w3af – Web Application Attack and Audit Framework

[ad]

A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

• SQL injection detection
• XSS detection
• SSI detection
• Local file include detection
• Remote file include detection
• Buffer Overflow detection
• Format String bugs detection
• OS Commanding detection
• Response Splitting detection
• LDAP Injection detection
• Basic Authentication bruteforce
• File upload inside webroot
• htaccess LIMIT misconfiguration
• SSL certificate validation
• XPATH injection detection
• unSSL (HTTPS documents can be fetched using HTTP)

Discovery

• Pykto, a nikto port to python
• Hmap, http fingerprinting.
• fingerGoogle, finds valid user accounts in google.
• googleSpider, a spider that uses google.
• webSpider, a classic web spider.
• robotsReader
• urlFuzzer
• serverHeader, fetches server header
• allowedMethods, gets a list of allowed HTTP methods.
• crossDomain, get and parse the flash file crossdomain.xml
• error404page, generate a regular expression to match 404 pages.
• sitemapReader, read googles sitemap.xml and parse it.
• spiderMan, using a localproxy and a human, find new URLs for auditing.
• webDiff, find differences between a local and a remote directory.
• wsdlFinder, find and parse WSDL and DISCO files.

The framework is extended using plug-ins and is completely written in Python.

You can download w3af here:

w3af BETA 4

Or read more here.