w3af-develop Mailing List for w3af (Page 5)
Status: Beta
Brought to you by:
andresriancho
From: Andres R. <and...@gm...> - 2014-04-29 12:23:07

Don,

Welcome, please read inline,

On Tue, Apr 29, 2014 at 8:20 AM, Don Friesch <don...@gm...> wrote:
> Hi all,
>
> I read the post from Andres on the full disclosure mailing list saying that
> you are looking for contributors (and more important - that you aren't
> picky).

Hehe, no I'm not. Actually I like mentoring people

> I've known about w3af for years (since BackTrack 3 I want to say) and have
> always been rooting for you guys. More recently, I've been looking to give
> back to the infosec community. After all, for over a decade it's given me
> tons of awesome free tools, plenty of entertainment and a career. So, here
> I am!
>
> I'm trained as a programmer, but have never worked fulltime in that
> capacity. Mostly I just write throw away scripts to accomplish specific
> tasks. I've never worked on a team of developers and am pretty new to git.
> That said, my Python and web app security knowledge are decent so I'm hoping
> I can contribute something.

Excellent, all sounds good. A mix between dev and security is perfect :)

> Let me know what I need to read/do to get up to speed.

I believe this [0] document is the best place to start. The most important
part is that you're doing something YOU enjoy and get value from. Find a
task that brings value to the company you work for, something that you could
show to your boss or team-mates, something that makes you proud!

[0] https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor

> Cheers,
>
> Dan (3rd Degree)
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos. Get
> unparalleled scalability from the best Selenium testing platform available.
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Don F. <don...@gm...> - 2014-04-29 11:20:10

Hi all,

I read the post from Andres on the full disclosure mailing list saying that
you are looking for contributors (and more important - that you aren't
picky).

I've known about w3af for years (since BackTrack 3 I want to say) and have
always been rooting for you guys. More recently, I've been looking to give
back to the infosec community. After all, for over a decade it's given me
tons of awesome free tools, plenty of entertainment and a career. So, here
I am!

I'm trained as a programmer, but have never worked fulltime in that
capacity. Mostly I just write throw away scripts to accomplish specific
tasks. I've never worked on a team of developers and am pretty new to git.
That said, my Python and web app security knowledge are decent so I'm hoping
I can contribute something.

Let me know what I need to read/do to get up to speed.

Cheers,

Dan (3rd Degree)
From: Andres R. <and...@gm...> - 2014-04-24 21:46:01

Owen,

Please read inline,

On Thu, Apr 24, 2014 at 5:02 PM, Owen Tuz <ow...@gm...> wrote:
> Looks like as good a place as any to put a "hello world" message - let me
> know what I can do.

Thanks for saying hi :) New contributors are always welcome! I've written a
small page with the "First steps as a contributor" [0], which I believe
you'll find useful. Let me know if you have any questions, feel free to
contact me (__apr__) at #w3af / freenode.

The guide mentions that you should write a new plugin, but writing a fix for
any of the bugs I linked to is equally good :D

[0] https://github.com/andresriancho/w3af/wiki/First-steps-as-a-contributor

> I'm a server admin with an interest in security (including using w3af to
> test my setups), meaning I have some decent Python experience but less
> overall development experience. Happy to work on anything from docs and code
> cleanup upwards.
>
> Cheers,
>
> Owen
>
> On Thu, Apr 24, 2014 at 8:47 PM, Andres Riancho <and...@gm...> wrote:
>>
>> List,
>>
>> 1.6 was released 24 days ago and I'm happy to say that during
>> these days we've received many "obscure" / rare bug reports [0]. If
>> someone wants to help fix, please let me know, since I'm planning the
>> 1.6.1 release (bug fixes for 1.6) for next month and I really need the
>> help!
>>
>> [0] https://github.com/andresriancho/w3af/issues?milestone=10&page=1&state=open
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Owen T. <ow...@gm...> - 2014-04-24 20:02:24

Looks like as good a place as any to put a "hello world" message - let me
know what I can do.

I'm a server admin with an interest in security (including using w3af to
test my setups), meaning I have some decent Python experience but less
overall development experience. Happy to work on anything from docs and code
cleanup upwards.

Cheers,

Owen

On Thu, Apr 24, 2014 at 8:47 PM, Andres Riancho <and...@gm...> wrote:
> List,
>
> 1.6 was released 24 days ago and I'm happy to say that during
> these days we've received many "obscure" / rare bug reports [0]. If
> someone wants to help fix, please let me know, since I'm planning the
> 1.6.1 release (bug fixes for 1.6) for next month and I really need the
> help!
>
> [0] https://github.com/andresriancho/w3af/issues?milestone=10&page=1&state=open
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-04-24 19:48:00

List,

1.6 was released 24 days ago and I'm happy to say that during
these days we've received many "obscure" / rare bug reports [0]. If
someone wants to help fix, please let me know, since I'm planning the
1.6.1 release (bug fixes for 1.6) for next month and I really need the
help!

[0] https://github.com/andresriancho/w3af/issues?milestone=10&page=1&state=open

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-04-10 13:25:20

Christian,

On Thu, Apr 10, 2014 at 9:53 AM, Christian Heinrich <chr...@cm...> wrote:
> Andres,
>
> On Tue, Apr 8, 2014 at 8:39 AM, Andres Riancho <and...@gm...> wrote:
>> Were you able to test the latest w3af in Kali? We packaged 1.6.0.1
>
> I have added it to my TODO list.
>
> What is the total time needed to execute the test suite?

Don't run the whole test suite, just a couple of scans against your sites

> While I am aware that the test suite creates a mock web application,
> does the test suite require an Internet connection still?
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Christian H. <chr...@cm...> - 2014-04-10 12:53:35

Andres,

On Tue, Apr 8, 2014 at 8:39 AM, Andres Riancho <and...@gm...> wrote:
> Were you able to test the latest w3af in Kali? We packaged 1.6.0.1

I have added it to my TODO list.

What is the total time needed to execute the test suite?

While I am aware that the test suite creates a mock web application,
does the test suite require an Internet connection still?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
From: Andres R. <and...@gm...> - 2014-04-08 13:54:51

Jarrod,

Welcome :) How are you interested in contributing? What's your experience
with python and web security? What would you like to learn while doing this?

On Tue, Apr 8, 2014 at 10:51 AM, Jarrod Coulter <coc...@ho...> wrote:
> Hello world! I am interested in contributing to the w3af project.
>
> Thanks,
> J

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Jarrod C. <coc...@ho...> - 2014-04-08 13:51:39

Hello world! I am interested in contributing to the w3af project.

Thanks,
J
From: Andres R. <and...@gm...> - 2014-04-07 22:39:43

Christian,

On Sat, Apr 5, 2014 at 10:05 PM, Christian Heinrich <chr...@cm...> wrote:
> Andres,
>
> As far as I am aware there are no tests specific to Python and Kali Linux
> i.e. https://wiki.debian.org/Python/Packaging#Example_2:_Python_application
>
> The workflow I use is to create the Kali package then install it on a
> "new" Kali VM (I use "snapshots" under VMWare so the test is
> repeatable) and execute all the w3af tests within the Kali Linux
> terminal itself i.e. not executed as part of the package installation
> itself.
>
> The above might not be clear so I will put a wiki page with
> screenshots together and publish it on GitHub.

It was clear, thanks. No need for that wiki with screenshots.

Were you able to test the latest w3af in Kali? We packaged 1.6.0.1

Regards,

> On Fri, Apr 4, 2014 at 10:34 PM, Andres Riancho
> <and...@gm...> wrote:
>> Christian,
>>
>> Did you review the changes in the w3af package? What can we
>> improve? Could you test the package in a vanilla Kali?
>>
>> I believe that running all tests is not an option for testing the
>> deb package, running all packages simply takes a lot of time. We could
>> write one or two tests, with a target of a local webserver, and run a
>> simple scan against that... but as with everything I'm doing these
>> days, I would like it to be automated. The tool to use in this case
>> seems to be auto-pkg-test: any experience with that?
>>
>> [0] http://packaging.ubuntu.com/html/auto-pkg-test.html
>>
>> Regards,
>>
>> On Thu, Apr 3, 2014 at 9:27 PM, Christian Heinrich
>> <chr...@cm...> wrote:
>>> Andres,
>>>
>>> The w3af "nose" tests, etc should be executed within the
>>> ./DEBIAN/rules file i.e.
>>> https://github.com/andresriancho/w3af-kali/blob/master/debian/rules.
>>>
>>> As far as I am aware there is no Continuous Integration (CI) for Kali
>>> Linux however CI should be possible with Tox and Jenkins. You have
>>> also raised Tox in the past within
>>> https://github.com/andresriancho/w3af/issues/1048
>>>
>>> On Fri, Apr 4, 2014 at 1:33 AM, Andres Riancho <and...@gm...> wrote:
>>>> How do you believe we can improve the package? Could you run some
>>>> tests over it to make sure it works well? Do you believe we could add
>>>> some type of automated build + test to the process to make sure it
>>>> doesn't break?
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>>
>>> http://cmlh.id.au/contact
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-04-07 22:38:00

Just a small update on the w3af API, the priority for it is rather low as
you can see in the milestone list [0]. While I'm very interested in this
subject, I believe that the other milestones should be completed before.

This doesn't mean that the API requires code from the previous milestones,
so if anyone wants to start working on it, I'll be happy to assist and help
with the writing of some pieces of code.

I wrote some ideas around having a minimal API in the w3af wiki [1]. The
document is still very trivial, but will be a good starting point for the
next things to do.

[0] https://github.com/andresriancho/w3af/issues/milestones?with_issues=yes
[1] https://github.com/andresriancho/w3af/wiki/REST-API-v1.0

On Thu, Mar 20, 2014 at 12:21 PM, Delaporte, Edward Charles V <del...@il...> wrote:
> I'm switching out of lurk mode briefly to say that I'm delighted by the plan
> to add a REST API, and would be happy to assist.
>
> This is something my team may well make use of in the future. We do most of
> our scanning with IBM Rational AppScan at the moment, but I've been
> considering w3af as a supplement for a while.
> Being able to automate w3af through a REST API would go a long way toward
> being able to scan a lot more often (our AppScan license is currently booked
> pretty solidly doing final acceptance scans).
>
> Once the w3af scan REST API is in prototype stage, I should be able to find
> some things around here to test it against, and since the technology stack
> matches ours, I may also be able to submit patches for simple issues.
>
> - Edward
>
> Edward Delaporte
>
> Lead Software Developer, CITES Software Development Group
> University of Illinois at Urbana Champaign
>
> Email: del...@il...
> Lync/Cell Phone: 217-244-6420
>
> ________________________________________
> From: w3a...@li... [w3a...@li...]
> Sent: Thursday, March 20, 2014 10:09 AM
> To: w3a...@li...
> Subject: W3af-develop Digest, Vol 74, Issue 3
>
> Today's Topics:
>
> 1. Bug fixing sprint (Andres Riancho)
> 2. REST API for w3af (Andres Riancho)
> 3. Re: REST API for w3af (Bipin Upadhyay)
> 4. Re: REST API for w3af (Andres Riancho)
> 5. Re: REST API for w3af (Bipin Upadhyay)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 19 Mar 2014 15:48:17 -0300
> From: Andres Riancho <and...@gm...>
> Subject: [W3af-develop] Bug fixing sprint
> To: "w3a...@li..." <W3a...@li...>
> Message-ID: <CA+1Rt65oi_H3G2nR9hgJGr=Tom...@ma...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> List,
>
> I've been fixing a lot of the bugs I prioritized last week, these
> are the bugs blocking the next release:
>
> * nosetests w3af/plugins/tests/audit/test_os_commanding.py is unstable
> * Broken youtube links and url links
> * AssertionError: Can NOT join a stopped consumer
> * An exception was found while running audit.os_commanding at
> mutant.py:_create_mutants_worker():274
> * pybloomfiltermmap stack overflow crash on startup - Mac OSX blocker
>
> And you can find them here [0]. If you're interested in helping
> out with any of those, you're more than welcome to join the w3af
> channel at freenode and speak up!
>
> [0] https://github.com/andresriancho/w3af/issues?labels=bug&milestone=7&state=open
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Mar 2014 11:47:00 -0300
> From: Andres Riancho <and...@gm...>
> Subject: [W3af-develop] REST API for w3af
> To: "w3a...@li..." <w3a...@li...>, "w3a...@li..." <W3a...@li...>
> Message-ID: <CA+1Rt67yxjGOXX3dBAC0tYi3UJ=_V9...@ma...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Lists,
>
> Talking with different users off-list, I've noticed that the
> advanced users want to integrate w3af with other tools, and while this
> is possible today (w3af console script + XML output) it is not the
> best approach.
>
> The world is moving towards REST APIs, and we're going there too.
> A REST API allows users to spawn a w3af server in their datacenter and
> have it run scans of all their web applications, calling it remotely
> from continuous integration / delivery systems, etc.
>
> w3afRemote [1] was an innovative project built by Deb some time
> ago, which had the main goals but a different technology stack:
> xmlrpc. Together with Deb we've decided to code a REST API wrapper
> around w3afCore/kb and make that part of the project. When this is
> done you'll be able to run ./w3af_api and have a fully functioning
> HTTP daemon exposing the REST API listening on localhost.
>
> This part of the project is just starting [0]: we have the idea
> and some time to dedicate to it. If you want to join us speak now!;
> your input is very valuable.
>
> [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open
> [1] http://sourceforge.net/projects/w3afremote/
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
> ------------------------------
>
> Message: 3
> Date: Thu, 20 Mar 2014 16:01:25 +0100
> From: Bipin Upadhyay <mux...@gm...>
> Subject: Re: [W3af-develop] REST API for w3af
> To: Andres Riancho <and...@gm...>
> Cc: "w3a...@li..." <w3a...@li...>, "w3a...@li..." <W3a...@li...>
> Message-ID: <CALCtKA+jQ0JJud_TTnL8eYPpqTsChVXzZ00kDejdoekX5uaX=A...@ma...>
> Content-Type: text/plain; charset="utf-8"
>
> This is good news, Andres!
> Is the API list available somewhere for us to see before it's actually
> implemented? It's been my personal experience that defining a REST API
> properly is vital before getting started with the code. It may provoke a
> purist vs non-purist REST debate, but it mostly works in favor of the
> project.
>
> --
> Bipin Upadhyay
> http://projectbee.org/
>
> On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <and...@gm...> wrote:
>> [...]
>
> ------------------------------
>
> Message: 4
> Date: Thu, 20 Mar 2014 12:06:51 -0300
> From: Andres Riancho <and...@gm...>
> Subject: Re: [W3af-develop] REST API for w3af
> To: Bipin Upadhyay <mux...@gm...>
> Cc: "w3a...@li..." <w3a...@li...>, "w3a...@li..." <W3a...@li...>
> Message-ID: <CA+1Rt64j_pxb7xgL6v23=drz...@ma...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> +1 on defining the API before coding.
> For now nothing is really defined, any chance you've got the time to
> draft the first version in the wiki?
>
> On Thu, Mar 20, 2014 at 12:01 PM, Bipin Upadhyay <mux...@gm...> wrote:
>> [...]
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
> ------------------------------
>
> Message: 5
> Date: Thu, 20 Mar 2014 16:08:39 +0100
> From: Bipin Upadhyay <mux...@gm...>
> Subject: Re: [W3af-develop] REST API for w3af
> To: Andres Riancho <and...@gm...>
> Cc: "w3a...@li..." <w3a...@li...>, "w3a...@li..." <W3a...@li...>
> Message-ID: <CAL...@ma...>
> Content-Type: text/plain; charset="utf-8"
>
> I'd love to, but haven't played with w3af in a while (change of jobs,
> country)
> I can assist you though.
>
> --
> Bipin Upadhyay
> http://projectbee.org/
>
> On Thu, Mar 20, 2014 at 4:06 PM, Andres Riancho <and...@gm...> wrote:
>> [...]
>
> ------------------------------
>
> End of W3af-develop Digest, Vol 74, Issue 3
> *******************************************

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-04-07 21:23:37

List,

If you're interested in the subject of automated detection of DOM XSS
vulnerabilities, I recommend you start following what's going on on the
tpjs [0] project. I've been creating several issues with questions, feature
requests, etc. and most notably an idea about a REST API for their tool [1]
which would allow us to consume it and have really advanced DOM-XSS
detection support.

[0] https://github.com/neraliu/tpjs/
[1] https://github.com/neraliu/tpjs/issues/8

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Taras <ox...@ox...> - 2014-04-07 19:21:11

I think that web 2.0 spider will be the most difficult task from these ones.
So yes, your current plan looks ok.

--
Taras
https://www.oxdef.info

-------- Original message --------
From: Andres Riancho <and...@gm...>
Date: 06.04.2014 17:15 (GMT+04:00)
To: Taras <ox...@ox...>
Cc: w3a...@li..., "w3a...@li..." <W3a...@li...>
Subject: Re: [W3af-develop] Long term goals 1.7 and 1.8 releases

Perfect, then our goals are aligned :)

I've also added a 1.7.5 release for CSRF scanning support [0], but I'm
unsure about the order... what do you think, should this CSRF be in the
middle, after or before the other two?

[0] https://github.com/andresriancho/w3af/issues?milestone=13&state=open

On Sun, Apr 6, 2014 at 7:20 AM, Taras <ox...@ox...> wrote:
> Andres, I'm interested in web 2.0 crawler and adding long vuln descs.
>
> 31.03.2014 22:04, Andres Riancho writes:
>
>> List,
>>
>> The 1.7 release [0] will focus on the following:
>> * Add long vulnerability descriptions for users to be able to
>> better understand what was found
>> * Have better WAVSEP and sqlmap testenv coverage
>>
>> While the 1.8 release [1] will focus on writing a crawler capable
>> of clicking through web applications which heavily use JavaScript.
>>
>> If you want to help with any of those tasks, let me know!
>> Contributors are always welcome :)
>>
>> [0] https://github.com/andresriancho/w3af/issues?milestone=3&page=1&state=open
>> [1] https://github.com/andresriancho/w3af/issues?milestone=9&page=1&state=open
>>
>> Regards,
>>
>
> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-04-06 13:15:43

Perfect, then our goals are aligned :)

I've also added a 1.7.5 release for CSRF scanning support [0], but I'm unsure about the order... what do you think, should this CSRF be in the middle, after or before the other two?

[0] https://github.com/andresriancho/w3af/issues?milestone=13&state=open

On Sun, Apr 6, 2014 at 7:20 AM, Taras <ox...@ox...> wrote:
> Andres, I'm interested in web 2.0 crawler and adding long vuln descs.
>
> 31.03.2014 22:04, Andres Riancho writes:
>
>> List,
>>
>> The 1.7 release [0] will focus on the following:
>> * Add long vulnerability descriptions for users to be able to
>> better understand what was found
>> * Have better WAVSEP and sqlmap testenv coverage
>>
>> While the 1.8 release [1] will focus on writing a crawler capable
>> of clicking through web applications which heavily use JavaScript.
>>
>> If you want to help with any of those tasks, let me know!
>> Contributors are always welcome :)
>>
>> [0]
>> https://github.com/andresriancho/w3af/issues?milestone=3&page=1&state=open
>> [1]
>> https://github.com/andresriancho/w3af/issues?milestone=9&page=1&state=open
>>
>> Regards,
>>
>
> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Taras <ox...@ox...> - 2014-04-06 10:20:32

Andres, I'm interested in web 2.0 crawler and adding long vuln descs.

31.03.2014 22:04, Andres Riancho writes:
> List,
>
> The 1.7 release [0] will focus on the following:
> * Add long vulnerability descriptions for users to be able to
> better understand what was found
> * Have better WAVSEP and sqlmap testenv coverage
>
> While the 1.8 release [1] will focus on writing a crawler capable
> of clicking through web applications which heavily use JavaScript.
>
> If you want to help with any of those tasks, let me know!
> Contributors are always welcome :)
>
> [0] https://github.com/andresriancho/w3af/issues?milestone=3&page=1&state=open
> [1] https://github.com/andresriancho/w3af/issues?milestone=9&page=1&state=open
>
> Regards,
>

--
Taras
https://www.oxdef.info
From: Christian H. <chr...@cm...> - 2014-04-06 01:13:01

Andres,

As far as I am aware there are no tests specific to Python and Kali Linux i.e. https://wiki.debian.org/Python/Packaging#Example_2:_Python_application

The workflow I use is to create the Kali package then install it on a "new" Kali VM (I use "snapshots" under VMWare so the test is repeatable) and execute all the w3af tests within the Kali Linux terminal itself i.e. not executed as part of the package installation itself.

The above might not be clear so I will put a wiki page with screenshots together and publish it on GitHub.

On Fri, Apr 4, 2014 at 10:34 PM, Andres Riancho <and...@gm...> wrote:
> Christian,
>
> Did you review the changes in the w3af package? What can we
> improve? Could you test the package in a vanilla Kali?
>
> I believe that running all tests is not an option for testing the
> deb package, running all packages simply takes a lot of time. We could
> write one or two tests, with a target of a local webserver, and run a
> simple scan against that... but as with everything I'm doing these
> days, I would like it to be automated. The tool to use in this case
> seems to be auto-pkg-test: any experience with that?
>
> [0] http://packaging.ubuntu.com/html/auto-pkg-test.html
>
> Regards,
>
> On Thu, Apr 3, 2014 at 9:27 PM, Christian Heinrich
> <chr...@cm...> wrote:
>> Andres,
>>
>> The w3af "nose" tests, etc should be executed within the
>> ./DEBIAN/rules file i.e.
>> https://github.com/andresriancho/w3af-kali/blob/master/debian/rules.
>>
>> As far as I am aware there is no Continuous Integration (CI) for Kali
>> Linux however CI should be possible with Tox and Jenkins. You have
>> also raised Tox in the past within
>> https://github.com/andresriancho/w3af/issues/1048
>>
>> On Fri, Apr 4, 2014 at 1:33 AM, Andres Riancho <and...@gm...> wrote:
>>> How do you believe we can improve the package? Could you run some
>>> tests over it to make sure it works well? Do you believe we could add
>>> some type of automated build + test to the process to make sure it
>>> doesn't break?
>>
>>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://cmlh.id.au/contact
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
From: Andres R. <and...@gm...> - 2014-04-04 11:35:07

Christian,

Did you review the changes in the w3af package? What can we improve? Could you test the package in a vanilla Kali?

I believe that running all tests is not an option for testing the deb package, running all packages simply takes a lot of time. We could write one or two tests, with a target of a local webserver, and run a simple scan against that... but as with everything I'm doing these days, I would like it to be automated. The tool to use in this case seems to be auto-pkg-test: any experience with that?

[0] http://packaging.ubuntu.com/html/auto-pkg-test.html

Regards,

On Thu, Apr 3, 2014 at 9:27 PM, Christian Heinrich <chr...@cm...> wrote:
> Andres,
>
> The w3af "nose" tests, etc should be executed within the
> ./DEBIAN/rules file i.e.
> https://github.com/andresriancho/w3af-kali/blob/master/debian/rules.
>
> As far as I am aware there is no Continuous Integration (CI) for Kali
> Linux however CI should be possible with Tox and Jenkins. You have
> also raised Tox in the past within
> https://github.com/andresriancho/w3af/issues/1048
>
> On Fri, Apr 4, 2014 at 1:33 AM, Andres Riancho <and...@gm...> wrote:
>> How do you believe we can improve the package? Could you run some
>> tests over it to make sure it works well? Do you believe we could add
>> some type of automated build + test to the process to make sure it
>> doesn't break?
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Christian H. <chr...@cm...> - 2014-04-04 00:27:29

Andres,

The w3af "nose" tests, etc should be executed within the ./DEBIAN/rules file i.e. https://github.com/andresriancho/w3af-kali/blob/master/debian/rules.

As far as I am aware there is no Continuous Integration (CI) for Kali Linux however CI should be possible with Tox and Jenkins. You have also raised Tox in the past within https://github.com/andresriancho/w3af/issues/1048

On Fri, Apr 4, 2014 at 1:33 AM, Andres Riancho <and...@gm...> wrote:
> How do you believe we can improve the package? Could you run some
> tests over it to make sure it works well? Do you believe we could add
> some type of automated build + test to the process to make sure it
> doesn't break?

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
From: Andres R. <and...@gm...> - 2014-04-03 14:34:16

Christian,

That's great, thanks! I've been talking with muts at the #kali-linux channel about packaging the latest w3af version and we've done some great progress. I believe that we're almost there :)

If you're already used to how Kali packages stuff, this [0] should be a good starting point for you. How do you believe we can improve the package? Could you run some tests over it to make sure it works well? Do you believe we could add some type of automated build + test to the process to make sure it doesn't break?

[0] http://git.kali.org/gitweb/?p=packages/w3af.git;a=summary

Regards,

On Wed, Apr 2, 2014 at 12:30 AM, Christian Heinrich <chr...@cm...> wrote:
> Andres,
>
> I can assist and have maintained a package for Kali Linux since December 2012.
>
> On Wed, Apr 2, 2014 at 2:47 AM, Andres Riancho <and...@gm...> wrote:
>> List,
>>
>> Anyone with experience packaging software for Debian/Ubuntu who
>> wants to help out? I would like to create a set of scripts which are
>> run each time I push to the repository, that will create the .deb
>> file, install it in a chroot and test that it works by running a scan.
>>
>> Volunteers?
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> W3af-users mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Christian H. <chr...@cm...> - 2014-04-02 03:56:05

Andres,

I can assist and have maintained a package for Kali Linux since December 2012.

On Wed, Apr 2, 2014 at 2:47 AM, Andres Riancho <and...@gm...> wrote:
> List,
>
> Anyone with experience packaging software for Debian/Ubuntu who
> wants to help out? I would like to create a set of scripts which are
> run each time I push to the repository, that will create the .deb
> file, install it in a chroot and test that it works by running a scan.
>
> Volunteers?
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
> ------------------------------------------------------------------------------
> _______________________________________________
> W3af-users mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-users

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
From: Andres R. <and...@gm...> - 2014-04-02 02:08:00

Jordan,

On Tue, Apr 1, 2014 at 10:39 PM, Jordan Metzmeier <tit...@gm...> wrote:
> On Tue, Apr 1, 2014 at 10:47 AM, Andres Riancho
> <and...@gm...> wrote:
>> List,
>>
>> Anyone with experience packaging software for Debian/Ubuntu who
>> wants to help out? I would like to create a set of scripts which are
>> run each time I push to the repository, that will create the .deb
>> file, install it in a chroot and test that it works by running a scan.
>>
>> Volunteers?
>>
>
> You will be interested in DEP-8 which are specifications of
> autopkgtest. It's used for testing binary Debian packages. It has
> schroot support for testing inside of a chroot.
>
> http://dep.debian.net/deps/dep8/

Exactly, I was looking into [0]. It looks like Ubuntu provides a "SaaS" for running the tests also.

[0] http://packaging.ubuntu.com/html/auto-pkg-test.html

> --
> Regards,
> Jordan Metzmeier
>
> ------------------------------------------------------------------------------
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Jordan M. <tit...@gm...> - 2014-04-02 01:39:41

On Tue, Apr 1, 2014 at 10:47 AM, Andres Riancho <and...@gm...> wrote:
> List,
>
> Anyone with experience packaging software for Debian/Ubuntu who
> wants to help out? I would like to create a set of scripts which are
> run each time I push to the repository, that will create the .deb
> file, install it in a chroot and test that it works by running a scan.
>
> Volunteers?
>

You will be interested in DEP-8 which are specifications of autopkgtest. It's used for testing binary Debian packages. It has schroot support for testing inside of a chroot.

http://dep.debian.net/deps/dep8/

--
Regards,
Jordan Metzmeier
From: Andres R. <and...@gm...> - 2014-04-01 15:47:48

List,

Anyone with experience packaging software for Debian/Ubuntu who wants to help out? I would like to create a set of scripts which are run each time I push to the repository, that will create the .deb file, install it in a chroot and test that it works by running a scan.

Volunteers?

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
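The "build the .deb, install it, run a scan" check proposed above, written as an added example (not w3af's own code) in the DEP-8/autopkgtest shape Jordan points to: a debian/tests/smoke-scan script, assumed to sit beside a debian/tests/control that declares "Tests: smoke-scan" and "Depends: @" so autopkgtest installs the freshly built package into its schroot before running it. The w3af console script commands, the w3af_console -s flag and python2's SimpleHTTPServer module are assumptions; the two-page site it serves is constructed.

```shell
#!/bin/sh
# Added example, not from the w3af project: DEP-8 smoke test for the w3af
# .deb, meant to live at debian/tests/smoke-scan (control: "Tests: smoke-scan",
# "Depends: @"). The w3af script syntax and "w3af_console -s" are assumed;
# the local site is constructed so the test never needs network access.
set -eu

# Emit a w3af console script that crawls $1 and logs text output to $2.
make_scan_script() {
    cat <<EOF
plugins
output console,text_file
output config text_file
set output_file $2
set verbose True
back
crawl web_spider
back
target
set target $1
back
start
exit
EOF
}

# Succeed when the scan log $1 names the target $2 and the linked page the
# crawler had to discover, i.e. the installed package really ran a scan.
scan_reached_target() {
    grep -qF "$2" "$1" && grep -qF 'page.html' "$1"
}

run_smoke_scan() {
    work=$(mktemp -d)
    mkdir "$work/www"
    # Constructed two-page site: index links to page.html, so a working
    # web_spider crawl must log the second URL.
    printf '<a href="/page.html">next</a>' > "$work/www/index.html"
    printf '<p>end</p>' > "$work/www/page.html"
    (cd "$work/www" && exec python -m SimpleHTTPServer 8000) >/dev/null 2>&1 &
    server=$!
    sleep 1
    make_scan_script "http://127.0.0.1:8000/" "$work/scan.log" > "$work/scan.w3af"
    w3af_console -s "$work/scan.w3af"
    kill "$server"
    scan_reached_target "$work/scan.log" "http://127.0.0.1:8000/"
}

# Only run the scan when invoked under the autopkgtest name; sourcing the
# file (e.g. to unit-test the helpers) leaves it inert.
case "$0" in *smoke-scan) run_smoke_scan ;; esac
```

autopkgtest fails the test on any non-zero exit, so a package that installs but cannot crawl the constructed site fails the build, which is the "make sure it doesn't break" check the thread asks for.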
From: Andres R. <and...@gm...> - 2014-03-31 18:05:07

List,

The 1.7 release [0] will focus on the following:
* Add long vulnerability descriptions for users to be able to better understand what was found
* Have better WAVSEP and sqlmap testenv coverage

While the 1.8 release [1] will focus on writing a crawler capable of clicking through web applications which heavily use JavaScript.

If you want to help with any of those tasks, let me know! Contributors are always welcome :)

[0] https://github.com/andresriancho/w3af/issues?milestone=3&page=1&state=open
[1] https://github.com/andresriancho/w3af/issues?milestone=9&page=1&state=open

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2014-03-31 12:55:32

Similar thing happens with https://github.com/andresriancho/w3af/commits/oxdef , please confirm I can remove.

On Mon, Mar 31, 2014 at 9:42 AM, Andres Riancho <and...@gm...> wrote:
> Taras,
>
> There is a branch [0] which hasn't been touched in 3 years, and I
> was wondering if I could remove it. I believe this branch came from
> the SVN migration, and doesn't have anything useful in it, but I'll
> wait for your confirmation before removing. Thanks!
>
> [0] https://github.com/andresriancho/w3af/tree/taras
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3