Re: [W3af-users] w3af as a service
Status: Beta
Brought to you by:
andresriancho
Menu
▾
▴
Re: [W3af-users] w3af as a service
|
From: Rafael B. da S. <raf...@gm...> - 2019-06-13 22:08:48
|
Thanks a lot Andres! Makes a lot of sense. Is there any DB would you recommend? Regards. Rafael Em qui, 13 de jun de 2019 às 18:20, Andres Riancho <and...@gm...> escreveu: > Rafael, > > Thanks for your interest in w3af and using it to build a SaaS. > Answers and comments inline: > > On Thu, Jun 13, 2019 at 4:07 PM Rafael Barbosa da Silva > <raf...@gm...> wrote: > > > > Hello everyone, how are you? > > > > I would like to biuld a service that runs w3af and persists results in a > database. The idea is provide a web interface where we can run a scan and > also navigate through the results. Have any of you guys done something > related and would like to share? And even if you have not done so, would > you like to suggest a strategy? What about invoke a scan through the web > interface? Is there a way to run multiple instances of w3af scans? > > This is how I would do it, and the ways I have heard others have done > it: > > * The web interface you show to your user needs to know almost > nothing about w3af > > * When the user clicks on "start scan" a new w3af scan script [0] is > created. Your SaaS will most likely have 3 or 4 different scan script > templates, for different use-cases your customers might have. The > template is filled with the target URL, credentials, etc. all provided > by the user, and then sent to a scan queue. > > * The scans just sit in the queue until one of the scan workers gets to > them > > * Scan workers are EC2 instances that read scan scripts from the > queue and execute them. If you want to get fancy, you can measure the > scan queue size and do +1 or -1 on the number of scan workers > depending on load > > * The scan script should be configured to use output.xml_file output. > This plugin writes data to disk every ~30 seconds or so. > > * The scan worker server will run w3af_console -s script AND another > process that monitors the XML file. This process will extract > vulnerabilities from the file and save them to a vulnerabilities > queue. The process that monitors the XML file should only report new > vulnerabilities, no duplicated vulns should be sent to the > vulnerabilities queue. > > * Another process will read vulnerabilities from the queue and store > them to the DB. The front-end web application reads vulnerabilities > from the DB. Stuff like marking them as a false positive are handled > in the DB, w3af knows nothing about that. > > * Just like there is a queue for vulnerabilities, you could add a > queue for scan progress. The XML file also contains that information. > > Makes sense? > > [0] https://github.com/andresriancho/w3af/tree/master/scripts > > > Sorry about too many questions > > Regards. > > Rafael > > _______________________________________________ > > W3af-users mailing list > > W3a...@li... > > https://lists.sourceforge.net/lists/listinfo/w3af-users > > > > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 > |
