ARTICLE

w3af - Web Application Attack and Audit Framework beta 6 released

Saturday 12 April 2008

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Beta6 introduces some new features like the GTK user interface, new plugins and A LOT of bug fixes

Known features :

Audit
- SQL injection detection
- XSS detection
- SSI detection
- Local file include detection
- Remote file include detection
- Buffer Overflow detection
- Format String bugs detection
- OS Commanding detection
- Response Splitting detection
- LDAP Injection detection
- Basic Authentication bruteforce
- File upload inside webrot
- htaccess LIMIT misconfiguration
- SSL certificate validation
- XPATH injection detection
- unSSL (HTTPS documents can be fetched using HTTP)
- dav

Discovery
- Pykto, a nikto port to python
- Hmap, http fingerprinting.
- fingerGoogle, finds valid user accounts in google.
- googleSpider, a spider that uses google.
- webSpider, a classic web spider.
- robotsReader
- urlFuzzer
- serverHeader, fetches server header
- allowedMethods, gets a list of allowed HTTP methods.
- crossDomain, get and parse the flash file crossdomain.xml
- error404page, generate a regular expression to match 404 pages.
- sitemapReader, read googles sitemap.xml and parse it.
- spiderMan, using a localproxy and a human, find new URLs for auditing.
- webDiff, find differences between a local and a remote directory.
- wsdlFinder, find and parse WSDL and DISCO files

Grep
- collectCookies
- directoryIndexing
- findComments
- pathDisclosure
- strangeHeaders
- grep for pages using ajax and report them
- domXss, find DOM cross site scripting vulnerabilities.
- errorPages, search for eror pages that are too descriptive.
- fileUpload, find forms with file upload capabilities.
- getMails
- http authentication detection
- objects detection
- privateIP disclosure detection
- wsdlGreper, greps every page searching for WSDL documents.

Output
- console
- htmlFile
- textFile

Mangle
- sed, a stream editor for HTTP requests and responses.

Evasion
- reversedSlashes
- rndCase
- rndHexEncode
- rndParam
- rndPath
- selfReference

Attack
- davShell
- fileUploadShell
- googleProxy
- localFileReader
- mysqlWebShell
- osCommandingShell
- remoteFileIncludeShell
- rfiProxy
- sqlmap
- xssBeef


POSTSCRIPTUM

Download


RELATED ARTICLES

Application Scanner, Framework, Vulnerability Scanner, w3af,

7 October 2008 : W3af Framework beta7 released
3 June 2008 : w3af r1243 : The Windows version released
12 April 2008 : w3af - Web Application Attack and Audit Framework beta 6 released
24 October 2007 : W3AF Application auditing framework Beta 5 released
13 June 2007 : W3af Framework for Web Application Auditing.