Caleb and I joke that the conference talk we most want to give, but (for various legal reasons) will never be able to give, is how to write a modern web scanner. This architecture looks a lot like what we would discuss. But, as always, there are things that are essential that it fails to address (so far) -Manual JavaScript? Can a brother get some Spidermonkey? -Captcha? -Flash? Anyone? -Two factor? I need to take this for a spin. Multiple threads, authentication, log out detection, URL aliasing, transparent proxies, load balancers, and thread management are either not mentioned or are *way* too glossed over in the presentation. These are things people think are easy that become Hard Problems(tm) when scaling to enterprise environments. If you are fingerprinting with HTTPrint you have a lot to learn. The nod to client-side static analysis of code was nice and sounded very familiar... [looks at open Visual Studio currently in debugging]... very familiar indeed... Keep your eye on this project. |