A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:
- SQL injection detection
- XSS detection
- SSI detection
- Local file include detection
- Remote file include detection
- Buffer Overflow detection
- Format String bugs detection
- OS Commanding detection
- Response Splitting detection
- LDAP Injection detection
- Basic Authentication bruteforce
- File upload inside webroot
- htaccess LIMIT misconfiguration
- SSL certificate validation
- XPATH injection detection
- unSSL (HTTPS documents can be fetched using HTTP)
- Pykto, a nikto port to python
- Hmap, http fingerprinting.
- fingerGoogle, finds valid user accounts in google.
- googleSpider, a spider that uses google.
- webSpider, a classic web spider.
- serverHeader, fetches server header
- allowedMethods, gets a list of allowed HTTP methods.
- crossDomain, get and parse the flash file crossdomain.xml
- error404page, generate a regular expression to match 404 pages.
- sitemapReader, read googles sitemap.xml and parse it.
- spiderMan, using a localproxy and a human, find new URLs for auditing.
- webDiff, find differences between a local and a remote directory.
- wsdlFinder, find and parse WSDL and DISCO files.
The framework is extended using plug-ins and is completely written in Python.
You can download w3af here:
Or read more here.
- Navy Sys Admin Hacks Into Databases From Aircraft Carrier
- aidSQL – PHP Application For SQL Injection Detection & Exploitation
- 1 Million Accounts Leaked From Banks, Government Agencies & Consultancy Firms
- w3af Fifth BETA for Download – Automated Web Auditing and Exploitation Framework
- w3af 1.0-rc3 Available For Download – Web Application Attack & Audit Framework
- w3af v1.1 Released For Download – Web Application Attack & Audit Framework
Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 69,570 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 53,700 views
- Absinthe Blind SQL Injection Tool/Software - 38,876 views