Merge branch 'release/1.6.45'

andresriancho · Feb 26, 2015 · b7cffaa · b7cffaa
2 parents e4d4d84 + 080c4f0
commit b7cffaa
Show file tree

Hide file tree

Showing 698 changed files with 34,682 additions and 2,596,864 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 *.py[cod]
 *.py~
 *~
+*.swp
 
 # C extensions
 *.so
@@ -28,6 +29,7 @@ pip-log.txt
 .tox
 nosetests.xml
 .noseids
+noseids.pickle
 nose.cfg
 
 # Translations
@@ -49,10 +51,25 @@ output.txt
 # This is generated by the setup_moth.py script
 django-moth
 
+# Debugging circleci high memory usage
+memory-usage.txt
+
 # Ignore sphinx builds
 doc/sphinx/_build/
 
-
+# 404 test stuff
 data.shelve
 top-1m.csv
 top-1m.csv.zip
+
+# docker build temp files
+.dockerignore
+Dockerfile
+
+# To make testing easier
+test.w3af
+output-w3af.txt
+
+# Ignore intermediate XML file
+w3af/plugins/crawl/phishtank/index.xml
+
diff --git a/circle.yml b/circle.yml
@@ -4,6 +4,46 @@
 #
 #   As a user you don't need to understand this file.
 #
+machine:
+  services:
+    - docker
+
+  python:
+    version: 2.7.3
+
+  # This is required to run WIVET
+  php:
+    version: 5.5.11
+
+  java:
+    version: oraclejdk7
+
+  post:
+    # This was required to avoid issues with different builds of python being
+    # used between the gtk libs installed in /usr/lib/python2.7/dist-packages/
+    # and the python which was put inside my virtualenv
+    - pyenv global system
+
+    # And we want to start the django-moth server
+    # https://circleci.com/docs/background-process
+    - nohup bash -c "python w3af/w3af/core/controllers/ci/setup_moth.py &" > $CIRCLE_ARTIFACTS/setup-moth-nohup.log
+
+
+checkout:
+  post:
+    # Since the auto_update feature needs the git repository history, we run
+    # this command which will retrieve it (since CircleCI doesn't for perf).
+    # In our case it is fine, and it will get cached.
+    - if [[ -e .git/shallow ]]; then git fetch --unshallow; fi
+
+    # Nasty hack: Because we get a new clone of the repo, timestamps don't
+    # correspond any more to when the file was last changed.
+    # To rectify this, first set everything to a timestamp in the past and then
+    # update the timestamp for all git-tracked files based on their last
+    # committed change.
+    - find . -exec touch -t 201401010000 {} \;
+    - for x in $(git ls-tree --full-tree --name-only -r HEAD); do touch -t $(date -d "$(git log -1 --format=%ci "${x}")" +%y%m%d%H%M.%S) "${x}"; done
+
 
 dependencies:
   cache_directories:
@@ -12,14 +52,17 @@ dependencies:
 
     # These are inside the w3af directory
     - "xpresser"
-    - "wivet-svn"
+    - "wivet"
     - "pico-wavsep"
     - "sqlmap-testenv"
     - "php-moth"
+
   pre:
-    - sudo apt-get update; sudo apt-get install python-gtksourceview2 python-gtk2 gir1.2-notify-0.7 python-pyatspi2 python-dbus python-pygame python-opencv python-scipy python-numpy stunnel4 libffi-dev
+    - sudo apt-get update
+    - sudo apt-get install python-gtksourceview2 python-gtk2 gir1.2-notify-0.7 python-pyatspi2 python-dbus python-pygame python-opencv python-scipy python-numpy stunnel4 libffi-dev
 
     # Install the core/console dependencies
+    - pip install --upgrade pip
     - w3af/core/controllers/ci/install_scripts/install_core_dependencies.sh
 
     # Install GUI dependencies
@@ -51,37 +94,18 @@ dependencies:
         background: true
         pwd: pico-wavsep
 
+    # Save docker hub credentials to file
+    - sed "s/<EMAIL>/$DOCKER_EMAIL/;s/<AUTH>/$DOCKER_AUTH/" < extras/docker/dockercfg.template > ~/.dockercfg
+
     # Wait for the daemon to be available to run the tests
     - w3af/core/controllers/ci/wait_for_moth.py
 
-machine:
-  python:
-    version: 2.7.3
-
-  # This is required to run WIVET
-  php:
-    version: 5.5.11
+  post:
+    - pip --version
+    - pip freeze
 
-  java:
-    version: oraclejdk7
 
-  post:
-    # This was required to avoid issues with different builds of python being
-    # used between the gtk libs installed in /usr/lib/python2.7/dist-packages/
-    # and the python which was put inside my virtualenv
-    - pyenv global system
-
-    # And we want to start the django-moth server
-    # https://circleci.com/docs/background-process
-    - nohup bash -c "python w3af/w3af/core/controllers/ci/setup_moth.py &" > $CIRCLE_ARTIFACTS/setup-moth-nohup.log
-
 test:
-  pre:
-    # Since the auto_update feature needs the git repository history, we run
-    # this command which will retrieve it (since CircleCI doesn't for perf).
-    # In our case it is fine, and it will get cached.
-    - if [[ -e .git/shallow ]]; then git fetch --unshallow; fi
-
   override:
     - w3af/core/controllers/ci/nosetests_wrapper/main.py:
         timeout: 360
@@ -101,6 +125,9 @@ deployment:
       # Note the master in the URLs
       - "curl --header 'Content-Type: application/json' --request POST https://circleci.com/api/v1/project/andresriancho/w3af-module/tree/master?circle-token=$W3AF_MODULE_TOKEN"
 
+      - docker pull andresriancho/w3af:stable; true
+      - cd extras/docker/ && ./docker-build.sh stable
+      - docker push andresriancho/w3af:stable
 
   staging:
     branch: develop
@@ -109,3 +136,6 @@ deployment:
       # Note the develop in the URLs
       - "curl --header 'Content-Type: application/json' --request POST https://circleci.com/api/v1/project/andresriancho/w3af-module/tree/develop?circle-token=$W3AF_MODULE_TOKEN"
 
+      - docker pull andresriancho/w3af:unstable; true
+      - cd extras/docker/ && ./docker-build.sh unstable
+      - docker push andresriancho/w3af:unstable
diff --git a/doc/CHANGELOG b/doc/CHANGELOG
@@ -1,3 +1,20 @@
+(26 Feb 2015)    Version 1.6.45
+===============================
+Github tag: https://github.com/andresriancho/w3af/tree/1.6.45
+Github milestone: https://github.com/andresriancho/w3af/issues?milestone=10
+
+* HTTP response parsers are now run in a different process
+* Added support for SSL's SNI using OpenSSL
+* Added support for scanning servers with specific SSL protocols disabled (poodle)
+* Added new platforms to the dependency check
+* Updated sqlmap
+* Performance improvements in core classes
+* Improved profiling capabilities (internal use only)
+* Improved exception handling to catch more descriptive tracebacks
+* Added new plugins for web sockets and RFD
+* Better error handling for HTTP requests
+* Huge reducion of memory usage in phishtank plugin 
+
 (12 Jun 2014)    Version 1.6.0.3
 ================================
 Github tag: https://github.com/andresriancho/w3af/tree/1.6.0.3

diff --git a/doc/sphinx/advanced-exploitation.rst b/doc/sphinx/advanced-exploitation.rst
@@ -55,8 +55,8 @@ The following is a console dump from w3af scanning a vulnerable application, exp
     - [0] <shell object (rsystem: "*nix")>
     Please use the interact command to interact with the shell objects.
     w3af/exploit>>> interact 0
-    Execute "end_interaction" to get out of the remote shell. Commands typed in this menu will be
-    runned through the local_file_reader shell
+    Execute "end_interaction" to get out of the remote shell. Commands typed in this menu will 
+    run through the local_file_reader shell
     w3af/exploit/local_file_reader-0>>> payload list_processes
     ...
     PID   NAME   STATUS          CMD
@@ -129,7 +129,7 @@ Now that we know the theory, let's see an example of what this feature can do:
     Please use the interact command to interact with the shell objects.
     w3af/exploit>>> interact 0
     Execute "end_interaction" to get out of the remote shell.
-    Commands typed in this menu will be runned on the remote web server.
+    Commands typed in this menu will run on the remote web server.
     w3af/exploit/os_commanding-0>>>
 
 Nothing really new until now, we configured w3af, started the scan and exploited the vulnerability.

diff --git a/doc/sphinx/basic-ui.rst b/doc/sphinx/basic-ui.rst
@@ -94,7 +94,7 @@ Here is a usage example of these commands in the ``http-settings`` menu:
     w3af/config:http-settings>>> back
     w3af>>>
 
-To summarize, the ``view`` command is used to list all configurable parameters, with their values and a description. The ``set`` command is used to change a value. Finally we can execute ``back``, “.” or press CTRL+C to return to the previous menu. A detailed help for every configuration parameter can be obtained using ``help parameter`` as shown in this example:
+To summarize, the ``view`` command is used to list all configurable parameters, with their values and a description. The ``set`` command is used to change a value. Finally we can execute ``back`` or press CTRL+C to return to the previous menu. A detailed help for every configuration parameter can be obtained using ``help parameter`` as shown in this example:
 
 .. code-block:: none
 

diff --git a/doc/sphinx/exploitation.rst b/doc/sphinx/exploitation.rst
@@ -31,7 +31,7 @@ During the scan vulnerabilities are found and stored in specific locations of th
     Please use the interact command to interact with the shell objects.
     w3af/exploit>>> interact 0
     Execute "end_interaction" to get out of the remote shell.
-    Commands typed in this menu will be runned on the remote web server.
+    Commands typed in this menu will run on the remote web server.
     w3af/exploit/os_commanding-0>>> ls
     v.php
     v2.php