W3AF – Comparison with other tools

January 5, 2018 | Author: Anonymous

Penetration testing – W3AF Tool
Pinzariu Marian – MISS 2
George Blendea – MISS 2

W3AF – About

• W3AF = Web Application Attack and Audit Framework
• Started in 2006 as an Open Source project
• Licensed under GPLv2.0
• Entirely written in Python
• The development process recently adopted is TDD (Test Driven Development)

W3AF – Objectives

• Create the biggest community of Web Application Hackers
• Become the best Open Source Web Application Scanner
• Become the best Web Application Exploitation Framework
• Combine static code analysis and black box testing into one framework

W3AF – Extensible with Plugins

W3AF – Vulnerability Detection (Over 200)

• SQL Injection
• Cross-Site Scripting / Cross-Site Request Forgery
• DOM XSS
• Buffer Overflow
• Brute Force Authentication
• Clickjacking
• Cross Domain
• Command Injection
• XPath Injection
• … and so on

W3AF – Supported Platforms

• All platforms supported by Python
• Has been tested on various Linux distributions, Mac OS X, FreeBSD and OpenBSD
• Windows compatible, but not officially supported

W3AF – Ranking on sectools.org

• From 125 tools

W3AF – Installation

W3AF Usage – Find XSS and SQL injections

• 1) Set Target URL
• 2) Activate plugins for the vulnerabilities that we want to detect
• 3) Save current settings (optional)
• 4) Click “Play” and explore the results

USE CASE 1 – FULL AUDIT

• Contains scans for a number of vulnerabilities: XSS, SQLi, CSRF, brute force
• Results are offered in a tree view after the scan is completed
• Request and location are indicated alongside the tree view
• The w3af UI also returns a URL map on scan completion

USE CASE 2 – BRUTE FORCE – CONSOLE INTERFACE

• The console interface is straightforward
• For performing a brute force vulnerability scan the bruteforce plugins have to be enabled
• Auth plugins can also be enabled for a deeper scan
• Once the target is set we can run the scan
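The four GUI steps above (target, plugins, save, play) and the console use case map onto a w3af console script, which is the text-file form of a saved profile. The block below is an added example, not part of the presentation or of the w3af project: it writes such a script enabling the `web_spider` crawl plugin plus the `xss` and `sqli` audit plugins, then runs it with `w3af_console -s`. `TARGET_URL` is a placeholder for an application you are authorised to assess, and the report path is an assumption. For use case 2, the `bruteforce` line (commented out) replaces the `audit` line.

```shell
#!/bin/sh
# Added example (not the presentation's own material): the w3af
# console-script equivalent of the four GUI steps.
# Assumptions: w3af_console is on PATH; TARGET_URL is a placeholder
# pointing at an application you are authorised to test.

TARGET_URL="${TARGET_URL:-http://target.example/}"   # placeholder target
REPORT_FILE="${REPORT_FILE:-/tmp/w3af-xss-sqli.txt}" # assumed report path

# Step 2 + step 1: write the plugin selection and the target into a
# w3af script. Lines beginning with '#' are comments in w3af scripts.
write_w3af_script() {
    script="$1"
    cat > "$script" <<EOF
# Step 2: enable only the checks we want
plugins
crawl web_spider
audit xss,sqli
# Use case 2 would enable the brute force checks instead:
# bruteforce basic_auth,form_auth
output console,text_file
output config text_file
set output_file $REPORT_FILE
set verbose True
back
back

# Step 1: set the target URL
target
set target $TARGET_URL
back

# Step 4: "Play"
start
exit
EOF
}

# Step 3 (optional): the script file is the saved settings; keep it in
# version control next to the application it tests.

# Step 4: run the scan non-interactively from the console interface.
run_scan() {
    w3af_console -s "$1"
}

# Usage: TARGET_URL=http://localhost:8080/ sh w3af_scan.sh --run
if [ "${1:-}" = "--run" ]; then
    write_w3af_script /tmp/xss-sqli.w3af
    run_scan /tmp/xss-sqli.w3af
fi
```

The report file written by the `text_file` output plugin is what you would review after the scan, in place of the GUI tree view.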

W3AF – Comparison with other tools

• W3AF, Wapiti, Arachni, Websecurify, JSky
• 3/4
• Place 5/5

W3AF – Advantages/Disadvantages

• Advantage: very modular and flexible (Python plugins are easy to integrate)
• Disadvantage: not mature enough (number of false negatives is still high - 2011)

Thank you for your time!
