W3AF Application auditing framework Beta 5 released

W3af is a fully automated auditing and exploitation framework for web applications. It is built on a plugin architecture that integrates known GPL tools such as Pykto and Hmap as well as Google-based utilities. W3af is written in Python.

Known features :

Audit

  • SQL injection detection
  • XSS detection
  • SSI detection
  • Local file include detection
  • Remote file include detection
  • Buffer Overflow detection
  • Format String bugs detection
  • OS Commanding detection
  • Response Splitting detection
  • LDAP Injection detection
  • Basic Authentication bruteforce
  • File upload inside webroot
  • htaccess LIMIT misconfiguration
  • SSL certificate validation
  • XPATH injection detection
  • unSSL (HTTPS documents can be fetched using HTTP)
  • dav

Discovery

  • Pykto, a nikto port to Python
  • Hmap, HTTP fingerprinting.
  • fingerGoogle, finds valid user accounts using Google.
  • googleSpider, a spider that uses google.
  • webSpider, a classic web spider.
  • robotsReader
  • urlFuzzer
  • serverHeader, fetches server header
  • allowedMethods, gets a list of allowed HTTP methods.
  • crossDomain, gets and parses the Flash crossdomain.xml file.
  • error404page, generates a regular expression to match 404 pages.
  • sitemapReader, reads Google's sitemap.xml and parses it.
  • spiderMan, uses a local proxy and a human to find new URLs for auditing.
  • webDiff, finds differences between a local and a remote directory.
  • wsdlFinder, finds and parses WSDL and DISCO files.

Grep

  • collectCookies
  • directoryIndexing
  • findComments
  • pathDisclosure
  • strangeHeaders
  • ajax, greps for pages using Ajax and reports them.
  • domXss, finds DOM cross site scripting vulnerabilities.
  • errorPages, searches for error pages that are too descriptive.
  • fileUpload, finds forms with file upload capabilities.
  • getMails
  • http authentication detection
  • objects detection
  • privateIP disclosure detection
  • wsdlGreper, greps every page searching for WSDL documents.

Output

  • console
  • htmlFile
  • textFile

Mangle

  • sed, a stream editor for HTTP requests and responses.

Evasion

  • reversedSlashes
  • rndCase
  • rndHexEncode
  • rndParam
  • rndPath
  • selfReference

Attack

  • davShell
  • fileUploadShell
  • googleProxy
  • localFileReader
  • mysqlWebShell
  • osCommandingShell
  • remoteFileIncludeShell
  • rfiProxy
  • sqlmap
  • xssBeef

Post scriptum

Compliance Mandates

  • Application Scanner:

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2

  • Vulnerability Scanner:

    PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16 CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001/27002 12.6, 15.2.2
