Don’t write your own web application security scanner


tl;dr Don’t write your own web application security scanner, it is too hard. Contribute to an existing project instead.

Every now and then I receive an email with this format: “I’ve used web scanning tool X for a while and it doesn’t work the way I want. I’m writing my own tool and would like you to help me with some ideas/pointers”. Usually I answer privately, but that doesn’t seem to be scaling, so here’s my public response to all of you.

Writing and ...


The 1.6 release


After all the wait, expectations, and hard work I present you the 1.6 release:

  • Improved performance: your scans will run faster
  • Improved quality: 1300+ unittests are run after each change to make sure we don’t add any regressions
  • Now you’ll be able to easily integrate w3af into other projects with a simple import w3af
  • Better documentation

New users should follow the usual installation procedure:

If you already have a w3af installation the migration should be fairly easy, just:

The requirements for the latest version have changed, ...


Testing before Monday’s release


Every now and then I ask for a favor, and… well… now I’m asking for one! The next release will be on Monday, and I need you to test w3af to make sure it doesn’t have any critical bugs before I merge develop into master.

I’ve been working hard on fixing a ton of bugs, improving performance, continuous integration and many other things.

All 1300+ unittests PASS in the continuous integration ...


w3af’s documentation now at readthedocs.org


Last week a pull request to update the French translation of our user’s guide made me focus my attention on our documentation. I started to think about the requirements for great w3af documentation: feature complete, easy to write, easy for users to contribute to, up to date, searchable and easy to find. Our documentation met almost none of these: the last update was almost a year ago, it was written in ODT and manually exported to HTML and PDF, and it wasn’t indexed by any ...


How w3af uses Continuous Integration


If you’ve talked with me during the last year, you noticed how in love I am with continuous integration, test driven development and everything related to increasing the development speed of a team without compromising quality.

Ten months ago I decided it was time to run w3af’s unit-test suite in a CI system, but due to other more important projects the task was delayed. Finally a couple of weeks ago I ...


DOM XSS in w3af.org: Fixed!


A couple of days ago I was contacted by Christy Philip Mathew with a short and interesting email:

I was visiting your website and found an XSS Vulnerability. Please find the URL below. Thanks

http://w3af.org/#!prettyPhoto/2,%3Ca%20onclick=%22alert%28/XSS Vulnerability/%29;%22%3E/

My first thought was: “Well, this happens to everyone, let’s fix it quickly”. After some minor analysis of the URL (before clicking it; I wasn’t going to click without reading!) I realized that this was a DOM XSS. ...
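The reported payload lives entirely in the URL fragment, which the browser never sends to the server, so only client-side code ever sees it. The following is an added illustration of that source-to-sink pattern, written for this page; it is not prettyPhoto’s code nor the fix applied to w3af.org. The "#!prettyPhoto/<index>,<title>/" fragment format, the parseGalleryHash parser and the two render functions are assumptions made for the example; the payload URL is the one quoted in the email above.

```javascript
// Added example: DOM XSS from location.hash into innerHTML, and a hardened
// variant. Not prettyPhoto's or w3af.org's real code; the fragment shape and
// function names below are assumptions for illustration.

// Source: the fragment. Fully attacker-controlled, never sent to the server,
// so server-side logs, WAFs and server-side scanners never see the payload.
// Assumed shape: "#!prettyPhoto/<index>,<title>/"
function parseGalleryHash(hash) {
  let decoded;
  try {
    decoded = decodeURIComponent(hash);
  } catch (e) {
    return null; // malformed %-sequence: treat as "no gallery item"
  }
  const m = /^#!prettyPhoto\/(\d+),([^]*?)\/?$/.exec(decoded);
  if (!m) return null;
  return { index: Number(m[1]), title: m[2] };
}

// Vulnerable sink: the title is concatenated into markup that a real page would
// assign to element.innerHTML. Returned as a string so it can be inspected offline.
function renderCaptionUnsafe(hash) {
  const item = parseGalleryHash(hash);
  if (!item) return '';
  return '<div class="pp_description">' + item.title + '</div>';
}

// Hardened variant: escape the five characters that can change HTML context
// before the string reaches an HTML sink.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderCaptionSafe(hash) {
  const item = parseGalleryHash(hash);
  if (!item) return '';
  return '<div class="pp_description">' + escapeHtml(item.title) + '</div>';
}

// In a real page the better fix is to avoid innerHTML altogether:
//   const div = document.createElement('div');
//   div.className = 'pp_description';
//   div.textContent = item.title; // treated as text, never parsed as markup

// The reported URL, as quoted in the email; fragmentOf() isolates the part the
// browser keeps client-side.
const REPORTED_URL =
  'http://w3af.org/#!prettyPhoto/2,%3Ca%20onclick=%22alert%28/XSS Vulnerability/%29;%22%3E/';
function fragmentOf(url) {
  return url.slice(url.indexOf('#'));
}
```

Run it under Node and compare renderCaptionUnsafe(fragmentOf(REPORTED_URL)) with renderCaptionSafe(...): the unsafe string contains a live <a onclick=...> element, the safe one contains only entity-escaped text. The same split is why a crawler that only looks at server responses misses this class of bug: the vulnerable code path starts at location.hash, not at any HTTP parameter.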


import w3af


During the past days I’ve been working on creating a Python “w3af” module. What’s that, many may ask? Well, the basic idea is that after the feature branch is done, users will be able to “import w3af” in their Python code and extend the framework more easily.

Those who will benefit most from this change are developers who extend w3af, want to include it in other Python tools, etc. It was very difficult to do that before, but it ...


First w3af workshop


Yesterday I delivered a two hour, free, w3af workshop at the ISSA Charlotte Summit. This was the first workshop of this type I’ve delivered and the experience was great. I’m sure many awesome things will come out of it! The workshop objectives are:

  • Understand how web application scanning works and how w3af is implemented
  • Identify vulnerabilities
  • Vulnerability exploitation
  • Contributing to the project: Create new plugin and submit a pull request at Github

If you’re organizing a conference and would like to ...
