Rafael,
Thanks for your interest in w3af and using it to build a SaaS.
Answers and comments inline:
On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva
<[email protected]> wrote:
>
> Hello everyone, how are you?
>
> I would like to build a service that runs w3af and persists results in a
> database. The idea is to provide a web interface where we can run a scan and
> also navigate through the results. Have any of you guys done something
> related and would like to share? And even if you have not done so, would you
> like to suggest a strategy? What about invoking a scan through the web
> interface? Is there a way to run multiple instances of w3af scans?
This is how I would do it, and the ways I have heard others have done it:
* The web interface you show to your user needs to know almost
nothing about w3af
* When the user clicks on "start scan" a new w3af scan script [0] is
created. Your SaaS will most likely have 3 or 4 different scan script
templates, for different use-cases your customers might have. The
template is filled with the target URL, credentials, etc. all provided
by the user, and then sent to a scan queue.
* The scans just sit in the queue until one of the scan workers gets to them
* Scan workers are EC2 instances that read scan scripts from the
queue and execute them. If you want to get fancy, you can measure the
scan queue size and do +1 or -1 on the number of scan workers
depending on load
* The scan script should be configured to use output.xml_file output.
This plugin writes data to disk every ~30 seconds or so.
* The scan worker server will run w3af_console -s script AND another
process that monitors the XML file. This process will extract
vulnerabilities from the file and save them to a vulnerabilities
queue. The process that monitors the XML file should only report new
vulnerabilities, no duplicated vulns should be sent to the
vulnerabilities queue.
* Another process will read vulnerabilities from the queue and store
them to the DB. The front-end web application reads vulnerabilities
from the DB. Stuff like marking them as a false positive are handled
in the DB, w3af knows nothing about that.
* Just like there is a queue for vulnerabilities, you could add a
queue for scan progress. The XML file also contains that information.
Makes sense?
[0] https://github.com/andresriancho/w3af/tree/master/scripts
> Sorry about too many questions
> Regards.
> Rafael
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
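The XML-monitoring process Andrés describes, as an added example that is not part of this thread or of w3af itself: it re-reads snapshots of the output.xml_file report, forwards only findings it has not seen before (keyed on plugin, name, URL, parameter and method rather than on w3af's per-run id), and treats a half-written file as "nothing new yet" so the poller simply tries again. The `<vulnerability>` attribute layout, the target host and the sample findings are assumptions constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET


def fingerprint(vuln):
    """Identity of a finding independent of w3af's per-run id attribute:
    the same (plugin, name, url, var, method) is the same vulnerability."""
    key = "|".join(vuln.get(k, "") for k in ("plugin", "name", "url", "var", "method"))
    return hashlib.sha256(key.encode()).hexdigest()


class XmlReportWatcher:
    """Re-reads report snapshots and hands back only findings not yet forwarded."""

    def __init__(self):
        self.seen = set()

    def new_vulnerabilities(self, xml_text):
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            # The plugin rewrites the file every ~30 s, so a read can land on a
            # half-written document: report nothing and let the caller poll again.
            return []
        fresh = []
        for v in root.iter("vulnerability"):
            fp = fingerprint(v)
            if fp in self.seen:
                continue
            self.seen.add(fp)
            fresh.append({
                "fingerprint": fp, "name": v.get("name"), "severity": v.get("severity"),
                "url": v.get("url"), "var": v.get("var"), "method": v.get("method"),
                "description": v.findtext("description", default="").strip(),
            })
        return fresh


# Constructed sample snapshots (hypothetical host) in the attribute layout
# assumed for the xml_file plugin; check them against your w3af version.
VULN_A = ('<vulnerability id="[1]" method="GET" name="SQL injection" plugin="sqli" '
          'severity="High" url="http://target.example/item" var="id">'
          '<description>Constructed sample.</description></vulnerability>')
VULN_B = ('<vulnerability id="[2]" method="POST" name="Cross site scripting" plugin="xss" '
          'severity="Medium" url="http://target.example/comment" var="body">'
          '<description>Constructed sample.</description></vulnerability>')
SNAPSHOT_1 = "<w3af-run>" + VULN_A + "</w3af-run>"
SNAPSHOT_2 = "<w3af-run>" + VULN_A + VULN_B + "</w3af-run>"
HALF_WRITTEN = "<w3af-run>" + VULN_A + "<vulnerab"
```

Feeding SNAPSHOT_1, HALF_WRITTEN and SNAPSHOT_2 to one watcher in that order yields one, zero and one new finding respectively; the second snapshot re-lists VULN_A but only VULN_B is forwarded.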