Re: [W3af-users] run profile without target
From: Matt T. <mte...@gm...> - 2015-12-01 16:50:32

Vojtech, I'd suggest you look at this project:
https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

In the "Off-line" tab, there's a list of apps and the technology used to create them. For instance, Bodgeit Store is a Java based vulnerable app: https://github.com/psiinon/bodgeit

Best of luck!

--
Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site

On Tue, Dec 1, 2015 at 7:42 AM, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> I would like to run W3AF against a commercial web application which uses
> similar technologies as Webgoat. Do you think that the applications which
> you mentioned will be able to provide some baseline for comparing
> results?
> I need to find out if W3AF can correctly detect vulnerabilities in
> deliberately vulnerable applications before running it against the
> commercial application.
> The vulnerable application should be as close as possible to the commercial
> one in terms of the technologies used.
> Thank you,
> Vojtěch Polášek
>
> On 1.12.2015 at 14:19 Andres Riancho wrote:
> > webgoat is not usually a good target for testing scanners. I would
> > recommend other applications such as:
> > * http://testphp.acunetix.com/
> > * https://github.com/andresriancho/django-moth
> >
> > On Mon, Nov 30, 2015 at 3:41 PM, Vojtěch Polášek <kr...@gm...> wrote:
> >> Greetings,
> >> thanks for the reply, I will try it out.
> >> To be exact, I am running W3Af against OWASP Webgoat, which runs on Tomcat.
> >> Best regards,
> >> Vojta
> >>
> >> On 30.11.2015 at 18:54 Andres Riancho wrote:
> >>> Vojtěch,
> >>>
> >>> Questions are welcome :)
> >>>
> >>> I assume you wanted to say JavaScript instead of Java; if JS is
> >>> heavily used, then yes, the web_spider is "almost useless".
> >>>
> >>> Well, the scan of the target URL can't be prevented, but if you
> >>> set the URL to http://target.com/ and disable web_spider, then w3af
> >>> won't have any parameters to find vulnerabilities in and the target is
> >>> "ignored" (most likely, haven't tested it).
> >>>
> >>> Regards,
> >>>
> >>> On Mon, Nov 30, 2015 at 2:48 PM, Vojtěch Polášek <kr...@gm...> wrote:
> >>>> Greetings,
> >>>> my name is Vojtěch Polášek and I am a blind IT student from the Czech
> >>>> Republic.
> >>>> As a part of my bachelor thesis, I am researching some tools for
> >>>> security analysis of web applications. One of those tools is W3AF, so
> >>>> expect some questions in the near future :-)
> >>>> I need to perform analysis of a Java application, where web_spider is
> >>>> useless. Therefore I use the spider_man plugin. My question is: would it
> >>>> be possible to prevent the initial scan of the URL set as target?
> >>>> Because it does not make much sense, as all needed input is facilitated
> >>>> through spider_man.
> >>>> Thank you for your response and best regards,
> >>>> Vojtěch Polášek

_______________________________________________
W3af-users mailing list
W3a...@li...
https://lists.sourceforge.net/lists/listinfo/w3af-users
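As an added example (not part of the thread, and not a script shipped with w3af), the configuration Andres describes expressed as a w3af console script: only spider_man is enabled in the crawl section, so web_spider never runs and the audit plugins only see the requests the tester drives through the spider_man proxy. It assumes the console scripting syntax and the spider_man `listen_address`/`listen_port` options as documented for w3af; the target host and output path are placeholders.

```text
# Added example, not from the thread: run with ./w3af_console -s spider_man_only.w3af
# Crawl section: enable spider_man only; web_spider stays disabled because it is never enabled.
plugins
crawl spider_man
crawl config spider_man
set listen_address 127.0.0.1
set listen_port 44444
back
# Audit plugins applied to the requests captured through the proxy
# (pick the ones that match the vulnerability classes the test app is known to contain).
audit xss,sqli
# Keep a text report so the findings can be compared against the test app's known issues.
output console,text_file
output config text_file
set output_file /tmp/w3af-spider_man.txt
back
back
target
# Placeholder: point this at the deliberately vulnerable test instance, not a production host.
set target http://target.example/
back
start
```

When the scan starts, browse the application through the proxy on 127.0.0.1:44444 and stop the proxy as spider_man instructs; the audit phase then covers only the forms and parameters seen in that traffic.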