Re: [W3af-users] w3af as a service
From: Andres R. <and...@gm...> - 2019-06-13 21:20:49
Rafael,
Thanks for your interest in w3af and using it to build a SaaS.
Answers and comments inline:
On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva
<raf...@gm...> wrote:
>
> Hello everyone, how are you?
>
> I would like to build a service that runs w3af and persists results in a database. The idea is to provide a web interface where we can run a scan and also navigate through the results. Have any of you guys done something related and would like to share? And even if you have not done so, would you like to suggest a strategy? What about invoking a scan through the web interface? Is there a way to run multiple instances of w3af scans?
This is how I would do it, and the ways I have heard others have done it:
* The web interface you show to your user needs to know almost
nothing about w3af
* When the user clicks on "start scan" a new w3af scan script [0] is
created. Your SaaS will most likely have 3 or 4 different scan script
templates, for different use-cases your customers might have. The
template is filled with the target URL, credentials, etc. all provided
by the user, and then sent to a scan queue.
* The scans just sit in the queue until one of the scan workers gets to them
* Scan workers are EC2 instances that read scan scripts from the
queue and execute them. If you want to get fancy, you can measure the
scan queue size and do +1 or -1 on the number of scan workers
depending on load
* The scan script should be configured to use output.xml_file output.
This plugin writes data to disk every ~30 seconds or so.
* The scan worker server will run w3af_console -s script AND another
process that monitors the XML file. This process will extract
vulnerabilities from the file and save them to a vulnerabilities
queue. The process that monitors the XML file should only report new
vulnerabilities, no duplicated vulns should be sent to the
vulnerabilities queue.
* Another process will read vulnerabilities from the queue and store
them to the DB. The front-end web application reads vulnerabilities
from the DB. Stuff like marking them as a false positive are handled
in the DB, w3af knows nothing about that.
* Just like there is a queue for vulnerabilities, you could add a
queue for scan progress. The XML file also contains that information.
Makes sense?
[0] https://github.com/andresriancho/w3af/tree/master/scripts
> Sorry about too many questions
> Regards.
> Rafael
> _______________________________________________
> W3af-users mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-users
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
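The XML-monitor process described above, written as an added example (not w3af's own code, and not from the list thread): it polls one snapshot of the output.xml_file report, fingerprints each finding and returns only those not yet pushed to the vulnerabilities queue. The sample XML is constructed to match the assumed, simplified shape of w3af's report (one `<vulnerability>` element per finding); `fingerprint`, `extract_new_vulns` and the attribute set used for identity are this example's assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the assumed, simplified shape of w3af's output.xml_file
# report: one <vulnerability> element per finding under <w3af-run>.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w3af-run start="1560460000" version="2.0">
  <vulnerability id="[1]" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/item.php" var="id">
    <description>SQL injection in a MySQL database was found.</description>
  </vulnerability>
  <vulnerability id="[2]" method="GET" name="Cross site scripting vulnerability"
                 plugin="xss" severity="Medium" url="http://target.example/search"
                 var="q">
    <description>A Cross Site Scripting vulnerability was found.</description>
  </vulnerability>
</w3af-run>
"""

def fingerprint(vuln):
    """Stable identity for a finding: plugin, name, URL, parameter and method.
    The run-local id attribute is ignored on purpose; it changes between scans."""
    key = "|".join(vuln.get(a, "") for a in ("plugin", "name", "url", "var", "method"))
    return hashlib.sha256(key.encode()).hexdigest()

def extract_new_vulns(xml_text, seen):
    """Parse one snapshot of the report and return only findings not in `seen`.
    `seen` holds fingerprints already sent to the vulnerabilities queue and is
    updated in place. The plugin rewrites the file every ~30s, so a half-written
    snapshot fails to parse; it is skipped and picked up on the next poll."""
    try:
        root = ET.fromstring(xml_text)  # local scanner output, not untrusted input
    except ET.ParseError:
        return []
    new = []
    for vuln in root.iter("vulnerability"):
        fp = fingerprint(vuln)
        if fp in seen:
            continue  # already reported: never send duplicates to the queue
        seen.add(fp)
        new.append({"fingerprint": fp, "name": vuln.get("name"),
                    "plugin": vuln.get("plugin"), "severity": vuln.get("severity"),
                    "url": vuln.get("url"), "var": vuln.get("var"),
                    "method": vuln.get("method"),
                    "description": vuln.findtext("description", default="").strip()})
    return new

if __name__ == "__main__":
    seen = set()
    print(len(extract_new_vulns(SAMPLE_XML, seen)))  # first poll: 2 new findings
    print(len(extract_new_vulns(SAMPLE_XML, seen)))  # same file again: 0 new
```

In the real worker the `seen` set would be persisted (or rebuilt from the DB) so a restart of the monitor does not re-queue findings.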