Penetration testing – W3AF Tool
Pinzariu Marian – MISS 2
George Blendea – MISS 2

W3AF – About
• W3AF = Web Application Attack and Audit Framework
• Started in 2006 as an open source project
• Licensed under GPLv2.0
• Written entirely in Python
• The development process adopted recently is TDD (Test Driven Development)

W3AF – Objectives
• Create the biggest community of web application hackers
• Become the best open source web application scanner
• Become the best web application exploitation framework
• Combine static code analysis and black box testing into one framework

W3AF – Extensible with Plugins

W3AF – Vulnerability Detection (over 200)
• SQL injection
• Cross-site scripting / cross-site request forgery
• DOM XSS
• Buffer overflow
• Brute force authentication
• Clickjacking
• Cross domain
• Command injection
• XPath injection
• … and so on

W3AF – Supported Platforms
• All platforms supported by Python
• Tested on various Linux distributions, Mac OS X, FreeBSD and OpenBSD
• Windows compatible, but not officially supported

W3AF – Ranking on sectools.org
• Ranked among 125 tools

W3AF – Installation

W3AF Usage – Find XSS and SQL injections
• 1) Set the target URL
• 2) Activate the plugins for the vulnerabilities we want to detect
• 3) Save the current settings (optional)
• 4) Click "Play" and explore the results

USE CASE 1 – FULL AUDIT
• Contains scans for a number of vulnerabilities: XSS, SQLi, CSRF, brute force
• Results are offered in a tree view after the scan is completed
• The request and its location are indicated alongside the tree view
• The w3af UI also returns a URL map on scan completion

USE CASE 2 – BRUTE FORCE – CONSOLE INTERFACE
• The console interface is straightforward
• To perform a brute force vulnerability scan, the bruteforce plugins have to be enabled
• Auth plugins can also be enabled for a deeper scan
• Once the target is set we can run the scan

W3AF – Comparison with other tools
• W3AF, Wapiti, Arachni, Websecurify, JSky
• 3/4
• Place 5/5
(comparison charts not reproduced in the text)

W3AF – Advantages/Disadvantages
• Advantage: very modular and flexible (Python plugins are easy to integrate)
• Disadvantage: not mature enough (the number of false negatives is still high as of 2011)

Thank you for your time!
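The two use cases above (full audit for XSS/SQLi/CSRF through the GUI steps, and the brute force scan with an auth plugin from the console) can be driven without the GUI by feeding a script to w3af_console. The following is an added example written for this page, not code from the slides or from the w3af project. Everything specific in it is an assumption: the target http://192.0.2.10/ (an RFC 5737 documentation address), the report path, the login form URL and field names, the credentials, and the "Logout" string used to confirm a live session. Command and option names follow the w3af 1.6+ console; in the 2011-era releases the crawl group was named "discovery" and several option names were spelled differently, so in any version run `<plugin> config <name>` followed by `view` to list the real option names before you `set` them.

```shell
#!/bin/sh
# Added example (not from the slides or the w3af project): build a
# w3af_console script covering the GUI steps (set target, enable plugins,
# start) and the console brute force use case, then run it if
# w3af_console is on PATH. Target URL, report path, form details and
# credentials are assumptions for illustration.

write_w3af_script() {
  target="$1"      # base URL of the application under test, with trailing slash
  outfile="$2"     # path for the text_file output plugin report

  # Output plugins: findings to the console and to a text report.
  cat <<EOF
plugins
output console,text_file
output config text_file
set output_file ${outfile}
set verbose True
back
EOF

  # Crawl only beneath the target URL so the scan stays in scope.
  cat <<EOF
crawl web_spider
crawl config web_spider
set only_forward True
back
EOF

  # Use case 1 (full audit): XSS, SQL injection and CSRF checks.
  # Use case 2 (brute force): HTML login forms and HTTP basic auth.
  cat <<EOF
audit xss sqli csrf
bruteforce form_auth basic_auth
EOF

  # Auth plugin: log in through the form and log in again if the session
  # is lost, so the audit also reaches pages behind authentication.
  # (assumed form: login.php with fields "username"/"password")
  cat <<EOF
auth generic
auth config generic
set username tester
set password tester
set username_field username
set password_field password
set auth_url ${target}login.php
set check_url ${target}index.php
set check_string Logout
back
back
EOF

  # Set the target and start the scan.
  cat <<EOF
target
set target ${target}
back
start
exit
EOF
}

run_w3af_scan() {
  target="$1"
  outfile="$2"
  script="${3:-${TMPDIR:-/tmp}/w3af-scan.w3af}"
  write_w3af_script "$target" "$outfile" > "$script"
  if command -v w3af_console >/dev/null 2>&1; then
    w3af_console -s "$script"
  else
    echo "w3af_console not on PATH; script written to $script" >&2
  fi
}

# Constructed target (RFC 5737 documentation address); the report lands
# in the text_file output plugin's file.
run_w3af_scan "http://192.0.2.10/" "${TMPDIR:-/tmp}/w3af-report.txt"
```

If w3af is installed from its checkout rather than on PATH, run the generated file with `./w3af_console -s /tmp/w3af-scan.w3af` from the w3af directory. Keep `only_forward` set while testing: the brute force and audit plugins follow every crawled URL, and without it the spider will happily wander into hosts you have no authorization to test.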