The Web Application Attack and Audit Framework (w3af) is an open source framework for auditing and exploitation of web applications. For businesses whose IT budgets aren’t hefty enough to purchase proprietary, enterprise-class tools like IBM Security AppScan or Cenzic Hailstorm (now Trustwave App Scanner Enterprise), w3af is also highly effective and the price is right.
You can use w3af to identify over 200 vulnerabilities to reduce your site’s risk exposure. The framework is “proudly developed using Python and is easy to use and extend.”
In this post I’ll illustrate some of the features of w3af, and show you how to use to scan an application using the command line interface (CLI). w3af is a powerful and popular tool that is comparatively easy to use and extend.
In this article we will demonstrate of a scanning an application using CLI, overview of different plugins and how communication happens between different plugins.
w3af has a number of plugins, which can communicate with one another. For example, the Discovery plugin can identify different URLs for the application and pass its results to the Audit plugin, which can then use the URLs to search for vulnerabilities. The Exploit plugin can then be used to exploit any identified vulnerabilities.
w3af has a wide range of features, including fuzzing and manual request generation (great for manual web app testing). It can also be configured as a “man-in-the-middle” proxy, so that intercepted requests can be sent to the request generator to support manual web app testing.
To open up the w3af console, type the command shown below. You may be asked to update the w3af repository.
To list the available commands. type “help”:
To list the available plugins, type “plugins.” To see the list of command options available for a plugin, type the plugin name. For example, typing “keys” shows you the list of shortcut keys in w3af:
To get a help listing for any plugin, just type “help <PluginName>.” For example, to get details on the Discovery plugin, type “help Discovery”:
Discovery: The Discovery plugins crawls the specified application and finds URLs and forms that can be used by other plugins to locate vulnerabilities. There are many Discovery plugins available; e.g., spiderMan, hmap, googleSpider and so on. You can enable one or more plugins as needed. To see list of discovery plugins, just type “discovery.”
To get the information on the certain plugin we can type “discovery desc <pluginaname>.” For instance, if you want to see description for plugin xssedDotCom, type “discovery desc xssedDotCom.”
Some other commonly used discovery commands include:
- To enable more than one plugin: discovery plugin1, plugin2
- To enable all plugins: discovery all
- Removes all enabled plugins: discovery !all
- List enabled plugins: list discovery enabled
Audit: The Audit plugin identifies vulnerabilities on the URLs identified by the Discovery plugin. The Audit plugin can test for different types of vulnerabilities, like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc. It performs its tests by injecting different sets of strings and verifying the responses.
To get information about the XSS plugin, type “audit desc xss.”
As the screen shot above shows, there are two configurable parameters available for the XSS plugin. To set numberOfChecks to a high number, type this command:
Grep: The Grep plugin works similarly to passive scanning, and helps to find interesting information by analyzing request and response. It can find out information like credit card information, forms with file upload functionality, email addresses, and so on. You can configure the various Grep plugins per your requirements. But make sure you enable the Discovery plugin; otherwise the Grep plugin will be of little use since it can only analyze request and response.
Output: The Output plugin can help you to see the results of your scans in various formats. w3af supports multiple formats, including XML, Console, HTML, text, and more. Different configuration parameters are available, like filename, verbosity, etc. For example, set Verbose to True to get detailed output on the scanned application.
Hopefully this brief introduction will encourage you to try running w3af against your applications, if only to get a sense of what vulnerabilities you need to address. That said, application vulnerability testing and exploitation is a professional specialty.
Depending on the information security risk associated with an application it’s often a good idea to engage a skilled third party to scan your critical applications or even review the source code. For more information, contact Pivot Point Security.