w3af

Email Archive: w3af-users (read-only)

[W3af-users] w3af test environment license

From: Steve Pinkham <steve.pinkham@gm...> - 2010-06-07 21:13

I was wondering what the license was for the w3af test environment.  I
assume it is the same license as w3af(GPL), but that isn't explicitly
stated.

I'm interested at the moment as I'd like to include it as part of the
next version of the Web Security Dojo training VM.  The test environment
includes a number of vulnerability types that are missing from "modern"
vulnerable web targets.  Those would be interesting to have included,
especially as w3af is also installed.

Thanks,

Steve
-- 
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

Thread View

Thread	Author	Date
[W3af-users] w3af test environment license	Steve Pinkham <steve.pinkham@gm...>

Re: [W3af-users] w3af test environment license

From: Andres Riancho <andres.riancho@gm...> - 2010-06-08 11:52

Attachments: Message as HTML

Steve,

    The license is GPLv2, and of course you can use it @ your training.
Please note that moth does NOT include a w3af installation. Thanks!

--
Andres Riancho

El jun 7, 2010 6:13 p.m., "Steve Pinkham" <steve.pinkham@...>
escribió:

I was wondering what the license was for the w3af test environment.  I
assume it is the same license as w3af(GPL), but that isn't explicitly
stated.

I'm interested at the moment as I'd like to include it as part of the
next version of the Web Security Dojo training VM.  The test environment
includes a number of vulnerability types that are missing from "modern"
vulnerable web targets.  Those would be interesting to have included,
especially as w3af is also installed.

Thanks,

Steve
--
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

Re: [W3af-users] w3af test environment license

From: Steve Pinkham <steve.pinkham@gm...> - 2010-06-09 17:41

Andres,
Are you maintaining the version that is in CVS, or is there later code
in another location?
I've found lots of problems due to renames and moves and such in the CVS
version, and don't want to spend a lot of time creating patches if there
is a later fixed version already.

Thanks,

Steve
On 06/08/2010 07:52 AM, Andres Riancho wrote:
> Steve,
> 
>     The license is GPLv2, and of course you can use it @ your training.
> Please note that moth does NOT include a w3af installation. Thanks!
> 
> --
> Andres Riancho
> 
>> El jun 7, 2010 6:13 p.m., "Steve Pinkham" <steve.pinkham@...
>> <mailto:steve.pinkham@...>> escribió:
>>
>> I was wondering what the license was for the w3af test environment.  I
>> assume it is the same license as w3af(GPL), but that isn't explicitly
>> stated.
>>
>> I'm interested at the moment as I'd like to include it as part of the
>> next version of the Web Security Dojo training VM.  The test environment
>> includes a number of vulnerability types that are missing from "modern"
>> vulnerable web targets.  Those would be interesting to have included,
>> especially as w3af is also installed.
>>
>> Thanks,
>>
>> Steve
>> --
>>  | Steven Pinkham, Security Researcher    |
>>  | http://www.mavensecurity.com           |
>>  | GPG public key ID CD31CAFB             |
> 
> --0016e64696e8385a150488836cda--€


-- 
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

[W3af-users] Test environment bugs (was Re: w3af test environment license)

From: Steve Pinkham <steve.pinkham@gm...> - 2010-06-09 18:04

On 06/09/2010 01:41 PM, Steve Pinkham wrote:
> Andres,
> Are you maintaining the version that is in CVS, or is there later code
> in another location?
> I've found lots of problems due to renames and moves and such in the CVS
> version, and don't want to spend a lot of time creating patches if there
> is a later fixed version already.
> 
> Thanks,
> 
> Steve
Please note I'm moving this thread to w3af-develop if anyone on the user
thread wants to follow or respond.

I just installed the latest Moth release (moth-v0.6.7) also has the same
problems. CGIs are broken, swf files are missing, many links have
changed case, etc.  Is the test harness being activley used by anyone in
w3af development(IE, can anyone tell me what passes/fails now, so I
don't break working tests)? Are there unpublished changes? How would you
like to receive patches?

Steve
> On 06/08/2010 07:52 AM, Andres Riancho wrote:
>> Steve,
>>
>>     The license is GPLv2, and of course you can use it @ your training.
>> Please note that moth does NOT include a w3af installation. Thanks!
>>
>> --
>> Andres Riancho
>>
>>> El jun 7, 2010 6:13 p.m., "Steve Pinkham" <steve.pinkham@...
>>> <mailto:steve.pinkham@...>> escribió:
>>>
>>> I was wondering what the license was for the w3af test environment.  I
>>> assume it is the same license as w3af(GPL), but that isn't explicitly
>>> stated.
>>>
>>> I'm interested at the moment as I'd like to include it as part of the
>>> next version of the Web Security Dojo training VM.  The test environment
>>> includes a number of vulnerability types that are missing from "modern"
>>> vulnerable web targets.  Those would be interesting to have included,
>>> especially as w3af is also installed.
>>>
>>> Thanks,
>>>
>>> Steve
>>> --
>>>  | Steven Pinkham, Security Researcher    |
>>>  | http://www.mavensecurity.com           |
>>>  | GPG public key ID CD31CAFB             |
>>
>> --0016e64696e8385a150488836cda--€
> 
> 


-- 
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

Re: [W3af-users] w3af test environment license

From: Andres Riancho <andres.riancho@gm...> - 2010-07-15 19:40

Steven,

On Wed, Jun 9, 2010 at 2:41 PM, Steve Pinkham <steve.pinkham@...> wrote:
> Andres,
> Are you maintaining the version that is in CVS, or is there later code
> in another location?

    The test environment available at [0] should be the latest version
of the test scripts. On the other hand, "moth" virtual machine is a
working implementation of the test environment (mysql, correct
directory permissions, apache and php set to be vulnerable).

[0] http://w3af.svn.sourceforge.net/viewvc/w3af/extras/testEnv/

> I've found lots of problems due to renames and moves and such in the CVS
> version, and don't want to spend a lot of time creating patches if there
> is a later fixed version already.

    Could you please report these issues in a more detailed way? Thanks!

> Thanks,
>
> Steve
> On 06/08/2010 07:52 AM, Andres Riancho wrote:
>> Steve,
>>
>>     The license is GPLv2, and of course you can use it @ your training.
>> Please note that moth does NOT include a w3af installation. Thanks!
>>
>> --
>> Andres Riancho
>>
>>> El jun 7, 2010 6:13 p.m., "Steve Pinkham" <steve.pinkham@...
>>> <mailto:steve.pinkham@...>> escribió:
>>>
>>> I was wondering what the license was for the w3af test environment.  I
>>> assume it is the same license as w3af(GPL), but that isn't explicitly
>>> stated.
>>>
>>> I'm interested at the moment as I'd like to include it as part of the
>>> next version of the Web Security Dojo training VM.  The test environment
>>> includes a number of vulnerability types that are missing from "modern"
>>> vulnerable web targets.  Those would be interesting to have included,
>>> especially as w3af is also installed.
>>>
>>> Thanks,
>>>
>>> Steve
>>> --
>>>  | Steven Pinkham, Security Researcher    |
>>>  | http://www.mavensecurity.com           |
>>>  | GPG public key ID CD31CAFB             |
>>
>> --0016e64696e8385a150488836cda--€
>
>
> --
>  | Steven Pinkham, Security Researcher    |
>  | http://www.mavensecurity.com           |
>  | GPG public key ID CD31CAFB             |
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

Re: [W3af-users] w3af test environment license

From: Steve Pinkham <steve.pinkham@gm...> - 2010-07-19 16:17

Holy latency batman! Apparently the tubes ave been clogged for a month. ;-)


On 07/15/2010 03:39 PM, Andres Riancho wrote:
> Steven,
> 
> On Wed, Jun 9, 2010 at 2:41 PM, Steve Pinkham <steve.pinkham@...> wrote:
>> Andres,
>> Are you maintaining the version that is in CVS, or is there later code
>> in another location?
> 
>     The test environment available at [0] should be the latest version
> of the test scripts. On the other hand, "moth" virtual machine is a
> working implementation of the test environment (mysql, correct
> directory permissions, apache and php set to be vulnerable).
> 
> [0] http://w3af.svn.sourceforge.net/viewvc/w3af/extras/testEnv/

Good to know.  Since I sent the message I found the flaws were in both
the cvs and Moth.

>> I've found lots of problems due to renames and moves and such in the CVS
>> version, and don't want to spend a lot of time creating patches if there
>> is a later fixed version already.
> 
>     Could you please report these issues in a more detailed way? Thanks!
> 

I will.. Unfortunately by now I've forgotten what most of them were.

If you load up moth and browse around you'll find plenty of things that
don't work.

I like the "LinkChecker" firefox plugin myself.

Here's a few I've turned up:

audit/buffer overflows 404
audit/format strings 404

In the captcha image at http://10.0.10.143/w3af/discovery/find_captcha/

"Fatal error: Call to undefined function imagecreatetruecolor() in
/var/www/w3af/discovery/find_captcha/securimage.php on line 478 "

Discovery/test the spider leads to a 404 (s/webSpider/web_spider/)

discovery/secure SWF 404 (core/flash/login.swf perhaps? couldn't find
this one)

discovery/google sets and wordnet  404 (looks like it's two separate
links now instead of one)

core tests/analyze 404 (s/timeAnalysis/time_analysis/)
core tests/GPC magic quotes 404


-- 
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |