{"id":95,"date":"2008-09-24T14:45:24","date_gmt":"2008-09-24T19:45:24","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=95"},"modified":"2008-09-24T16:00:35","modified_gmt":"2008-09-24T21:00:35","slug":"w3af-a-framework-to-own-the-web-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/24\/w3af-a-framework-to-own-the-web-owasp-appsec-nyc-2008\/","title":{"rendered":"w3af: A framework to own the Web &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>This presentation on the w3af (Web Application Attack and Audit Framework) was by Andres Riancho (ariancho@cybsec.com) who is the project leader.\u00a0 w3af is an Open Source project (GPLv2).\u00a0 A script that evolved into a serious project.\u00a0 A vulnerability scanner.\u00a0 An exploitation tool.\u00a0 Found that the commercial tools were too pricey so developed a tool to make his job easier.<\/p>\n<p>Aims to find almost all web application vulnerabilities.\u00a0 Cross platform (written in Python).\u00a0 Uses tactical exploitation techniques to discover new URLs and vulnerabilities.\u00a0 GTK and console user interfaces.\u00a0 Web service support.\u00a0 Exploits [blind] SQL injection, OS commanding, remote file inclusion, local file inclusion, XSS, unsafe file uploads and more.\u00a0 WML support (WAP).\u00a0 Really easy to extend.\u00a0 Synergy among plugins.\u00a0 Can find vulnerabilities in the query string, POST data, URL filename, headers, file content (when uploading through forms) and web services.\u00a0 130 plugins and growing.\u00a0 Also supports manual analysis of web applications.<\/p>\n<p>w3af is divided into two main parts, the core and the plugins.\u00a0 The core coordinates the process and provides features that plugins consume.\u00a0 Plugins share information with each other through a knowledge base (KB).\u00a0 Design patterns and objects everywhere!\u00a0 Eight different types of plugin exist:<\/p>\n<ul>\n<li>Discovery Plugins: find new URLs and create the corresponding fuzzable requests (webSpider, urlFuzzer, googleSpider, pykto).\n<ul>\n<li>Discovery plugins run in a loop: the output of one discovery plugin is fed as input to the next.\u00a0 This continues until no plugin finds a new fuzzable request.<\/li>\n<li>Other discovery plugins fingerprint the remote httpd, enumerate the allowed HTTP methods, and check whether the remote site sits behind an HTTP load balancer.<\/li>\n<\/ul>\n<\/li>\n<li>Audit Plugins: take the output of the discovery plugins and look for vulnerabilities such as [blind] SQL injection, XSS and buffer overflows.<\/li>\n<li>Grep Plugins: grep every HTTP request and response for useful information.\u00a0 Examples are findComments, passwordProfiling, privateIP, directoryIndexing, getMails and lang.<\/li>\n<li>Attack Plugins: read the vulnerability objects from the KB and try to exploit them.<\/li>\n<li>Output Plugins: write messages to the console or to an HTML or text file.<\/li>\n<li>Mangle Plugins: modify requests and responses based on regular expressions.<\/li>\n<li>Evasion Plugins: modify requests to try to evade IDS detection.<\/li>\n<li>Bruteforce Plugins: try to brute-force logins.<\/li>\n<\/ul>\n<p>The presenter then demonstrated the w3af utility.\u00a0 Very clean-looking GUI, similar to many of the Linux GUIs available.\u00a0 Good use of tabs to separate the various outputs.\u00a0 I haven&#8217;t used it, but it looks fairly intuitive.\u00a0 It has the ability to create exploit shells (OS, SQL, etc.) just like I&#8217;ve seen with uber-expensive products like CoreImpact.\u00a0 Python statements can be embedded in HTTP requests to iterate through different pages.\u00a0 Some really useful graphing.<\/p>\n<ul>\n<li>archiveDotOrg plugin: searches archive.org for older versions of the site, i.e. links that were linked somewhere in the past and are now kept in the dark.\u00a0 Old and unmaintained sections are prone to vulnerabilities.<\/li>\n<li>Uses PHP easter eggs to fingerprint the remote PHP version.\u00a0 An old and almost forgotten technique, but an accurate one.\u00a0 Almost nobody disables the eggs (expose_php=off).<\/li>\n<li>Good Samaritan module: a faster (and funny) way to exploit blind SQL injections: &#8220;guiding the blind man&#8221;.<\/li>\n<li>Virtual Daemon: ever dreamed about using Metasploit payloads to exploit web applications?\u00a0 Now you can.\u00a0 He coded a Metasploit plugin that connects to a virtual daemon and sends it the payload.\u00a0 The virtual daemon is run by a w3af attack plugin; it receives the payload and creates a tiny ELF\/PE executable.<\/li>\n<li>w3afAgent: a reverse &#8220;VPN&#8221; that allows you to continue intruding into the target network.\u00a0 Send the w3afAgent client to the target host using a transfer handler (wget, tftp, echo).\u00a0 The client connects back to w3af, where the w3afAgent server runs a SOCKS daemon. (Just like CoreImpact!!!\u00a0 Freakin&#8217; sweet!)\u00a0 UDP traffic doesn&#8217;t work, but could.\u00a0 Raw sockets and sniffing won&#8217;t work.<\/li>\n<li>Web 2.0 support: w3af can analyze pages that make heavy use of JavaScript.\u00a0 The manual solution available for this is the spiderMan plugin, a local proxy daemon that analyzes the requests passing through it and creates fuzzable requests from them; the user needs to navigate the JavaScript sections of the site by hand.\u00a0 Supports JSON.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Future<\/strong><\/span><\/p>\n<ul>\n<li>Some level of JavaScript support (mozrepl)<\/li>\n<li>More stable core<\/li>\n<li>Fewer false positives\/negatives<\/li>\n<li>More attack plugins<\/li>\n<li>Better GTK user interface<\/li>\n<li>Better management report generation<\/li>\n<li>Long descriptions for vulnerabilities using OWASP attack information from the wiki<\/li>\n<\/ul>\n<p>Site: http:\/\/w3af.sf.net<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This presentation on the w3af (Web Application Attack and Audit Framework) was by Andres Riancho (ariancho@cybsec.com) who is the project leader.\u00a0 w3af is an Open Source project (GPLv2).\u00a0 A script that evolved into a serious project.\u00a0 A vulnerability scanner.\u00a0 An exploitation tool.\u00a0 Found that the commercial tools were too pricey so developed a tool to 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127],"tags":[76,148,149,147,12,622,146,102],"class_list":["post-95","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","tag-application","tag-attack","tag-audit","tag-framework","tag-owasp","tag-security","tag-w3af","tag-web"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1x","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/95","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=95"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/95\/revisions"}],"predecessor-version":[{"id":103,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/95\/revisions\/103"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=95"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=95"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=95"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
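Added example, not part of the post and not w3af's own code: a toy Python model of the core / plugin / knowledge-base design described in the plugin list above (discovery plugins looping to a fixed point, grep plugins reading every response, an audit plugin mutating each parameter of a fuzzable request, and all of them sharing one knowledge base). The plugin names echo the talk (webSpider, privateIP, getMails) but the functions, the `KnowledgeBase` and `FuzzableRequest` classes, the `.bak` fuzzer and the in-memory `FAKE_SITE` target are all constructed here so the scan runs offline; nothing of w3af's real API is reproduced.

```python
"""Toy model of the w3af core / plugin / knowledge-base design.

Added illustration, not w3af's own code: plugin names mirror the talk, but the
functions, the KnowledgeBase class and the fake HTTP server are constructed here.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed target site (path -> body). /search echoes its q parameter and
# answers a single quote with a database error, i.e. it is the injectable page.
FAKE_SITE = {
    "/": '<a href="/about">about</a> <a href="/search?q=test">search</a>',
    "/about": 'Contact: <a href="mailto:admin@example.com">admin@example.com</a> (node 10.0.0.5)',
    "/about.bak": '<a href="/old/admin">old admin</a>',  # forgotten backup, links to an old section
    "/old/admin": "Admin panel",
    "/search": "results for %s",
}

def fake_http_get(url):
    """Constructed transport that never touches the network: returns (status, body)."""
    parts = urlsplit(url)
    body = FAKE_SITE.get(parts.path)
    if body is None:
        return 404, "not found"
    if parts.path == "/search":
        q = dict(parse_qsl(parts.query)).get("q", "")
        if "'" in q:
            return 500, "You have an error in your SQL syntax near '%s'" % q
        return 200, body % q
    return 200, body

@dataclass(frozen=True)
class FuzzableRequest:
    """A URL plus query string; every query parameter is an injection point."""
    url: str

    def params(self):
        return dict(parse_qsl(urlsplit(self.url).query))

    def with_param(self, name, value):
        parts = urlsplit(self.url)
        q = self.params()
        q[name] = value
        return FuzzableRequest(urlunsplit(parts._replace(query=urlencode(q))))

class KnowledgeBase:
    """Shared store: discovery, grep and audit plugins all write and read here."""
    def __init__(self):
        self.items = {}

    def append(self, plugin, kind, value):
        self.items.setdefault((plugin, kind), set()).add(value)

    def get(self, plugin, kind):
        return self.items.get((plugin, kind), set())

# --- discovery plugins: FuzzableRequest -> list of new FuzzableRequests
def web_spider(freq, fetch, kb):
    """Follow every href on the page (mailto: links are skipped)."""
    base = urlsplit(freq.url)
    _, body = fetch(freq.url)
    out = []
    for href in re.findall(r'href="([^"]+)"', body):
        if href.startswith("mailto:"):
            continue
        h = urlsplit(href)
        out.append(FuzzableRequest(urlunsplit((base.scheme, base.netloc, h.path, h.query, ""))))
    return out

def backup_file_fuzzer(freq, fetch, kb):
    """Try <path>.bak for every known path; a hit is fed back into web_spider by the core."""
    base = urlsplit(freq.url)
    if base.path in ("", "/") or base.path.endswith(".bak"):
        return []
    cand = urlunsplit((base.scheme, base.netloc, base.path + ".bak", "", ""))
    status, _ = fetch(cand)
    return [FuzzableRequest(cand)] if status == 200 else []

# --- grep plugins: inspect every response body and record findings in the KB
PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
                        r"172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def private_ip(freq, body, kb):
    for ip in PRIVATE_IP.findall(body):
        kb.append("privateIP", "ip", ip)

def get_mails(freq, body, kb):
    for mail in EMAIL.findall(body):
        kb.append("getMails", "email", mail)

# --- audit plugin: append a quote to each parameter and look for a database error
SQL_ERRORS = re.compile(r"error in your SQL syntax|ORA-\d{5}|unclosed quotation mark", re.I)

def sql_injection(freq, fetch, kb):
    for name, value in freq.params().items():
        _, body = fetch(freq.with_param(name, value + "'").url)
        if SQL_ERRORS.search(body):
            kb.append("sqli", "vuln", (freq.url, name))

def run_scan(start_url, fetch=fake_http_get):
    """The core: run discovery until no plugin yields a new request, then grep and audit."""
    kb = KnowledgeBase()
    seen = {FuzzableRequest(start_url)}
    queue = list(seen)
    while queue:
        freq = queue.pop(0)
        for plugin in (web_spider, backup_file_fuzzer):
            for new in plugin(freq, fetch, kb):
                if new not in seen:
                    seen.add(new)
                    queue.append(new)
    for freq in seen:
        _, body = fetch(freq.url)
        for plugin in (private_ip, get_mails):
            plugin(freq, body, kb)
        sql_injection(freq, fetch, kb)
    return kb, {f.url for f in seen}
```

Running `run_scan("http://target.example/")` shows the synergy the talk emphasises: the spider finds `/about`, the backup-file fuzzer turns that into `/about.bak`, and the spider run over that hit reaches `/old/admin`, a page no live link points to. The grep plugins pick up the internal address and e-mail from `/about` along the way, and the audit plugin flags the `q` parameter of `/search` from the error string alone, which is the error-based (non-blind) case; the blind variant the Good Samaritan module speeds up would need a timing or boolean oracle instead of the regex.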