w3af – Web Application Attack and Audit Framework

Following a tip from dberga a few days ago, here is the link to the site of this fairly recent tool (beta4 was released on 10 June) dedicated to web penetration testing and auditing.

Here is the text of the announcement that Andres Riancho, the framework's author, posted on the main security mailing lists:

I’m glad to present w3af (Web Application Attack and Audit Framework), a fully automated auditing and exploiting framework for the web. This framework has been developed for almost a year and has the following features:

Audit
– SQL injection detection
– XSS detection
– SSI detection
– Local file include detection
– Remote file include detection
– Buffer Overflow detection
– Format String bugs detection
– OS Commanding detection
– Response Splitting detection
– LDAP Injection detection
– Basic Authentication bruteforce
– File upload inside webroot
– htaccess LIMIT misconfiguration
– SSL certificate validation
– XPATH injection detection
– unSSL (HTTPS documents can be fetched using HTTP)
– dav

Discovery
– Pykto, a nikto port to python
– Hmap, http fingerprinting.
– fingerGoogle, finds valid user accounts in google.
– googleSpider, a spider that uses google.
– webSpider, a classic web spider.
– robotsReader
– urlFuzzer
– serverHeader, fetches server header
– allowedMethods, gets a list of allowed HTTP methods.
– crossDomain, get and parse the flash file crossdomain.xml
– error404page, generate a regular expression to match 404 pages.
– sitemapReader, read Google's sitemap.xml and parse it.
– spiderMan, using a localproxy and a human, find new URLs for auditing.
– webDiff, find differences between a local and a remote directory.
– wsdlFinder, find and parse WSDL and DISCO files.

Grep
– collectCookies
– directoryIndexing
– findComments
– pathDisclosure
– strangeHeaders
– grep for pages using ajax and report them
– domXss, find DOM cross site scripting vulnerabilities.
– errorPages, search for error pages that are too descriptive.
– fileUpload, find forms with file upload capabilities.
– getMails
– http authentication detection
– objects detection
– privateIP disclosure detection
– wsdlGreper, greps every page searching for WSDL documents.
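
As an added illustration (not w3af's own code), the following shows the kind of check a grep plugin such as the privateIP disclosure detection above performs: it scans raw HTTP responses for internal addresses that a server or its error pages leak. The sample responses are constructed for the example.

```python
"""Grep-style check for private IP disclosure in HTTP responses.

Added example of what a w3af-style "privateIP" grep plugin looks for;
this is not w3af's own code. Sample responses below are constructed.
"""
import ipaddress
import re

# Candidate dotted-quad tokens; the ipaddress module validates each one,
# so "999.1.1.1" or a version string never becomes a finding.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_private_ips(response_text):
    """Return the sorted RFC 1918 / loopback / link-local IPv4 addresses
    that appear anywhere (headers or body) in a raw HTTP response."""
    found = set()
    for token in _IPV4_RE.findall(response_text):
        try:
            addr = ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            continue  # octet out of range, e.g. 999.1.1.1
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            found.add(str(addr))
    return sorted(found)


def grep_responses(responses):
    """Map URL -> leaked private IPs, keeping only responses that leak."""
    report = {}
    for url, raw in responses:
        ips = find_private_ips(raw)
        if ips:
            report[url] = ips
    return report


# Constructed sample responses (hypothetical host example.test).
SAMPLE_RESPONSES = [
    ("http://example.test/app/status",
     "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Backend-Server: 10.0.3.17\r\n\r\n"
     "<html><!-- balancer node 192.168.1.5 --><p>build 1.2.3.4</p></html>"),
    ("http://example.test/",
     "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>Welcome</html>"),
    ("http://example.test/debug",
     "HTTP/1.1 500 Internal Server Error\r\n\r\n"
     "connect to db at 172.16.8.2:3306 failed; version 10.11.2 build 999.1.1.1"),
]

if __name__ == "__main__":
    for url, ips in grep_responses(SAMPLE_RESPONSES).items():
        print(f"{url}: private IP disclosure {', '.join(ips)}")
```

The public address 1.2.3.4 and the non-address tokens in the sample are deliberately left unreported, which is the false-positive case such a plugin has to handle.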

Output
– console
– htmlFile
– textFile

Mangle
– sed, a stream editor for HTTP requests and responses.

Evasion
– reversedSlashes
– rndCase
– rndHexEncode
– rndParam
– rndPath
– selfReference

Attack
– davShell
– fileUploadShell
– googleProxy
– localFileReader
– mysqlWebShell
– osCommandingShell
– remoteFileIncludeShell
– rfiProxy
– sqlmap
– xssBeef

The framework is extended using plugins and is completely written in python. More info can be found at: http://w3af.sf.net/
