Full Disclosure mailing list archives
[TOOL] w3af - Web Application Attack and Audit Framework
From: "Andres Riancho" <andres.riancho () gmail com>
Date: Sun, 10 Jun 2007 15:20:29 -0300
List, I'm glad to present w3af ( Web Application Attack and Audit Framework ) , a fully automated auditing and exploiting framework for the web. This framework has been developed for almost a year and has the following features: Audit - SQL injection detection - XSS detection - SSI detection - Local file include detection - Remote file include detection - Buffer Overflow detection - Format String bugs detection - OS Commanding detection - Response Splitting detection - LDAP Injection detection - Basic Authentication bruteforce - File upload inside webrot - htaccess LIMIT misconfiguration - SSL certificate validation - XPATH injection detection - unSSL (HTTPS documents can be fetched using HTTP) - dav Discovery - Pykto, a nikto port to python - Hmap, http fingerprinting. - fingerGoogle, finds valid user accounts in google. - googleSpider, a spider that uses google. - webSpider, a classic web spider. - robotsReader - urlFuzzer - serverHeader, fetches server header - allowedMethods, gets a list of allowed HTTP methods. - crossDomain, get and parse the flash file crossdomain.xml - error404page, generate a regular expression to match 404 pages. - sitemapReader, read googles sitemap.xml and parse it. - spiderMan, using a localproxy and a human, find new URLs for auditing. - webDiff, find differences between a local and a remote directory. - wsdlFinder, find and parse WSDL and DISCO files. Grep - collectCookies - directoryIndexing - findComments - pathDisclosure - strangeHeaders - grep for pages using ajax and report them - domXss, find DOM cross site scripting vulnerabilities. - errorPages, search for eror pages that are too descriptive. - fileUpload, find forms with file upload capabilities. - getMails - http authentication detection - objects detection - privateIP disclosure detection - wsdlGreper, greps every page searching for WSDL documents. Output - console - htmlFile - textFile Mangle - sed, a stream editor for HTTP requests and responses. Evasion - reversedSlashes - rndCase - rndHexEncode - rndParam - rndPath - selfReference Attack - davShell - fileUploadShell - googleProxy - localFileReader - mysqlWebShell - osCommandingShell - remoteFileIncludeShell - rfiProxy - sqlmap - xssBeef The framework is extended using plugins and is completely written un python. More info can be found at: http://w3af.sf.net/ Cheers, -- Andres Riancho http://w3af.sourceforge.net/ Web App Attack and Audit Framework _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [TOOL] w3af - Web Application Attack and Audit Framework Andres Riancho (Jun 10)