[TOOL] w3af - Web Application Attack and Audit Framework

["Andres Riancho" <andres.riancho () gmail com>]

List,

   I'm glad to present w3af ( Web Application Attack and Audit
Framework ) , a fully automated auditing and exploiting framework for
the web. This framework has been developed for almost a year and has
the following features:

  Audit
        - SQL injection detection
        - XSS detection
        - SSI detection
        - Local file include detection
        - Remote file include detection
        - Buffer Overflow detection
        - Format String bugs detection
        - OS Commanding detection
        - Response Splitting detection
        - LDAP Injection detection
        - Basic Authentication bruteforce
        - File upload inside webrot
        - htaccess LIMIT misconfiguration
        - SSL certificate validation
        - XPATH injection detection
        - unSSL (HTTPS documents can be fetched using HTTP)
        - dav

   Discovery
        - Pykto, a nikto port to python
        - Hmap, http fingerprinting.
        - fingerGoogle, finds valid user accounts in google.
        - googleSpider, a spider that uses google.
        - webSpider, a classic web spider.
        - robotsReader
        - urlFuzzer
        - serverHeader, fetches server header
        - allowedMethods, gets a list of allowed HTTP methods.
        - crossDomain, get and parse the flash file crossdomain.xml
        - error404page, generate a regular expression to match 404 pages.
        - sitemapReader, read googles sitemap.xml and parse it.
        - spiderMan, using a localproxy and a human, find new URLs
for auditing.
        - webDiff, find differences between a local and a remote directory.
        - wsdlFinder, find and parse WSDL and DISCO files.

   Grep
        - collectCookies
        - directoryIndexing
        - findComments
        - pathDisclosure
        - strangeHeaders
        - grep for pages using ajax and report them
        - domXss, find DOM cross site scripting vulnerabilities.
        - errorPages, search for eror pages that are too descriptive.
        - fileUpload, find forms with file upload capabilities.
        - getMails
        - http authentication detection
        - objects detection
        - privateIP disclosure detection
        - wsdlGreper, greps every page searching for WSDL documents.

   Output
        - console
        - htmlFile
        - textFile

   Mangle
        - sed, a stream editor for HTTP requests and responses.

   Evasion
        - reversedSlashes
        - rndCase
        - rndHexEncode
        - rndParam
        - rndPath
        - selfReference

   Attack
        - davShell
        - fileUploadShell
        - googleProxy
        - localFileReader
        - mysqlWebShell
        - osCommandingShell
        - remoteFileIncludeShell
        - rfiProxy
        - sqlmap
        - xssBeef

The framework is extended using plugins and is completely written un
python. More info can be found at: http://w3af.sf.net/

Cheers,

--
Andres Riancho
http://w3af.sourceforge.net/ Web App Attack and Audit Framework

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------