Embed Size (px)
Citation preview
Penetration testing – W3AF
ToolPinzariu Marian – MISS 2
George Blendea – MISS 2
W3AF – About
•W3AF = Web Application Attack and Audit Framework• Started in 2006 as an Open Source Project• Licensed under GPLv2.0• Entirely written using Python• Recently the adopted development process was TDD
(Test Driven Development)
W3AF – Objectives
• Create the biggest community of Web Application Hackers• Become the best Open Source Web Application Scanner• Become the best Web Application Exploitation
Framework• Combine static code analysis and black box testing into
one framework
W3AF – Extensible with Plugins
W3AF – Vulnerability Detection (Over 200)
• SQL Injection• Cross Site Scripting/Cross-Site Request Forgery• DOM XSS• Buffer Overflow• Brute Force Authentication• Click Jacking• Cross Domain• Command Injection• XPath Injection•… and so on
W3AF – Supported Platforms
• All Python supported platforms• Has been tested in various Linux Distributions, Mac OSX,
FreeBSD and OpenBSD•Windows compatible, but not officially supported
W3AF – Ranking on sectools.org
• From 125 tools
W3AF – Installation
W3AF Usage – Find XSS and SQL injections• 1) Set Target URL
• 2) Activate plugins for vulnerabilities that we want to detect
W3AF Usage – Find XSS and SQL injections
• 3) Save current settings (Optional)
W3AF Usage – Find XSS and SQL injections
• 4) Click “Play” and explore the results
W3AF Usage – Find XSS and SQL injections
USE CASE 1 – FULL AUDIT
• Contains scans for a number of vulnerabilities
• Xss, sqli, csrf, brute force
USE CASE 1 – FULL AUDIT
• Results are offered in tree view after scan is completed
USE CASE 1 – FULL AUDIT
• Request and location is indicated
alongside the tree view
USE CASE 1 – FULL AUDIT
• The w3af UI also returns an URL
map on scan completion
USE CASE 2 – BRUTE FORCE – CONSOLE INTERFACE• The console interface is straightforward
• For performing a bruteforce vulnerability scan the brutefoce plugins have to be enabled
• Auth plugins can also be enabled for a deeper scan
USE CASE 2 – BRUTE FORCE – CONSOLE INTERFACE
• Once the target is set we can run
the scan
W3AF – Comparison with other tools
•W3AF, Wapiti, Arachni, Websecurify, JSky
W3AF – Comparison with other tools
W3AF – Comparison with other tools
W3AF – Comparison with other tools
• 3/4
W3AF – Comparison with other tools
• Place 5/5
W3AF – Advantages/Disadvantages
• Advantage: very modular and flexible (python plugins are easy to integrate)
• Disadvantage: not mature enough (number of false negatives is still high - 2011)
Thank you for your time!
