Re: [W3af-develop] Searching in req/res sqlite database
From: Taras <ta...@se...> - 2009-08-13 19:52:56
Hi, Patrick!

> I use w3af more for its manual testing abilities than for the whole automated
> stuff, which is why I'm mostly interested in the spiderMan plugin / the proxy
> taras is currently writing. Not that I think the automated plugins are bad, I
> just don't use them much, if at all.

Automated plugins often make webapp pentesting easier ;) And of course it is not a full replacement for manual testing, imho.

> So I was looking at the URLs I had already gathered in the "Results" tab of the
> GUI (with spiderMan) and noticed that the search function is actually quite
> limited. I cannot search in request bodies (e.g. POST data) and I cannot search
> in responses at all.
>
> Having a look at the code saving the requests and responses and the persist.py
> sources tells me why: because the request and response object are stored as
> pickled blobs of data in the database. This is of course unfortunate if you
> want to search in their data.

Yes, but we have special separate columns for search (id, url, code). By the way, at the moment I am rewriting the w3af DB interface for more complex data access. Soon these changes will be in svn.

> So my questions are:
>
> - What would you say: would it be a good idea to code the possibility into w3af
> to search in _all_ of the request and response data?

Hm, what about big data? It seems it would be slower. What kind of data do you want to search in request/response? Examples?

> - Is there already work done in this area?

At the moment I am rewriting the DB backend, so I can easily make improvements.

> - Can you think of any pitfalls or suggestions you may have before I go and code
> sth. up, if we agree that this would be nice to have? E.g., performance
> issues?
> - How's the general development of the database persistence feature coming
> along? The code tells me for example that I will be able to set the database
> name, but the feature doesn't seem to be activated in the (gtk)UI. Along the
> same lines, I see that there's already code to load a database on startup, but
> that doesn't seem to be activated, too.

Do you want to set the DB file path in the GUI?

--
Taras

----
"Software is like sex: it's better when it's free." - Linus Torvalds
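The storage layout the thread is arguing about, as an added example that is not w3af's own code: a sqlite table with the searchable columns Taras mentions (id, url, code), the pickled request/response blobs Patrick found in persist.py, and two extra plain-text columns filled at insert time so that a search can reach POST bodies and response bodies without unpickling every row. Table and column names, the function names and the sample traffic are all assumptions made for the demo. The extra columns roughly double the stored size of each message, which is the "big data" cost Taras raises; the trade is that the search stays in SQL instead of a Python loop over unpickled objects.

```python
import pickle
import sqlite3

# Constructed sample traffic for the demo; not real w3af data.
SAMPLE_TRAFFIC = [
    {"id": 1, "url": "http://target.test/login", "code": 302,
     "request": {"method": "POST",
                 "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                 "body": "user=admin&pass=hunter2"},
     "response": {"headers": {"Location": "/home"}, "body": ""}},
    {"id": 2, "url": "http://target.test/home", "code": 200,
     "request": {"method": "GET", "headers": {}, "body": ""},
     "response": {"headers": {"Content-Type": "text/html"},
                  "body": "<html><body>Welcome admin</body></html>"}},
    {"id": 3, "url": "http://target.test/search?q=test", "code": 500,
     "request": {"method": "GET", "headers": {}, "body": ""},
     "response": {"headers": {"Content-Type": "text/html"},
                  "body": "<html>SQLSTATE[42000]: Syntax error</html>"}},
]


def open_history_db(path=":memory:"):
    """Hypothetical schema: id/url/code are the indexed search columns, the
    request/response objects live in pickled BLOBs, and req_text/res_text are
    plain-text renderings extracted at insert time so they can be searched."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS history (
               id       INTEGER PRIMARY KEY,
               url      TEXT    NOT NULL,
               code     INTEGER NOT NULL,
               req_blob BLOB    NOT NULL,
               res_blob BLOB    NOT NULL,
               req_text TEXT    NOT NULL,
               res_text TEXT    NOT NULL)""")
    conn.execute("CREATE INDEX IF NOT EXISTS history_url ON history(url)")
    conn.execute("CREATE INDEX IF NOT EXISTS history_code ON history(code)")
    return conn


def _flatten(msg):
    """Render headers and body as one searchable string."""
    lines = ["%s: %s" % (k, v) for k, v in sorted(msg["headers"].items())]
    return "\n".join(lines + ["", msg["body"]])


def store(conn, entry):
    """Insert one exchange: pickle for round-tripping, text for searching."""
    conn.execute(
        "INSERT INTO history VALUES (?, ?, ?, ?, ?, ?, ?)",
        (entry["id"], entry["url"], entry["code"],
         pickle.dumps(entry["request"], pickle.HIGHEST_PROTOCOL),
         pickle.dumps(entry["response"], pickle.HIGHEST_PROTOCOL),
         _flatten(entry["request"]), _flatten(entry["response"])))
    conn.commit()


def _like_pattern(needle):
    # Escape LIKE metacharacters so a user-typed needle matches literally.
    esc = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + esc + "%"


def search_columns(conn, needle):
    """The limited search: only the url column, as the GUI did."""
    rows = conn.execute(
        "SELECT id FROM history WHERE url LIKE ? ESCAPE '\\' ORDER BY id",
        (_like_pattern(needle),))
    return [r[0] for r in rows]


def search_full(conn, needle, in_request=True, in_response=True):
    """Search the extracted request and/or response text (headers + body)."""
    clauses, params = [], []
    if in_request:
        clauses.append("req_text LIKE ? ESCAPE '\\'")
        params.append(_like_pattern(needle))
    if in_response:
        clauses.append("res_text LIKE ? ESCAPE '\\'")
        params.append(_like_pattern(needle))
    if not clauses:
        return []
    sql = "SELECT id FROM history WHERE %s ORDER BY id" % " OR ".join(clauses)
    return [r[0] for r in conn.execute(sql, params)]


def load(conn, row_id):
    """Round-trip the stored objects. pickle.loads() is only safe on blobs
    this tool wrote itself: unpickling attacker-controlled bytes runs code."""
    row = conn.execute(
        "SELECT req_blob, res_blob FROM history WHERE id = ?", (row_id,)).fetchone()
    if row is None:
        return None
    return pickle.loads(row[0]), pickle.loads(row[1])


def demo():
    """Load the constructed traffic into an in-memory database."""
    conn = open_history_db()
    for entry in SAMPLE_TRAFFIC:
        store(conn, entry)
    return conn
```

With the sample loaded, a search for the POST parameter value `hunter2` finds nothing through the url-only search but finds row 1 through the request text, and a search for `SQLSTATE` finds the error page in row 3 through the response text. The `ESCAPE` clause matters for a pentesting history: needles such as `100%` or `a_b` come straight out of captured traffic and must not turn into wildcards. Note also that the load path unpickles only data the tool itself serialised; a history file received from someone else should be treated as untrusted input.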