w3af - Web Application Attack and Audit Framework beta 6 released

In: Application Scanner , Framework , Vulnerability Scanner , w3af

12 April 2008

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Beta6 introduces some new features like the GTK user interface, new plugins and A LOT of bug fixes

Known features :

Audit

SQL injection detection
XSS detection
SSI detection
Local file include detection
Remote file include detection
Buffer Overflow detection
Format String bugs detection
OS Commanding detection
Response Splitting detection
LDAP Injection detection
Basic Authentication bruteforce
File upload inside webrot
htaccess LIMIT misconfiguration
SSL certificate validation
XPATH injection detection
unSSL (HTTPS documents can be fetched using HTTP)
dav

Discovery

Pykto, a nikto port to python
Hmap, http fingerprinting.
fingerGoogle, finds valid user accounts in google.
googleSpider, a spider that uses google.
webSpider, a classic web spider.
robotsReader
urlFuzzer
serverHeader, fetches server header
allowedMethods, gets a list of allowed HTTP methods.
crossDomain, get and parse the flash file crossdomain.xml
error404page, generate a regular expression to match 404 pages.
sitemapReader, read googles sitemap.xml and parse it.
spiderMan, using a localproxy and a human, find new URLs for auditing.
webDiff, find differences between a local and a remote directory.
wsdlFinder, find and parse WSDL and DISCO files

Grep

collectCookies
directoryIndexing
findComments
pathDisclosure
strangeHeaders
grep for pages using ajax and report them
domXss, find DOM cross site scripting vulnerabilities.
errorPages, search for eror pages that are too descriptive.
fileUpload, find forms with file upload capabilities.
getMails
http authentication detection
objects detection
privateIP disclosure detection
wsdlGreper, greps every page searching for WSDL documents.

Output

console
htmlFile
textFile

Mangle

sed, a stream editor for HTTP requests and responses.

Evasion

reversedSlashes
rndCase
rndHexEncode
rndParam
rndPath
selfReference

Attack

davShell
fileUploadShell
googleProxy
localFileReader
mysqlWebShell
osCommandingShell
remoteFileIncludeShell
rfiProxy
sqlmap
xssBeef

Post scriptum

Download

Compliance Mandates

Application Scanner :
PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2
Vulnerability Scanner :
PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2

Application Scanner	10 May 2010 : SQLNinja v0.2.5 released! 1 May 2010 : WhatWeb just updated to v0.4.2 29 April 2010 : WhatWeb v0.4.1 - released 28 April 2010 : NSIA (Network System Integrity Analysis) v0.8.99 released 26 April 2010 : Acunetix WVS v6.5 build 20100419 released
Framework	12 April 2010 : Windows Autopwn (winAUTOPWN) v2.2 released 31 March 2010 : W3AF v1.0-rc3 released 29 March 2010 : Vicnum v1.4 released 28 March 2010 : Zenamics released BinCrowd the First collaborative reverse engineering tool 27 March 2010 : OWASP Broken Web Applications v0.91rc1 available
Vulnerability Scanner	12 May 2010 : Complemento v0.7.6 - Collection of Tools 22 April 2010 : OpenSCAP v0.5.9 released 20 April 2010 : Sandcat v4.0 released 15 April 2010 : Nessus v4.2.2 released 9 April 2010 : SARA-7.9.2a the final version released
w3af	18 March 2010 : W3AF ported to FreeBSD 28 February 2009 : W3af v1.0-rc1 released 7 October 2008 : W3af Framework beta7 released 3 June 2008 : w3af r1243 : The Windows version released 12 April 2008 : w3af - Web Application Attack and Audit Framework beta 6 released