Re: [W3af-users] Several w3af questions and issues
From: Andres R. <and...@gm...> - 2015-10-12 20:31:03
Ziadmo1,

On Tue, Sep 29, 2015 at 12:35 PM, ziadmo1 . <zi...@gm...> wrote:
> Point 1)
> I will try to take a video later this week, but to reproduce the issue:
> a) Select the OWASP_TOP10 profile, right click, "Save configuration to a new profile"
> b) Save new profile as Custom / Custom
> c) Deselect the Infrastructure plugin, and right click on the Custom profile, then "Save configuration to profile"
> d) Select any other profile on the list
> e) Come back to the Custom profile, the plugin Infrastructure is still selected as if it was never unchecked.

I ran a-d, but then I see the expected result: the infrastructure plugin family is disabled.

This is my w3af version information:

Python version: 2.7.6 (default, Mar 22 2014, 22:59:56) [GCC 4.8.2]
GTK version: 2.24.23
PyGTK version: 2.24.0
w3af version:
w3af - Web Application Attack and Audit Framework
Version: 1.7.6
Revision: d7cb405316 - 09 oct 2015 21:26
Branch: master
Local changes: No
Author: Andres Riancho and the w3af team.

What's yours?

> Point 3) I really wish I could contribute, but I am not a programmer :P If I can help with other things such as testing, I would be more than happy to do so.
>
> Point 4) Can I suggest making saves every, let's say, 10 or 20 seconds? This will prevent losing the results of a 1-4 hour scan.

Like I said in the previous email, this is already done in the latest w3af.

> Point 5) This is an issue as I scanned a site, w3af happily took all of the memory available, and if I provide it with more memory, it just keeps taking it. At some point it used 8GB of memory and w3af crashed as there was no more memory to consume... Ideally, w3af should be given a specified amount of memory, or have some configuration options to restrict the amount of memory it can use.

I haven't seen any tools that work like that. The fix would be to identify the memory leak and refactor the code so that it doesn't consume all your memory.

> Thanks for all the efforts on this project, I find w3af a great tool for the Security community.
>
> On Mon, Sep 28, 2015 at 11:15 AM, Andres Riancho <and...@gm...> wrote:
>>
>> Ziadmo,
>>
>> On Thu, Sep 24, 2015 at 3:01 PM, ziadmo1 . <zi...@gm...> wrote:
>> > Point 1)
>> > Not sure if it's a bug or not.. When I create a custom profile (based on OWASP top 10 for example), the changes don't take effect on the newly saved custom profile. For example, if I disable "infrastructure", and I click "save configuration to profile", then I select any other profile, when I get back to the "custom" profile I just created, I still see "infrastructure" as part of that profile.
>>
>> Failed to reproduce this issue on my workstation. Using the same version you are. Could you send us a detailed step by step or video to better understand the problem?
>>
>> > Point 2)
>> > Which plugin or option is this output generated from?
>> >
>> > Created 27 mutants for "Method: POST | https://XXX.XXX.XXX | URL encoded form: (category, subcategory, postal_code, distance, validated, form_build_id, form_id, op)" (post data: 24, query string: 3)
>>
>> That's generated by audit plugins. They receive a fuzzable request (similar to what a browser/regular user would send) and create mutants (modified, ugly versions of the original request).
>>
>> > Point 3)
>> > When I stop the scan through w3af_gui, in the console output the core is still running, and therefore I am forced to hit Ctrl-C.. At that point I lose all the output that I had generated so far (results, etc).
>>
>> Yep, known bug which sucks. You either wait for stop to work or contribute to the project to fix the issue :)
>>
>> > Point 4)
>> > When the scan is running, I did not see the HTML output file generated under ~/, which is where it usually saves it. Does it wait until the scan is completely done to save contents to it?
>>
>> Before you had to wait. In the last month I modified output plugins to write stuff to disk every N seconds (not sure what N is).
>>
>> That change might be only in the develop branch.
>>
>> > This is why when I do Ctrl-C on step 4 I lose all output, since there is nothing saved on the file. I would suggest creating the file as soon as the scan starts and filling it up as the scan goes so output is not lost if for whatever reason the scan takes too long or if w3af freezes for example.
>> >
>> > Point 5)
>> > Is there a way to specify how much system memory w3af_gui can use?
>>
>> No
>>
>> > Under
>> >
>> > http://docs.w3af.org/en/latest/advanced-tips-tricks.html?highlight=memory
>> >
>> > it mentions the cache size of "10", but what does 10 refer to in terms of memory?
>>
>> There is no way to know. This is the result of parsing an HTML page. HTML pages can be huge in KB, but have only 2 links and 1 form, or be really compact and with thousands of links
>>
>> > I am using Version 1.7.6 through Kali Linux 2.0.

-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
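To make the "Created 27 mutants ... (post data: 24, query string: 3)" line quoted under Point 2 concrete, here is an added illustrative model (not w3af's own code) of how one mutant per (parameter, payload) pair yields separate post-data and query-string counts. The form field names are the ones from the log line; the path `/search`, the query-string parameter `page` and the three benign canary payloads are constructed assumptions, since the real URL was redacted in the thread.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample request: the thread's URL was redacted, so the path
# and the single query-string parameter "page" are assumptions.
FUZZABLE_REQUEST = {
    "method": "POST",
    "url": "https://XXX.XXX.XXX/search?page=1",
    "post_data": {"category": "1", "subcategory": "2", "postal_code": "1000",
                  "distance": "10", "validated": "1", "form_build_id": "x",
                  "form_id": "search_form", "op": "Search"},
}

# Benign placeholder payloads; a real audit plugin brings its own list.
PAYLOADS = ["CANARY1", "CANARY2", "CANARY3"]


def create_mutants(request, payloads):
    """Return one mutant per (parameter, payload): a copy of the request
    with exactly one parameter replaced, tagged with where that parameter lives."""
    mutants = []
    parts = urlsplit(request["url"])
    qs = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(qs):
        for payload in payloads:
            new_qs = list(qs)
            new_qs[i] = (name, payload)
            url = urlunsplit(parts._replace(query=urlencode(new_qs)))
            mutants.append({"where": "query string", "param": name,
                            "url": url, "post_data": dict(request["post_data"])})
    for name in request["post_data"]:
        for payload in payloads:
            data = dict(request["post_data"])
            data[name] = payload
            mutants.append({"where": "post data", "param": name,
                            "url": request["url"], "post_data": data})
    return mutants


def summarize(request, mutants):
    """Format a count line in the shape of the one quoted in the thread."""
    post = sum(1 for m in mutants if m["where"] == "post data")
    qs = sum(1 for m in mutants if m["where"] == "query string")
    base_url = request["url"].split("?")[0]
    return ('Created %d mutants for "Method: %s | %s" (post data: %d, query string: %d)'
            % (len(mutants), request["method"], base_url, post, qs))


if __name__ == "__main__":
    # 8 form fields x 3 payloads = 24, 1 query parameter x 3 payloads = 3
    print(summarize(FUZZABLE_REQUEST, create_mutants(FUZZABLE_REQUEST, PAYLOADS)))
```

The count is what a defender sees as request volume per crawled form: every extra payload multiplies it by the number of parameters, which is why a few dozen forms turn into thousands of log entries.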