Hi,
I would like to run W3AF against a commercial web application which uses similar technologies as Webgoat. Do you think that the applications which you mentioned will be able to provide some baseline for comparing results? I need to find out whether W3AF can correctly detect vulnerabilities in deliberately vulnerable applications before running it against the commercial application. The vulnerable application should be as close as possible to the commercial one in terms of the technologies used.
Thank you,
Vojtěch Polášek

On 1.12.2015 at 14:19, Andres Riancho wrote:
> webgoat is not usually a good target for testing scanners. I would
> recommend other applications such as:
> * http://testphp.acunetix.com/
> * https://github.com/andresriancho/django-moth
>
> On Mon, Nov 30, 2015 at 3:41 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>> Greetings,
>> thanks for the reply, I will try it out.
>> To be exact, I am running W3Af against OWASP Webgoat, which runs on Tomcat.
>> Best regards,
>> Vojta
>>
>> On 30.11.2015 at 18:54, Andres Riancho wrote:
>>> Vojtěch,
>>>
>>> Questions are welcome :)
>>>
>>> I assume you wanted to say JavaScript instead of Java; if JS is
>>> heavily used, then yes, the web_spider is "almost useless".
>>>
>>> Well, the scan of the target URL can't be prevented, but if you
>>> set the URL to http://target.com/ and disable web_spider, then w3af
>>> won't have any parameters to find vulnerabilities in and the target is
>>> "ignored" (most likely, haven't tested it).
>>>
>>> Regards,
>>>
>>> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>> Greetings,
>>>> my name is Vojtěch Polášek and I am a blind IT student from the Czech Republic.
>>>> As a part of my bachelor thesis, I am researching some tools for
>>>> security analysis of web applications. One of those tools is W3AF, so
>>>> expect some questions in near time :-)
>>>> I need to perform analysis of a Java application, where web_spider is
>>>> useless. Therefore I use the spider_man plugin. My question is: would it be
>>>> possible to prevent the initial scan of the URL set as target?
>>>> Because it does not make much sense, as all needed input is facilitated
>>>> through spider_man.
>>>> Thank you for your response and best regards,
>>>> Vojtěch Polášek
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>>>> Give your users amazing mobile app experiences with Intel(R) XDK.
>>>> Use one codebase in this all-in-one HTML5 development environment.
>>>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>>>> OSs.
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>>>> _______________________________________________
>>>> W3af-users mailing list
>>>> W3af-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
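The setup Andres describes in the quoted reply (web_spider left disabled, spider_man as the only crawl plugin, so w3af only audits what the tester browses through the proxy) written out as a w3af_console script. This is an added example for the thread, not w3af's own documentation and not something either participant posted. The command layout (`plugins`, `crawl`, `audit`, `target`, `back`, `start`) follows the w3af console; the spider_man option names `listen_address`/`listen_port` and the acceptance of `#` comment lines are assumptions about the installed version, so check `crawl config spider_man` and `help` in the console first and delete the comment lines if your build rejects them. The lab target URL is a placeholder.

```text
# proxy-scan.w3af  (assumed syntax; run as: ./w3af_console -s proxy-scan.w3af)
plugins
# Write findings to the console and a text file so two runs (deliberately
# vulnerable app vs. the real target) can be compared afterwards.
output console,text_file
output config text_file
set output_file w3af-proxy-scan.txt
back
# Only spider_man is enabled in the crawl family; web_spider stays off,
# so the only requests handed to the audit plugins are the ones the
# tester makes in a browser pointed at this proxy (option names assumed).
crawl spider_man
crawl config spider_man
set listen_address 127.0.0.1
set listen_port 44444
back
# Audit plugins for the vulnerability classes a WebGoat-style lab contains.
audit xss,sqli
back
target
# Placeholder lab host; per the thread, this URL is still requested once.
set target http://target.com/
back
start
exit
```

After `start`, configure the browser to use 127.0.0.1:44444 as its HTTP proxy, walk through the application's forms and links, and then tell spider_man to stop (the plugin prints the URL to request for that when it starts); the audit plugins then run against exactly the requests that were proxied, which is why the target URL alone yields nothing to test when web_spider is off.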