Posted by: andres.riancho
Prepare yourself for great news: Holm Security, an information security solutions provider based in Sweden, is sponsoring the w3af project!
Holm Security is a company focused on automated and continuous vulnerability assessments for network, web and fraud prevention. Their platform is called Holm Security VMP where VMP stands for Vulnerability Management Platform.
w3af is one of the key components in their web scanning ...
Read more →Posted by: andres.riancho
Today I spent the evening improving the `html_file` plugin, which is used to generate HTML reports based on w3af’s findings. The old version had many issues, the main being that it used hard-coded HTML string concatenation to create the report (uff!) and an encoding bug which was stopping users from generating reports in some edge cases. Since fixing the hard-coded HTML issue also fixed the encoding bug, I decided to go ahead and Read more →
Posted by: andres.riancho
Interested in learning more about web application security and Python? Join our mentorship program! I’m offering to guide three students in a 1 month learning process where they’ll learn by doing.
This is the first of hopefully many of these mentorship programs, the basics are:
tl;dr Don’t write your own web application security scanner, it is too hard. Contribute to an existing project instead.
Every now and then I receive an email with this format: “I’ve used web scanning tool X for a while and it doesn’t work the way I want. I’m writing my own tool and would like you to help me with some ideas/pointers”. Usually I answer privately, but that doesn’t seem to be scaling, so here’s my public response to all of you.
Writing and ...
Read more →Posted by: andres.riancho
Going to be at BlackHat this year? I’ll be there too! Come visit our booth at the BlackHat Arsenal on Thursday 7 August: Breakers JK – Station 2 12:45 – 14:45.
I’ll be showing the new framework features with demos and source code.
Read more →Posted by: andres.riancho
After all the wait, expectations, and hard work I present you the 1.6 release:
New users should follow the usual installation procedure:
If you already have a w3af installation the migration should be fairly easy, just:
The requirements for the latest version have changed, ...
Read more →Posted by: andres.riancho
Every now and then I ask for a favor, and… well… now I’m asking for one! The next release will be on Monday, and I need you to test w3af to make sure it doesn’t have any critical bugs before I merge into develop into master.
I’ve been working hard on fixing a ton of bugs, improving performance, continuous integration and many other things.
All 1300+ unittests PASS in the continuous integration ...
Read more →Last week a pull request to update the French translation of our user’s guide made me focus my attention on our documentation. I started to think about the requirements for a great w3af documentation: feature complete, easy to write, easy for users to contribute, updated, searchable and easy to find. Our documentation met almost none: the last update was almost a year ago, was written in ODT and manually exported to HTML and PDF and wasn’t indexed by any ...
Read more →If you’ve talked with me during the last year, you noticed how in love I’m with continuous integration, test driven development and all related with increasing the development speed of a team without compromising quality.
Ten months ago I decided it was time to run w3af’s unit-test suite in a CI system, but due to other more important projects the task was delayed. Finally a couple of weeks ago I ...
Read more →Posted by: andres.riancho
A couple of days ago I was contacted by Christy Philip Mathew with a short and interesting email:
I was visiting your website and found an XSS Vulnerability. Please find the URL below. Thanks
http://w3af.org/#!prettyPhoto/2,%3Ca%20onclick=%22alert%28/XSS Vulnerability/%29;%22%3E/
My first thought was: “Well, this happens to everyone, lets fix it quickly”. After some minor analysis of the URL (before clicking it, I wasn’t going to click without reading !) I realized that this was a DOM XSS. ...
Read more →