The Web Application Attack and Audit Framework (w3af) is an open source Python framework for auditing and exploiting web applications.
Some of the major features of w3af are:
1. Its plugins communicate with each other. For example, the discovery plugin in w3af looks for different URLs to test and passes them on to the audit plugin, which then uses these URLs to search for vulnerabilities.
2. It can be configured to run as an intercepting proxy.
3. It can exploit the web application vulnerabilities it finds.
4. Output can be written to:
– Text, CSV, HTML and XML files
– Email
w3af has two user interfaces, the console user interface and the graphical user interface. This guide focuses on the console user interface, where it is easier to explain the framework's features.
Running w3af in console user interface
After installation, run the console UI by executing:
$ ./w3af_console
w3af>>>
Run the help command to see all the commands for configuring framework and plugin settings, launching scans and ultimately exploiting a vulnerability.
You can also use help <command> to show detailed help for that command.
In this article we discuss how to configure and run a web application audit in the console user interface.
1. Configure the target
Configure the target you want to audit.
In the target menu, run the command set target TARGET_URL
You can also press the Tab key to view all the commands available in the current menu.
2. Configure the audit profile
w3af comes with several profiles whose plugins are already properly configured to run an audit. To use a profile, run the command use PROFILE_NAME in the profiles menu.
For example, to use the OWASP_TOP10 profile:
w3af/profiles>>> use OWASP_TOP10
– bruteforce: Bruteforce form or basic authentication access controls using default credentials. To run this profile, set the target URL to the resource where the access control is, and then click on Start.
– audit_high_risk: Perform a scan to only identify the vulnerabilities with higher risk, like SQL Injection, OS Commanding, Insecure File Uploads, etc.
– full_audit: This profile performs a full audit of the target website, using only the web_spider plugin for crawling.
– OWASP_TOP10: The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. OWASP searched for and published the ten most common security flaws. This profile searches for these top 10 security flaws. For more information about the security flaws: http://www.owasp.org/index.php/OWASP_Top_Ten_Project .
– fast_scan: Perform a fast scan of the target site, using only a few discovery plugins and the fastest audit plugins.
– empty_profile: This is an empty profile that you can use to start a new configuration from.
– web_infrastructure: Use all the available techniques in w3af to fingerprint the remote Web infrastructure.
– full_audit_spider_man: Perform a manual discovery using the spider_man plugin, and afterwards scan the site for any known vulnerabilities.
– sitemap: Use different online techniques to create a fast sitemap of the target web application. This profile will only work if you have internet access and the target web application is being spidered by Yahoo!
3. Configure plugins
If you use empty_profile, w3af does not enable any plugins, so this step is required before running an audit or exploit.
3.1 Configure audit plugins
– To enable all audit plugins, run the command audit all; to enable only the plugins you want, run audit plugin1, plugin2
w3af/plugins>>> audit all
– To see information about a plugin, run the command audit desc PLUGIN_NAME
w3af/plugins>>> audit desc file_upload
3.2 Configure output plugins
– Configure console output: By default w3af writes results to the console with verbose output enabled, but with verbose output enabled you cannot easily see the vulnerabilities in the output.
To disable verbose mode, run the command set verbose False in the configuration of the console output plugin. Once the plugin and framework configuration is set, you must save it (run the save command) before going back to run the audit.
– Configure output to an HTML file
4. Configure HTTP settings
You can provide HTTP settings to tune w3af in the http-settings menu:
5. Run the audit
After configuration, go back to the w3af menu and run the command start to begin the audit.
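The five steps above can also be written once as a w3af console script and replayed with the console's -s option (./w3af_console -s audit.w3af). The script below is an added example for this post, not the author's or the w3af project's own; the target URL and report path are placeholders, it assumes lines starting with # are ignored by the script runner, and the html_file option name output_file is assumed (check it with the view command inside output config html_file). In the w3af version this post describes the crawler plugins are the discovery type; newer releases call the same type crawl.

```text
# Constructed example: audit.w3af, replayed with ./w3af_console -s audit.w3af
# Step 1: configure the target (placeholder URL)
target
set target http://target.example/
save
back
# Step 3: enable plugins (empty_profile enables none by default)
plugins
discovery web_spider
audit sqli, xss, file_upload
output console, html_file
# Step 3.2: turn off verbose console output so findings are visible
output config console
set verbose False
save
back
# Step 3.2: write the report to an HTML file (option name assumed)
output config html_file
set output_file /tmp/w3af-report.html
save
back
back
# Step 5: run the audit from the top-level menu, then leave the console
start
exit
```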
Below is an example of the output saved to an HTML file.
The above is a guide to running w3af in the console user interface to audit your web application; I hope it helps you ensure the security of your application.