MemeStreams Discussion
This page contains all of the posts and discussion on MemeStreams referencing the following web page: W3af: Web Application Attack and Audit Framework. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

W3af: Web Application Attack and Audit Framework
by Acidus at 11:19 am EDT, Oct 19, 2007

Caleb and I joke that the conference talk we most want to give, but (for various legal reasons) will never be able to give, is how to write a modern web scanner.

This architecture looks a lot like what we would discuss. But, as always, there are things that are essential that it fails to address (so far):

- Manual JavaScript? Can a brother get some SpiderMonkey?
- Captcha?
- Flash? Anyone?
- Two factor?

I need to take this for a spin. Multiple threads, authentication, logout detection, URL aliasing, transparent proxies, load balancers, and thread management are either not mentioned or are *way* too glossed over in the presentation. These are things people think are easy that become Hard Problems(tm) when scaling to enterprise environments.

If you are fingerprinting with HTTPrint you have a lot to learn.

The nod to client-side static analysis of code was nice and sounded very familiar... [looks at open Visual Studio currently in debugging]... very familiar indeed...

Keep your eye on this project.
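One of the "Hard Problems" named above, logout detection, as an added example that is not part of Acidus's post and not w3af's code. An authenticated crawler that cannot tell it has been logged out silently scans the login page for the rest of the run. The guard below treats a redirect to the login path or a 200 whose body carries a login form as session loss, re-authenticates once, and retries; it also refuses to crawl login/logout URLs so the scanner does not log itself out. The target site is a constructed in-process stand-in with made-up credentials (`scanner`/`s3cret`), a `sid` cookie, and a `/login` path; those names and the idle-timeout behaviour are assumptions for the demo, not anything from the page.

```python
import itertools
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


class FakeTarget:
    """Constructed in-process stand-in for the site being scanned (no network).

    Sessions are server-side tokens handed out by login(); every `expire_every`
    page requests the server silently drops the caller's session, the kind of
    idle timeout that derails a naive authenticated crawl.
    """

    def __init__(self, expire_every: int = 0):
        self.expire_every = expire_every
        self._sessions = set()
        self._ids = itertools.count(1)
        self._served = 0

    def login(self, user: str, password: str) -> Response:
        if (user, password) != ("scanner", "s3cret"):  # constructed credentials
            return Response(200, {}, "<form action='/login' method='post'>bad login</form>")
        sid = f"sess{next(self._ids)}"
        self._sessions.add(sid)
        return Response(302, {"Location": "/home", "Set-Cookie": f"sid={sid}; Path=/; HttpOnly"}, "")

    def get(self, path: str, cookies: Dict[str, str]) -> Response:
        if path == "/login":
            return Response(200, {}, "<form action='/login' method='post'>...</form>")
        self._served += 1
        sid = cookies.get("sid")
        if self.expire_every and self._served % self.expire_every == 0:
            self._sessions.discard(sid)  # simulated server-side session expiry
        if sid not in self._sessions:
            return Response(302, {"Location": f"/login?next={path}"}, "")
        return Response(200, {}, f"<html>{path} as {sid}<a href='/logout'>log out</a></html>")


class SessionGuard:
    """Wraps page fetches: detects session loss, re-authenticates once, retries."""

    LOGIN_PATH = "/login"  # assumed for the demo target
    # Never crawl these: the scanner would log itself out or spin on the login form.
    SKIP = re.compile(r"^/(login|logout|signout)(\?|/|$)", re.I)
    # A 200 whose body carries a login form is a "soft" logout; a page that merely
    # links to /login is not, so match the form element rather than the URL string.
    LOGIN_FORM = re.compile(r"<form[^>]+action=['\"]?/login\b", re.I)

    def __init__(self, target: FakeTarget):
        self.target = target
        self.cookies: Dict[str, str] = {}
        self.relogins = 0

    def login(self) -> None:
        resp = self.target.login("scanner", "s3cret")
        if self.looks_logged_out(resp) or "Set-Cookie" not in resp.headers:
            raise RuntimeError("login failed")
        name, value = resp.headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
        self.cookies[name] = value  # a fresh login replaces the dead session cookie

    def looks_logged_out(self, resp: Response) -> bool:
        if resp.status in (301, 302, 303, 307, 308):
            return resp.headers.get("Location", "").split("?", 1)[0] == self.LOGIN_PATH
        return resp.status == 200 and bool(self.LOGIN_FORM.search(resp.body))

    @classmethod
    def should_skip(cls, path: str) -> bool:
        return bool(cls.SKIP.match(path))

    def fetch(self, path: str) -> Response:
        resp = self.target.get(path, self.cookies)
        if self.looks_logged_out(resp):
            self.relogins += 1
            self.login()
            resp = self.target.get(path, self.cookies)
            if self.looks_logged_out(resp):  # bounded: one re-login per fetch, then fail loudly
                raise RuntimeError(f"still logged out after re-login: {path}")
        return resp


def crawl(paths: List[str], expire_every: int) -> Tuple[List[str], int]:
    """Fetch every crawlable path through the guard; return bodies and re-login count."""
    target = FakeTarget(expire_every=expire_every)
    guard = SessionGuard(target)
    guard.login()
    bodies = [guard.fetch(p).body for p in paths if not guard.should_skip(p)]
    return bodies, guard.relogins


if __name__ == "__main__":
    pages, relogins = crawl(["/a", "/b", "/logout", "/c", "/d", "/e"], expire_every=3)
    print(f"fetched {len(pages)} pages, re-authenticated {relogins} times")
```

Two design points matter more than the code: the "logged out" decision keys on the login *form* rather than on the string "login" anywhere in the page, so a navigation bar linking to /login does not trigger a re-login storm; and the retry is bounded to one re-authentication per fetch, so a target that really has locked the account fails the scan instead of hammering the login endpoint. Real scanners add a third signal, comparing the response against a fingerprint of the known login page, which this demo omits.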
