
Full Disclosure mailing list archives

[TOOL] w3af - Web Application Attack and Audit Framework
From: "Andres Riancho" <andres.riancho () gmail com>
Date: Sun, 10 Jun 2007 15:20:29 -0300

List,

    I'm glad to present w3af (Web Application Attack and Audit
Framework), a fully automated auditing and exploiting framework for
the web. This framework has been developed for almost a year and has
the following features:

    Audit
         - SQL injection detection
         - XSS detection
         - SSI detection
         - Local file include detection
         - Remote file include detection
         - Buffer Overflow detection
         - Format String bugs detection
         - OS Commanding detection
         - Response Splitting detection
         - LDAP Injection detection
         - Basic Authentication bruteforce
         - File upload inside webroot
         - htaccess LIMIT misconfiguration
         - SSL certificate validation
         - XPATH injection detection
         - unSSL (HTTPS documents can be fetched using HTTP)
         - dav

    Discovery
         - Pykto, a nikto port to python
         - Hmap, http fingerprinting.
         - fingerGoogle, finds valid user accounts in google.
         - googleSpider, a spider that uses google.
         - webSpider, a classic web spider.
         - robotsReader
         - urlFuzzer
         - serverHeader, fetches server header
         - allowedMethods, gets a list of allowed HTTP methods.
         - crossDomain, get and parse the flash file crossdomain.xml
         - error404page, generate a regular expression to match 404 pages.
         - sitemapReader, read Google's sitemap.xml and parse it.
         - spiderMan, using a local proxy and a human, find new URLs for auditing.
         - webDiff, find differences between a local and a remote directory.
         - wsdlFinder, find and parse WSDL and DISCO files.

    Grep
         - collectCookies
         - directoryIndexing
         - findComments
         - pathDisclosure
         - strangeHeaders
         - grep for pages using ajax and report them
         - domXss, find DOM cross site scripting vulnerabilities.
         - errorPages, search for error pages that are too descriptive.
         - fileUpload, find forms with file upload capabilities.
         - getMails
         - http authentication detection
         - objects detection
         - privateIP disclosure detection
         - wsdlGreper, greps every page searching for WSDL documents.

    Output
         - console
         - htmlFile
         - textFile

    Mangle
         - sed, a stream editor for HTTP requests and responses.

    Evasion
         - reversedSlashes
         - rndCase
         - rndHexEncode
         - rndParam
         - rndPath
         - selfReference

    Attack
         - davShell
         - fileUploadShell
         - googleProxy
         - localFileReader
         - mysqlWebShell
         - osCommandingShell
         - remoteFileIncludeShell
         - rfiProxy
         - sqlmap
         - xssBeef

The framework is extended using plugins and is completely written in
Python. More info can be found at: http://w3af.sf.net/

Cheers,

-- 
Andres Riancho
http://w3af.sourceforge.net/ Web App Attack and Audit Framework

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

