The w3af core and it’s plugins are fully written in python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much

Finally it’s out of BETA and RC and there’s now a stable core for the codebase.

New in v1.1

• Considerably increased performance by implementing gzip encoding
• Enhanced embedded bug report system using Trac’s XMLRPC
• Fixed hundreds of bugs
• Fixed critical bug in auto-update feature
• Enhanced integration with other tools (bug fixed and addedmore info to the file)

You can download w3af v1.1 here:

w3af-1.1.tar.bz2

Or you can read more here.

Netsparker is a Web Application Security Scanner that claims to be False-Positive Free. The developers thought that if you need to investigate every single identified issue manually what’s the point of having an automated scanner? So they developed a new technology which can confirm vulnerabilities on demand which allowed us to develop the first false positive free web application security scanner.

When Netsparker identifies an SQL Injection, it can identify how to exploit it automatically and extract the version information from the application. When the version is successfully extracted Netsparker will report the issue as confirmed so that you can make sure that the issue is not a false-positive.

Same applies to other vulnerabilities such as XSS (Cross-site Scripting) where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will actually get executed in the browser.

Thanks to its comprehensive and powerful JavaScript engine it’s possible to simulate a real attacker successfully. This means it can successfully analyse websites that rely on AJAX and JavaScript.

You don’t need to be a security expert, get training or read a long manual to start. Since the user interface is easy to use and can confirm and show you the impact, you can just fire it up and start using it.

You can download Netsparker – Community Edition here:

NetSparkerCommunityEditionSetup.exe

Or read more here.

As you all seem to pretty interested in Inguma, there’s something else similar called w3af – the fifth BETA was released a while back and the team are now working on the sixth.

w3af is a Web application attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and

We did mention when it was first released – w3af – Web Application Attack and Audit Framework.

There are a lot of small changes, but the basic and bigger ones are:

• Virtual daemon, a way to use Metasploit framework payloads/shellcodes while exploiting web applications.
• w3afAgent, a reverse VPN that allows you to route packets through the compromised server
• Good samaritan, a module that allows you to exploit blind sql injections much faster
• 20+ new plugins
• A lot of bug fixes
• A much more stable core.

A full plugin list is here:

w3af – Plugins

The users guide can be found here:

w3afUsersGuide.pdf

The author has also uploaded the presentation material he made for the T2 conference in Finland – this can serve as a good introduction.

w3af-T2.pdf

You can download w3af here:

w3af BETA5

Or read more here.

A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

• SQL injection detection
• XSS detection
• SSI detection
• Local file include detection
• Remote file include detection
• Buffer Overflow detection
• Format String bugs detection
• OS Commanding detection
• Response Splitting detection
• LDAP Injection detection
• Basic Authentication bruteforce
• File upload inside webroot
• htaccess LIMIT misconfiguration
• SSL certificate validation
• XPATH injection detection
• unSSL (HTTPS documents can be fetched using HTTP)

Discovery

• Pykto, a nikto port to python
• Hmap, http fingerprinting.
• fingerGoogle, finds valid user accounts in google.
• googleSpider, a spider that uses google.
• webSpider, a classic web spider.
• robotsReader
• urlFuzzer
• serverHeader, fetches server header
• allowedMethods, gets a list of allowed HTTP methods.
• crossDomain, get and parse the flash file crossdomain.xml
• error404page, generate a regular expression to match 404 pages.
• sitemapReader, read googles sitemap.xml and parse it.
• spiderMan, using a localproxy and a human, find new URLs for auditing.
• webDiff, find differences between a local and a remote directory.
• wsdlFinder, find and parse WSDL and DISCO files.

The framework is extended using plug-ins and is completely written in Python.

You can download w3af here:

w3af BETA 4

Or read more here.