[Openvas-discuss] Q&A something about w3af in openvas
Stefan.Schwarz at unibw.de
Fri Nov 25 11:39:28 CET 2011
On 25.11.2011 11:03, Jan-Oliver Wagner wrote:
> On Thursday, 24. November 2011, 孙松柏 wrote:
>> I use w3af in openvas. The w3af OID which is wrapped in openvas is
>> I made w3af_console as an environment variable, so I think openvas can find
>> it.
>> But after a scan test,
>> I cannot see any w3af scan result by searching for the OID.
>> Why doesn't it work?
> Hard to tell without details. Maybe it even worked but you don't see it.
> First, it is helpful to know which OpenVAS you are using.
> Then, which Scan Config. Are other scans working OK?
> And so on ;-)
If you enabled w3af you should also have "w3af" in the search path
(should be by default when installing as a package).
Have a look at the report-sections with severity low and/or log, you
should see something like:
NVT: w3af (NASL wrapper) (OID: 188.8.131.52.4.1.256184.108.40.206109)
Here is the w3af report:
[ Fri Nov 25 08:56:02 2011 - information ] Auto-enabling plugin:
[ Fri Nov 25 08:56:02 2011 - Enabled plugins ] plugins
[ Fri Nov 25 08:56:02 2011 - Enabled plugins ] audit sqli, xss
Unfortunately there seems to be a problem connecting to console.
[ Sun Nov 20 10:17:47 2011 - information ] Finished scanning process.
[ Sun Nov 20 10:17:47 2011 - console ] termios error: (25,
'Inappropriate ioctl for device
which makes w3af currently unusable (tested on actual SVN and GSA)
But I'm not sure if using w3af within openvas really would be useful.
w3af is a powerful web application scanning framework and needs some
time for a reliable scan, definitely too much for openvas especially
when scanning multiple hosts.
I'm using openvas for a first shot and run w3af manually on suspicious
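The termios error in the w3af report quoted above carries errno 25 (ENOTTY), which a terminal call returns when the file descriptor is not a terminal. The following is an added example, not part of the original post and not w3af or OpenVAS code: it reproduces that error with a constructed stand-in child process whose stdin is a pipe, then shows that a pseudo-terminal allocated by the wrapper avoids it. That w3af_console fails for this reason when started by the scanner is an assumption.

```python
import errno
import os
import pty
import subprocess
import sys

# Constructed stand-in for a console tool that configures its terminal at
# startup. It exits 0 if stdin is a terminal, otherwise with the errno
# reported by termios.
CHILD = (
    "import sys, termios\n"
    "try:\n"
    "    termios.tcgetattr(sys.stdin.fileno())\n"
    "except termios.error as exc:\n"
    "    sys.exit(exc.args[0])\n"
    "sys.exit(0)\n"
)


def run_child(stdin_fd):
    """Start the stand-in tool with stdin_fd as its stdin; return its exit code."""
    return subprocess.run([sys.executable, "-c", CHILD], stdin=stdin_fd).returncode


def run_without_tty():
    """stdin is a pipe, as when a daemon or wrapper script spawns the tool."""
    read_end, write_end = os.pipe()
    try:
        return run_child(read_end)
    finally:
        os.close(read_end)
        os.close(write_end)


def run_with_pty():
    """stdin is the slave side of a pseudo-terminal created by the wrapper."""
    master, slave = pty.openpty()
    try:
        return run_child(slave)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    code = run_without_tty()
    print("pipe stdin ->", code, errno.errorcode.get(code, "ok"))
    print("pty stdin  ->", run_with_pty())
```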