
w3af - Web Application Attack and Audit Framework



List,

    I'm glad to present w3af (Web Application Attack and Audit
Framework), a fully automated auditing and exploiting framework for
the web. This framework has been developed for almost a year and has
the following features:

   Audit
         - SQL injection detection
         - XSS detection
         - SSI detection
         - Local file include detection
         - Remote file include detection
         - Buffer Overflow detection
         - Format String bugs detection
         - OS Commanding detection
         - Response Splitting detection
         - LDAP Injection detection
         - Basic Authentication bruteforce
         - File upload inside webroot
         - htaccess LIMIT misconfiguration
         - SSL certificate validation
         - XPATH injection detection
         - unSSL (HTTPS documents can be fetched using HTTP)
         - dav

    Discovery
         - Pykto, a Nikto port to Python
         - Hmap, HTTP fingerprinting.
         - fingerGoogle, finds valid user accounts in Google.
         - googleSpider, a spider that uses Google.
         - webSpider, a classic web spider.
         - robotsReader
         - urlFuzzer
         - serverHeader, fetches the server header
         - allowedMethods, gets a list of allowed HTTP methods.
         - crossDomain, gets and parses the Flash file crossdomain.xml
         - error404page, generates a regular expression to match 404 pages.
         - sitemapReader, reads Google's sitemap.xml and parses it.
         - spiderMan, using a local proxy and a human, finds new URLs
for auditing.
         - webDiff, finds differences between a local and a remote directory.
         - wsdlFinder, find and parse WSDL and DISCO files.

    Grep
         - collectCookies
         - directoryIndexing
         - findComments
         - pathDisclosure
         - strangeHeaders
         - greps for pages using AJAX and reports them
         - domXss, find DOM cross site scripting vulnerabilities.
         - errorPages, search for error pages that are too descriptive.
         - fileUpload, find forms with file upload capabilities.
         - getMails
         - HTTP authentication detection
         - objects detection
         - privateIP disclosure detection
         - wsdlGreper, greps every page searching for WSDL documents.

    Output
         - console
         - htmlFile
         - textFile

    Mangle
         - sed, a stream editor for HTTP requests and responses.

    Evasion
         - reversedSlashes
         - rndCase
         - rndHexEncode
         - rndParam
         - rndPath
         - selfReference

    Attack
         - davShell
         - fileUploadShell
         - googleProxy
         - localFileReader
         - mysqlWebShell
         - osCommandingShell
         - remoteFileIncludeShell
         - rfiProxy
         - sqlmap
         - xssBeef

The framework is extended using plugins and is completely written in
Python. More info can be found at: http://w3af.sf.net/

Cheers,

-- 
Andres Riancho
http://w3af.sourceforge.net/ Web App Attack and Audit Framework
