Re: [sqlmap-users] w3af REST API recommendations

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I can't comment on building the API, but I maintain C# bindings to the
sqlmap REST API and, programmatically, it works really well.

There is no authentication, but I only ever run it on localhost anyway so
this isn't a big deal to me.

I have tested it under relatively heavy load (one API instance testing
multiple applications) and it has been performant. I don't recall ever
saying "Man, I wish this were faster".

JSON is totally the way to go for data requests/responses.

One recommendation I have since I deal with many APIs on a daily basis is
please don't assume the programmers will be interacting with your API with
language X. The Metasploit MSGPACK API is a good example of this and is
very cumbersome to use from a strongly typed language. Arachni falls into a
similar field relying on Ruby-style marshalling or YAML which I simply
can't do from, say, C#.

Aside from sqlmap, I also really like the cuckoo-sandbox API.

On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho
<and...@gm...>wrote:

> List,
>
>     I'm going to abuse the list a little bit, and poke your brains for
> a while, so be prepared :)
>
>     The w3af project wants to implement its own REST API to expose the
> w3afCore and KnowledgeBase objects. The core allows users to configure
> the plugins and start the scan, and the knowledge base holds the
> vulnerabilities.
>
>     You guys implemented a REST API for sqlmap, which has been up and
> running for a while now.
>
>     What I wanted to know is:
>         * What's the technology stack you guys used for creating the REST
> API?
>         * Were you happy with it? Would you use something different if
> you had the chance?
>         * Have you tested the API under heavy load?
>         * Do you have the concept of sessions and users in the API? Why
> not?
>         * Any recommendations on API design? (paths, results, hrefs, etc.)
>
>     Thanks!
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website