem or if it is related to Wicket itself, as the other team has neither evaluated nor fixed the issue yet. I will have to wait for their answer. Suppose it is an issue: how does the script report it? It is still a grep plugin, ain't it?

Meanwhile, I am planning to write one to detect PHP's Symfony framework presence and to detect if a POST form has CSRF protection deactivated (it's activated by default, but sometimes it gets in the way of inexpert programmers). I mention it to drive your answer to my questions.

About "rather weak": what is w3af's philosophy regarding "true negatives", like detecting a target without known vulnerabilities? How can a user tell that apart from w3af not knowing anything about the target? As an example, w3af detected that the application was running on top of Apache Tomcat version XXX (don't remember) from an error message, and I had to browse OSVDB, NVD or something like these, I don't remember. It's OK with me. What is the difference from this case?

Send me to w3af's documentation without hesitation if the answers are there; keep in mind that I am not lazy, I just have no time. I have a very difficult exam next Monday and I won't see any mail until Tuesday, so answer me with no hurry! Please! You know, w3afing is more fun than studying!

Thank you

Carlos Pantelides
-----------------
http://seguridad-agile.blogspot.com/
_______________________________________________
W3af-users mailing list
https://lists.sourceforge.net/lists/listinfo/w3af-users
