Penetration testing – W3AF Tool

Pinzariu Marian – MISS 2

George Blendea – MISS 2


W3AF – About

• W3AF = Web Application Attack and Audit Framework
• Started in 2006 as an Open Source Project
• Licensed under GPLv2.0
• Entirely written in Python
• Recently the adopted development process became TDD (Test Driven Development)

W3AF – Objectives

• Create the biggest community of Web Application Hackers
• Become the best Open Source Web Application Scanner
• Become the best Web Application Exploitation Framework
• Combine static code analysis and black box testing into one framework

W3AF – Extensible with Plugins

W3AF – Vulnerability Detection (Over 200)

• SQL Injection
• Cross Site Scripting / Cross-Site Request Forgery
• DOM XSS
• Buffer Overflow
• Brute Force Authentication
• Click Jacking
• Cross Domain
• Command Injection
• XPath Injection
• … and so on

W3AF – Supported Platforms

• All Python supported platforms
• Has been tested in various Linux Distributions, Mac OSX, FreeBSD and OpenBSD
• Windows compatible, but not officially supported

W3AF – Ranking on sectools.org

• From 125 tools

W3AF – Installation

W3AF Usage – Find XSS and SQL injections

• 1) Set Target URL
• 2) Activate plugins for the vulnerabilities that we want to detect
• 3) Save current settings (Optional)
• 4) Click “Play” and explore the results

USE CASE 1 – FULL AUDIT

• Contains scans for a number of vulnerabilities
• XSS, SQLi, CSRF, brute force
• Results are offered in a tree view after the scan is completed
• Request and location are indicated alongside the tree view
• The w3af UI also returns a URL map on scan completion

USE CASE 2 – BRUTE FORCE – CONSOLE INTERFACE

• The console interface is straightforward
• For performing a brute force vulnerability scan the bruteforce plugins have to be enabled
• Auth plugins can also be enabled for a deeper scan
• Once the target is set we can run the scan
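The four GUI steps (target, plugins, settings, play) expressed for the console interface described above, as an added example that is not part of the slides: a w3af console script, run with `w3af_console -s audit-xss-sqli.w3af`, that enables the web_spider crawler and the xss and sqli audit plugins, writes a text report, and scans the target. The target URL and report path are placeholders to be replaced with the application under test.

```text
# Constructed example script for w3af_console (run as: w3af_console -s audit-xss-sqli.w3af)
# Step 2) Activate plugins: report to console and a text file, crawl, then audit for XSS and SQLi
plugins
output console,text_file
output config text_file
set output_file /tmp/w3af-xss-sqli.txt
back
crawl web_spider
audit xss sqli
back
# Step 1) Set the target URL (placeholder; replace with the application being tested)
target
set target http://target.example/
back
# Step 4) Start the scan; findings appear on the console and in the text_file report
start
exit
```

Step 3 (saving the settings) corresponds to the console's profile handling, which is left out here so the script stays limited to the commands shown above.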

W3AF – Comparison with other tools

• W3AF, Wapiti, Arachni, Websecurify, JSky
• 3/4
• Place 5/5

W3AF – Advantages/Disadvantages

• Advantage: very modular and flexible (python plugins are easy to integrate)

• Disadvantage: not mature enough (number of false negatives is still high - 2011)

Thank you for your time!
