
W3AF Stable - Your thoughts?


MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun May 29, 2011 5:43 am

W3AF Stable - Your thoughts?

Recently, a stable version of W3AF was released and it promised improvements such as fewer crashes, more stability, new features, etc.

I decided to test this tool, on one of my domains just to see how much it had improved. What I immediately noticed was some of the GUI improvements, and that it seemed more streamlined.

After installation I decided to try the OWASP Top 10, but that Bing module took way too long to execute in my humble opinion; a human could do it faster with some Google Kung-Fu  :) In some cases this module could be useful though, but it was unfortunately too slow for me, and it seemed to produce an error each time I ran it, and if I disabled it, it would auto-enable itself  ;)

So I just let the scanner run, on a public test domain for web app scanners, and after a few minutes the scanner had stopped. At least the program didn't crash as it could've in previous versions; instead the crash seemed to have happened in the scanning engine, meaning I would have to start the scan all over.

What I did miss mostly, was a "skip" button when running a certain module. I've seen other scanners implement this, and in cases where I had to do a quick check, with a current module running but not producing any useful results, I would skip this module and move on to the more interesting parts.

Of course, I know that if I skip a module I might miss something. But the goal in this case was not the quantity of vulnerabilities, but actually if there was just 1 or several, and so there was  :) (Take it as a quick recon pentest, to find out if the system seems secure to a script kiddie, or similar at first glance or not.)

I haven't tested the stable version thoroughly yet, but I do intend to test it further soon. I can however, already say that there have been many improvements, so if you've avoided this tool in the past because it was too unstable, then I suggest you take a look for yourself, and perhaps provide some feedback so the developers can improve it further, whether it is public or private does not really matter.


What are your thoughts?

Official Release Notes:
Since our latest w3af release in mid January, and our new Windows installer release a couple of months ago, we've got lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code-base is no joke, it requires countless hours of writing unit-tests, running w3af scripts and most importantly: fixing bugs. Now, finally we're here!

In this latest release, we bring you a couple of the most important improvements of our framework:

* Stable code base, an improvement that will reduce your w3af crashes to a minimum. We've been working on fixing all of our long-standing bugs, wrote thousands of lines of doctests and various types of automation to make sure we can also keep improving without breaking other sections of the code.

* Auto-Update, which will allow you to keep your w3af installation updated without any effort. Always get the latest and greatest from our contributors!

* Web Application Payloads, for people that enjoy exploitation techniques, this is one of the most interesting things you'll see in web application security! We created various layers of abstraction around an exploited vulnerability in order to be able to write payloads that use emulated syscalls to read, write and execute files on the compromised web server. Keep an eye on the rapid7 community blog for an entry completely dedicated to this subject!

* PHP static code analyzer, as part of a couple of experiments and research projects, Javier Andalia created a PHP static code analyzer that performs tainted mode analysis of PHP code in order to identify SQL injections, OS Commanding and Remote File Includes. At this time you can use this very interesting feature as a web application payload. After exploiting a vulnerability try: "payload php_sca", that will download the remote PHP code to your box and analyze it to find more vulnerabilities!

And many others, such as:

* Refactoring of HTTP cache and GTK user interface code to store HTTP requests only once on disk (5% performance improvement)
* Performance improvement in sqlite database by using indexes (1% performance improvement)
* Huge w3af code-base refactoring on how URLs are handled. Moved away from handling URLs as strings into a url_object model. This reduces the number of times a URL is parsed into its component pieces (protocol, domain, path, query string, etc.) and put back together into a string, which clarifies the code and makes it run faster.

We have a stable release, w0000t! Hmmmm.... have we finished? Should we go home? No! We still have work to do; there are still features and capabilities we'd like to add. For example, as you read this, we're working on integrating the multiprocessing module into w3af's code, with the objective of using more than one CPU core at the same time and substantially improving our scanning speed. We're also working on handling of encodings by the use of unicode strings across the whole framework, and making the user experience more intuitive in the UI.

As usual, you can get our latest installable packages from the w3af.com [0] website! Just download and enjoy our latest improvements!

[0] http://w3af.sourceforge.net/#download

I'm an InterN0T'er

lorddicranius

Sr. Member

Posts: 457

Joined: Thu Mar 03, 2011 3:54 am

Post Sun May 29, 2011 9:27 am

Re: W3AF Stable - Your thoughts?

I haven't used w3af since the stable release, so I don't have anything to add from that front. But as for the Bing module re-enabling itself, I found that if I had discovery>userDir enabled, it auto-enabled finger(Bing/Google/PKS). After a little digging around Google search results, I found a few people saying that's how the userDir module worked (auto-enabled those 3 finger modules). I don't know if you had userDir enabled or not, but it could be some other module requiring those.
GSEC, eCPPT, Sec+

andres.riancho

Newbie

Posts: 2

Joined: Thu Sep 02, 2010 10:16 am

Post Mon May 30, 2011 7:31 am

Re: W3AF Stable - Your thoughts?

MaXe,

Thank you for your feedback (although it would have been better to post it to the w3af-users mailing list :). A couple of comments about your feature requests:

  • There is an "auto enable dependencies" setting that's on by default, and can be disabled if you want to. It means that if plugin A depends on plugin B, and plugin A is enabled, plugin B will be auto-enabled. That's in "misc-settings" of the framework.
  • We were not planning a "skip this plugin" button, but that's a great idea. What we had in mind was a "stop the whole discovery phase" button {0}. Just added your feature request {1} for our sprint #14, which means that for the next release your feature should be there :)

Please keep sending feedback, we're more than happy to code any feature requests that we feel the community as a whole will like!

{0} http://sourceforge.net/apps/trac/w3af/ticket/148648
{1} https://sourceforge.net/apps/trac/w3af/ticket/164183
Last edited by andres.riancho on Mon May 30, 2011 7:33 am, edited 1 time in total.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon May 30, 2011 3:12 pm

Re: W3AF Stable - Your thoughts?

lorddicranius wrote: I haven't used w3af since the stable release, so I don't have anything to add from that front. But as for the Bing module re-enabling itself, I found that if I had discovery>userDir enabled, it auto-enabled finger(Bing/Google/PKS). After a little digging around Google search results, I found a few people saying that's how the userDir module worked (auto-enabled those 3 finger modules). I don't know if you had userDir enabled or not, but it could be some other module requiring those.


Ah nice, I didn't know that  :) Thanks for the information  ;)

andres.riancho wrote: MaXe,

Thank you for your feedback (although it would have been better to post it to the w3af-users mailing list :). A couple of comments about your feature requests:

  • There is an "auto enable dependencies" setting that's on by default, and can be disabled if you want to. It means that if plugin A depends on plugin B, and plugin A is enabled, plugin B will be auto-enabled. That's in "misc-settings" of the framework.
  • We were not planning a "skip this plugin" button, but that's a great idea. What we had in mind was a "stop the whole discovery phase" button {0}. Just added your feature request {1} for our sprint #14, which means that for the next release your feature should be there :)

Please keep sending feedback, we're more than happy to code any feature requests that we feel the community as a whole will like!

{0} http://sourceforge.net/apps/trac/w3af/ticket/148648
{1} https://sourceforge.net/apps/trac/w3af/ticket/164183

Thanks for taking your time to read the thread, and respond here Andres.

I wrote a slightly longer reply, but somehow my browser didn't agree with me on that, so I'll write the most important points again. Anyway, the thread here wasn't written to create a bad image around W3AF; it was simply to share my thoughts, and to hear other opinions as well.  :)

About the "auto enable dependencies" function, it's nice that you can turn it off, but I'd rather see a popup telling me that I need to activate a particular plugin, or several (checkboxes), in order to run the specific modules I have checked. This popup should of course only become active if a plugin needs to be activated due to a dependency. Is this a current feature I've missed, when disabling the "auto enable dependencies" feature? :)

It's also very nice that you have added a new "skip" button feature request, and if it is implemented then I'll most likely try it out, and see how well it works  ;)


Best regards,
MaXe
I'm an InterN0T'er
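The two dependency behaviours discussed in this thread, implemented side by side as an added example. This is not w3af's own code and says nothing about how w3af resolves plugin dependencies internally; the plugin names and the dependency edges (apart from the userDir -> finger* relation lorddicranius mentions) are constructed for the illustration. With `auto_enable_dependencies=True` it does what andres.riancho describes as the default: silently enable whatever the selection requires. With it set to `False` it does what MaXe asks for instead: refuse to run and report exactly which plugins would have to be enabled and which selected plugin needs each of them, which is the information a confirmation popup with checkboxes would display.

```python
"""Plugin dependency resolution: auto-enable versus prompt.

Added example, not w3af code. Plugin names and dependency edges below are
constructed for the illustration (only userDir -> finger* is from the thread).
"""

from collections import deque

# Constructed dependency graph: plugin -> set of plugins it requires.
DEPENDENCIES = {
    "discovery.userDir": {
        "discovery.fingerBing",
        "discovery.fingerGoogle",
        "discovery.fingerPKS",
    },
    "discovery.fingerBing": set(),
    "discovery.fingerGoogle": set(),
    "discovery.fingerPKS": set(),
    "discovery.webSpider": set(),
    "audit.sqli": {"discovery.webSpider"},          # hypothetical edge
    "grep.passwordProfiling": {"discovery.webSpider"},  # hypothetical edge
}


class MissingDependencyError(Exception):
    """Raised when auto-enable is off and the selection is incomplete."""

    def __init__(self, missing):
        # missing: required plugin -> set of selected plugins that need it
        self.missing = missing
        super().__init__(
            "selected plugins require dependencies that are not enabled: "
            + ", ".join(sorted(missing))
        )


def required_plugins(selected, deps=DEPENDENCIES):
    """Return {dependency: {selected plugins that transitively need it}}
    for every plugin that is required but not in `selected`.

    Breadth-first walk from each selected plugin; the `seen` set makes the
    walk terminate even if the graph contains a cycle.
    """
    needed = {}
    for root in selected:
        seen = set()
        queue = deque(deps.get(root, ()))
        while queue:
            plugin = queue.popleft()
            if plugin in seen:
                continue
            seen.add(plugin)
            if plugin not in selected:
                needed.setdefault(plugin, set()).add(root)
            queue.extend(deps.get(plugin, ()))
    return needed


def resolve_plugins(selected, auto_enable_dependencies=True, deps=DEPENDENCIES):
    """Compute the final plugin set for a scan.

    auto_enable_dependencies=True : silently add the missing dependencies.
    auto_enable_dependencies=False: raise MissingDependencyError carrying the
        exact list a UI could show the user before anything is enabled.
    """
    unknown = sorted(p for p in selected if p not in deps)
    if unknown:
        raise KeyError("unknown plugins: " + ", ".join(unknown))
    missing = required_plugins(selected, deps)
    if not missing:
        return set(selected)
    if auto_enable_dependencies:
        return set(selected) | set(missing)
    raise MissingDependencyError(missing)


if __name__ == "__main__":
    # Default behaviour: userDir quietly pulls in the three finger* plugins.
    print(sorted(resolve_plugins({"discovery.userDir"})))
    # Prompt-style behaviour: report what would have to be enabled, and why.
    try:
        resolve_plugins({"audit.sqli", "grep.passwordProfiling"},
                        auto_enable_dependencies=False)
    except MissingDependencyError as err:
        for dep, needed_by in sorted(err.missing.items()):
            print(f"{dep} is required by {sorted(needed_by)}")
```

The value of the `False` branch is that the dependency map is computed before any plugin state changes, so the user sees the full list of what a selection implies (including transitive dependencies) and can decide, rather than discovering a slow module like fingerBing only once the scan is already running.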
