Thanks a lot Andres!

Makes a lot of sense.

Is there any DB would you recommend?

Regards.
Rafael

Em qui, 13 de jun de 2019 às 18:20, Andres Riancho <andres.rian...@gmail.com>
escreveu:

> Rafael,
>
>     Thanks for your interest in w3af and using it to build a SaaS.
> Answers and comments inline:
>
> On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva
> <rafae...@gmail.com> wrote:
> >
> > Hello everyone, how are you?
> >
> > I would like to biuld a service that runs w3af and persists results in a
> database. The idea is provide a web interface where we can run a scan and
> also navigate through the results. Have any of you guys done something
> related and would like to share? And even if you have not done so, would
> you like to suggest a strategy? What about invoke a scan through the web
> interface? Is there a way to run multiple instances of w3af scans?
>
>     This is how I would do it, and the ways I have heard others have done
> it:
>
>  * The web interface you show to your user needs to know almost
> nothing about w3af
>
>  * When the user clicks on "start scan" a new w3af scan script [0] is
> created. Your SaaS will most likely have 3 or 4 different scan script
> templates, for different use-cases your customers might have. The
> template is filled with the target URL, credentials, etc. all provided
> by the user, and then sent to a scan queue.
>
>  * The scans just sit in the queue until one of the scan workers gets to
> them
>
>  * Scan workers are EC2 instances that read scan scripts from the
> queue and execute them. If you want to get fancy, you can measure the
> scan queue size and do +1 or -1 on the number of scan workers
> depending on load
>
>  * The scan script should be configured to use output.xml_file output.
> This plugin writes data to disk every ~30 seconds or so.
>
>  * The scan worker server will run w3af_console -s script AND another
> process that monitors the XML file. This process will extract
> vulnerabilities from the file and save them to a vulnerabilities
> queue. The process that monitors the XML file should only report new
> vulnerabilities, no duplicated vulns should be sent to the
> vulnerabilities queue.
>
>   * Another process will read vulnerabilities from the queue and store
> them to the DB. The front-end web application reads vulnerabilities
> from the DB. Stuff like marking them as a false positive are handled
> in the DB, w3af knows nothing about that.
>
>   * Just like there is a queue for vulnerabilities, you could add a
> queue for scan progress. The XML file also contains that information.
>
>     Makes sense?
>
> [0] https://github.com/andresriancho/w3af/tree/master/scripts
>
> > Sorry about too many questions
> > Regards.
> > Rafael
> > _______________________________________________
> > W3af-users mailing list
> > W3af-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users

Reply via email to