w3af – Web Application Attack and Audit Framework

Use Netsparker


A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

  • SQL injection detection
  • XSS detection
  • SSI detection
  • Local file include detection
  • Remote file include detection
  • Buffer Overflow detection
  • Format String bugs detection
  • OS Commanding detection
  • Response Splitting detection
  • LDAP Injection detection
  • Basic Authentication bruteforce
  • File upload inside webroot
  • htaccess LIMIT misconfiguration
  • SSL certificate validation
  • XPATH injection detection
  • unSSL (HTTPS documents can be fetched using HTTP)

Discovery

  • Pykto, a nikto port to python
  • Hmap, http fingerprinting.
  • fingerGoogle, finds valid user accounts in google.
  • googleSpider, a spider that uses google.
  • webSpider, a classic web spider.
  • robotsReader
  • urlFuzzer
  • serverHeader, fetches server header
  • allowedMethods, gets a list of allowed HTTP methods.
  • crossDomain, get and parse the flash file crossdomain.xml
  • error404page, generate a regular expression to match 404 pages.
  • sitemapReader, read googles sitemap.xml and parse it.
  • spiderMan, using a localproxy and a human, find new URLs for auditing.
  • webDiff, find differences between a local and a remote directory.
  • wsdlFinder, find and parse WSDL and DISCO files.

The framework is extended using plug-ins and is completely written in Python.

You can download w3af here:

w3af BETA 4

Or read more here.

Posted in: Database Hacking, Hacking Tools, Web Hacking

, , , , , , ,


Latest Posts:


dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.


2 Responses to w3af – Web Application Attack and Audit Framework

  1. TheRealDonQuixote August 22, 2007 at 11:42 am #

    So far its been easy to install all the libs in Kubuntu. I like all the toys, and I haven’t hit a bug yet!! This might be a bit too easy…

    I wonder when they are going to get out of beta?

  2. Sandeep Nain August 31, 2007 at 2:03 am #

    Wowwww…

    This is a big step in web application security field.. Its gonna make the life of pen testers very easy.

    I’m gonna try this for sure..