Penetration testing –
W3AF Tool
Pinzariu Marian – MISS 2
George Blendea – MISS 2
W3AF – About
• W3AF = Web Application Attack and Audit Framework
• Started in 2006 as an Open Source Project
• Licensed under GPLv2.0
• Entirely written using Python
• Recently the adopted development process was TDD
(Test Driven Development)
W3AF – Objectives
• Create the biggest community of Web Application
Hackers
• Become the best Open Source Web Application Scanner
• Become the best Web Application Exploitation
Framework
• Combine static code analysis and black box testing into
one framework
W3AF – Extensible with Plugins
W3AF – Vulnerability Detection (Over 200)
• SQL Injection
• Cross Site Scripting/Cross-Site Request Forgery
• DOM XSS
• Buffer Overflow
• Brute Force Authentication
• Click Jacking
• Cross Domain
• Command Injection
• XPath Injection
• … and so on
W3AF – Supported Platforms
• All Python supported platforms
• Has been tested in various Linux Distributions, Mac OSX,
FreeBSD and OpenBSD
• Windows compatible, but not officially supported
W3AF – Ranking on sectools.org
• From 125 tools
W3AF – Installation
W3AF Usage – Find XSS and SQL injections
• 1) Set Target URL
W3AF Usage – Find XSS and SQL injections
• 2) Activate plugins for vulnerabilities that we
want to detect
W3AF Usage – Find XSS and SQL injections
• 3) Save current settings (Optional)
W3AF Usage – Find XSS and SQL injections
• 4) Click “Play” and explore the results
USE CASE 1 – FULL AUDIT
• Contains scans for a number of vulnerabilities
•
Xss, sqli, csrf, brute force
USE CASE 1 – FULL AUDIT
• Results are offered in tree view after scan is completed
USE CASE 1 – FULL AUDIT
• Request and location is indicated
alongside the tree view
USE CASE 1 – FULL AUDIT
• The w3af UI also returns an URL
map on scan completion
USE CASE 2 – BRUTE FORCE – CONSOLE INTERFACE
• The console interface is straightforward
• For performing a bruteforce vulnerability scan the brutefoce plugins have to be enabled
• Auth plugins can also be enabled for a deeper scan
USE CASE 2 – BRUTE FORCE – CONSOLE INTERFACE
• Once the target is set we can run
the scan
W3AF – Comparison with other tools
• W3AF, Wapiti, Arachni, Websecurify, JSky
W3AF – Comparison with other tools
W3AF – Comparison with other tools
W3AF – Comparison with other tools
• 3/4
W3AF – Comparison with other tools
• Place 5/5
W3AF – Advantages/Disadvantages
• Advantage: very modular and flexible (python plugins are
easy to integrate)
• Disadvantage: not mature enough (number of false
negatives is still high - 2011)
Thank you for your time!
Download

W3AF – Comparison with other tools