
w3af – Web Application Attack and Audit Framework

March 20th, 2009

w3af (Web Application Attack and Audit Framework) is a complete environment for auditing and attacking web applications. This environment provides a solid platform for auditing and penetration testing. The framework will work on all platforms that support Python (Linux, WinXP, Vista, OpenBSD, etc.). For my testing, I opted to use the pre-configured Samurai LiveCD (which I will cover at a later time; it is also available in the BT4 beta), as I attempted to install w3af on my Vista machine but simply ran into too many hiccups trying to get the GUI to run. For this reason I also decided to stick with the command-line approach, which is a very usable command system in its own right.

The core of w3af is about utilizing plug-ins. Plug-ins are categorized into three primary sections: discovery, audit, and attack.

Discovery plug-ins are just like they sound. They are used to find new URLs, forms, and any other potential injection point. A common example would be a web spider. Multiple plug-ins can be used in tandem to find each and every injection point that’s possible (within the plug-in’s limits).

Audit plug-ins continue the process: they take all the data found by the discovery plug-ins and send specially crafted data to each injection point in order to find vulnerabilities. One common example would be SQL injection.

The attack plug-ins’ primary goal is to actually exploit the vulnerabilities. The common output from here is either a shell or, in the case of a SQL injection, table dumps.

[Screenshot: w3af GUI]
As mentioned earlier, w3af supports both the command line and a GUI. For most of my testing, I stuck with the command line, as this allowed me to easily see what exactly was going on underneath versus simply filling in blank parameters and clicking a button. Some could argue the GUI might be faster, but the commands required for w3af were very simple, and navigation and setting parameters were a breeze. w3af also supports batching commands together in scripts to help reduce redundant procedures.
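To show what such a batch script looks like, here is an added example of a w3af console script (this is my own illustration, not a script shipped with w3af or taken from the original post). It uses the console's own commands to enable one discovery plug-in and one audit plug-in, point the scan at a placeholder target (http://target.example/ is a constructed placeholder, not a real host), and start the scan. The plug-in names follow the 1.0 RC1 era naming that this post covers; later w3af releases renamed the discovery category to crawl and webSpider to web_spider, so adjust those two lines for a current install.

```text
# Example w3af console script (assumed file name: my-audit.w3af).
# Run it with: ./w3af_console -s my-audit.w3af
# Lines starting with '#' are comments and are ignored by the console.

# Send results to the console and also to a text file for later review.
plugins
output console,textFile
output config textFile
set fileName output-w3af.txt
set verbose True
back
output config console
set verbose False
back

# Discovery phase: the spider finds URLs, forms and other injection points.
discovery webSpider

# Audit phase: feed every injection point the spider found to the SQL injection check.
audit sqli

# Leave the plugins menu.
back

# Target configuration (placeholder host, constructed for this example).
target
set target http://target.example/
back

# Run the scan with the plug-ins configured above, then leave the console.
start
exit
```

Every block of this script maps onto one menu of the interactive console (plugins, output config, target), and `back` returns to the menu above, so a script is literally the same keystrokes you would type by hand. That is what makes scripts useful for the redundant procedures the post mentions: the same discovery and audit configuration can be replayed against each new build of an application, with only the `set target` line changing.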

[Screenshot: w3af command window]

w3af is a growing project. It just recently reached the big 1.0 RC1 milestone. It has great support for extension, and the community is working hard to help expand the possibilities. Its integration with already proven tools is also a big step. I’m going to continue to follow its progress and look forward to bringing you a full-on tutorial series very soon.

Direct links: w3af, Samurai, BackTrack

Each Thursday (sometimes Friday when Tim is late posting), Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!
