Not really, any DB you know how to use and maintain will make it. El jue., 13 de junio de 2019 7:08 p. m., Rafael Barbosa da Silva < rafae...@gmail.com> escribió:
> Thanks a lot Andres! > > Makes a lot of sense. > > Is there any DB would you recommend? > > Regards. > Rafael > > Em qui, 13 de jun de 2019 às 18:20, Andres Riancho < > andres.rian...@gmail.com> escreveu: > >> Rafael, >> >> Thanks for your interest in w3af and using it to build a SaaS. >> Answers and comments inline: >> >> On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva >> <rafae...@gmail.com> wrote: >> > >> > Hello everyone, how are you? >> > >> > I would like to biuld a service that runs w3af and persists results in >> a database. The idea is provide a web interface where we can run a scan and >> also navigate through the results. Have any of you guys done something >> related and would like to share? And even if you have not done so, would >> you like to suggest a strategy? What about invoke a scan through the web >> interface? Is there a way to run multiple instances of w3af scans? >> >> This is how I would do it, and the ways I have heard others have done >> it: >> >> * The web interface you show to your user needs to know almost >> nothing about w3af >> >> * When the user clicks on "start scan" a new w3af scan script [0] is >> created. Your SaaS will most likely have 3 or 4 different scan script >> templates, for different use-cases your customers might have. The >> template is filled with the target URL, credentials, etc. all provided >> by the user, and then sent to a scan queue. >> >> * The scans just sit in the queue until one of the scan workers gets to >> them >> >> * Scan workers are EC2 instances that read scan scripts from the >> queue and execute them. If you want to get fancy, you can measure the >> scan queue size and do +1 or -1 on the number of scan workers >> depending on load >> >> * The scan script should be configured to use output.xml_file output. >> This plugin writes data to disk every ~30 seconds or so. >> >> * The scan worker server will run w3af_console -s script AND another >> process that monitors the XML file. This process will extract >> vulnerabilities from the file and save them to a vulnerabilities >> queue. The process that monitors the XML file should only report new >> vulnerabilities, no duplicated vulns should be sent to the >> vulnerabilities queue. >> >> * Another process will read vulnerabilities from the queue and store >> them to the DB. The front-end web application reads vulnerabilities >> from the DB. Stuff like marking them as a false positive are handled >> in the DB, w3af knows nothing about that. >> >> * Just like there is a queue for vulnerabilities, you could add a >> queue for scan progress. The XML file also contains that information. >> >> Makes sense? >> >> [0] https://github.com/andresriancho/w3af/tree/master/scripts >> >> > Sorry about too many questions >> > Regards. >> > Rafael >> > _______________________________________________ >> > W3af-users mailing list >> > W3af-users@lists.sourceforge.net >> > https://lists.sourceforge.net/lists/listinfo/w3af-users >> >> >> >> -- >> Andrés Riancho >> Project Leader at w3af - http://w3af.org/ >> Web Application Attack and Audit Framework >> Twitter: @w3af >> GPG: 0x93C344F3 >> >
_______________________________________________ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users
