WebApp Sec mailing list archives
[TOOL] w3af - Web Application Attack and Audit Framework
From: "Andres Riancho" <andres.riancho () gmail com>
Date: Sun, 10 Jun 2007 15:20:29 -0300
List, I'm glad to present w3af ( Web Application Attack and Audit Framework ) , a fully automated auditing and exploiting framework for the web. This framework has been developed for almost a year and has the following features: Audit - SQL injection detection - XSS detection - SSI detection - Local file include detection - Remote file include detection - Buffer Overflow detection - Format String bugs detection - OS Commanding detection - Response Splitting detection - LDAP Injection detection - Basic Authentication bruteforce - File upload inside webrot - htaccess LIMIT misconfiguration - SSL certificate validation - XPATH injection detection - unSSL (HTTPS documents can be fetched using HTTP) - dav Discovery - Pykto, a nikto port to python - Hmap, http fingerprinting. - fingerGoogle, finds valid user accounts in google. - googleSpider, a spider that uses google. - webSpider, a classic web spider. - robotsReader - urlFuzzer - serverHeader, fetches server header - allowedMethods, gets a list of allowed HTTP methods. - crossDomain, get and parse the flash file crossdomain.xml - error404page, generate a regular expression to match 404 pages. - sitemapReader, read googles sitemap.xml and parse it. - spiderMan, using a localproxy and a human, find new URLs for auditing. - webDiff, find differences between a local and a remote directory. - wsdlFinder, find and parse WSDL and DISCO files. Grep - collectCookies - directoryIndexing - findComments - pathDisclosure - strangeHeaders - grep for pages using ajax and report them - domXss, find DOM cross site scripting vulnerabilities. - errorPages, search for eror pages that are too descriptive. - fileUpload, find forms with file upload capabilities. - getMails - http authentication detection - objects detection - privateIP disclosure detection - wsdlGreper, greps every page searching for WSDL documents. Output - console - htmlFile - textFile Mangle - sed, a stream editor for HTTP requests and responses. Evasion - reversedSlashes - rndCase - rndHexEncode - rndParam - rndPath - selfReference Attack - davShell - fileUploadShell - googleProxy - localFileReader - mysqlWebShell - osCommandingShell - remoteFileIncludeShell - rfiProxy - sqlmap - xssBeef The framework is extended using plugins and is completely written un python. More info can be found at: http://w3af.sf.net/ Cheers, -- Andres Riancho http://w3af.sourceforge.net/ Web App Attack and Audit Framework ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack AttacksHackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
Current thread:
- [TOOL] w3af - Web Application Attack and Audit Framework Andres Riancho (Jun 10)