Posts by Andres Riancho

4 min Release Notes

Nexpose Reaches OWASP Top10 Coverage

Rapid7 is proud to announce that Nexpose's 5.1 web application scanning capabilities can now detect all types of vulnerabilities in OWASP's Top10 [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project]! We've completed this task with the addition of two new vulnerability checks, A5: Cross-Site Request Forgery (CSRF) [https://www.owasp.org/index.php/Top_10_2010-A5] and A8: Failure to Restrict URL Access [https://www.owasp.org/index.php/Top_10_2010-A8]. The next paragraphs will describe

1 min Release Notes

New w3af release! (1.1)

Today we're releasing w3af's 1.1 version which includes the following changes:
* Considerably increased performance by implementing gzip encoding
* Enhanced embedded bug report system using Trac's XMLRPC
* Fixed hundreds of bugs
* Fixed critical bug in auto-update feature
* Enhanced integration with other tools (bug fixed and added more info to the file)
And of course many others that were not included for the sake of brevity. As usual, you can download the latest version from ht

1 min Application Security

Rapid7 at OWASP AppSec US

OWASP's biggest show is just around the corner! This year's OWASP AppSec USA [http://www.appsecusa.org/] will be held in Minneapolis and Rapid7 is all in. We're sponsoring the show and I'm going to be participating as a speaker [http://www.appsecusa.org/talks.html#wasp] and will be showing w3af tips and tricks at the Open Source Showcase [http://www.appsecusa.org/oss.html] arena. If you haven't heard about Web Application Security Payloads yet, this will be your chance to learn about this new t

2 min Application Security

w3af: winning the fight against encodings!

The Web is not only written in ASCII [http://es.wikipedia.org/wiki/ASCII]. Most of us in the western hemisphere are used to reading different languages which, except for a couple of letters like ñ and ç, can be represented with ASCII [http://es.wikipedia.org/wiki/ASCII] (see also: man ascii), but the world has more to offer with Cyrillic, Chinese, Greek, Arabic and thousands more languages with their own special encodings. With the latest changes we've been working on together with Javier Andal

2 min Nexpose

Detecting LDAP injections

It all started to go wrong when Web applications started to replace internal desktop applications in many companies around the globe and one manager proposed: "We should authenticate access to this application using our Active Directory!" and after some minutes a developer wrote a piece of code that looked like: String ldap_search_query = "(&(user=" + username + ")(password=" + pwd + "))"; LDAPCursor ldap_result_cursor = ldapQuery( ldap_search_query ); The idea of having a centralized location for

3 min Nexpose

w3af and NeXpose's web application security scanner

Little has been said about how w3af is really helping NeXpose's web application security scanner become the best in class, and even less has been said about how NeXpose is helping w3af, so I thought I would write this short blog post and tell you all about it using a short story: The never-ending fight against memory usage. When I started to work with NeXpose, it was clear that a lot of thought had been put into making the web application scanner have the lowest memory footprint possible. If you

3 min Open Source

Being Agile within an Open Source project

When I started to work at Rapid7 almost a year and a half ago, one of the first things I thought about was: "How can w3af benefit from all the methodologies, tools and ideas that Rapid7 uses to create NeXpose?", and without using too many brain cycles it was clear that Agile development methodologies (and more specifically SCRUM) were one of those great things. During the first months as a Rapid7 employee it was very difficult for me to spend any time developing for w3af, and the hiring of our P

2 min Release Notes

w3af - And now, with a stable core

Since our latest w3af release in mid January [/2011/01/19/w3af-10-rc5-better-stronger-faster], and our new windows installer release a couple of months ago, we've got lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code-base is no joke, it requires countless hours of writing unit-tests, running w3af scripts and most importantly: fixing bugs. Now, finally we're here! In this latest release, we bring y