
Tools of the Trade: w3af

Posted: September 1st, 2009 | Author: Matt | Filed under: InfoSec, Tools

Overview

We have all had to test the security of a web app at some stage, and there are a vast number of tools to get the job done, whether written by yourself or by a third party. The list isn’t endless, but it certainly does a good job of trying to be. One of these tools is w3af, which expands rather nicely to “Web Application Attack and Audit Framework.” Think Metasploit, but for web application testing, and you’ll have the idea. It’s available as a single download, via apt in the unstable branch of Debian, and best of all it’s built into our favourite toolkit, BackTrack.

That’s great... now what?

Now that we know roughly what it’s about and where we can get it, what next?
There are a couple of ways to work with w3af. There is the ever-popular GUI (GTK based), which you can fire up from the CLI with ./w3af_gui. In my experiments with the tool I found that the GUI tends to hang on some of the exploit tests, so I stuck to the CLI interface. Let’s fire it up and take a look around. Run ./w3af_console from your w3af working directory. This will drop you into the CLI interface. If you have worked with Metasploit before, you will be at home here.

Configuring your scan / Working with w3af

From the CLI your first stop will be the “target” option. Type in “target” and you’ll see the CLI prompt change to something like this:

w3af/config:target>>>

This means you’re now ready to configure your target options. This is done with the very intuitive “set target http://www.yourtarget.tld”. There are a couple of other options here, namely “targetFramework” and “targetOS”, which I won’t cover simply because I have yet to use them in my tinkering. My advice is to download the manual (provided as a very tidy PDF file) and give it a once-over. With the target set, type “back” to return to the previous menu. That is essentially how you navigate through the various menus in w3af.

From here you have a number of options depending on what you want to do. Your next port of call is likely to be the “plugins” menu. This is where you define what you want to do in your w3af session. Some of the more exciting plugins include:

  • discovery
  • audit
  • exploit
  • evasion

I will leave it to you to go through and find out what each one does, although the names are fairly self-descriptive.
One note of warning: BE VERY CAREFUL WITH THE DISCOVERY PLUGINS!
If you don’t really know what you’re working with and enable the discovery plugins, you could end up waiting an unhealthy amount of time for your scan to finish. I have been burned by this. It’s not fun. Check the manual, because it gives you some handy tips and guidelines on using the discovery plugins.

The most fun can be had with the “audit” plugin. There are a large number of audits you can run with w3af. The most interesting and the ones you will probably find yourself using the most are:

  • blindSqli – Blind SQL Injection vulnerabilities
  • sqli – regular SQL injection vulnerabilities
  • xss – Cross site scripting vulnerabilities
  • remoteFileInclude – Remote file include vulnerabilities

To enable an audit plugin, simply issue the “audit sqli” command. These can be strung together if you want more than one (and you generally will), like so: “audit dav,eval,frontpage,etc,etc”.
To check which audit plugins you have enabled, simply enter “audit” without any arguments.
Another thing to take note of is the “Conf” field in the audit list. This means that the audit plugin requires further configuration, which is done by issuing “audit config” followed by the plugin name. Then simply use “set” to set your extra parameters or “view” to view the existing ones. Once you’re done, issue “back” to return to the previous menu.

One of the final options to play with is the “output” option under “plugins”. This defines where the output from the scan will go. A good one to use is “output console,htmlFile”. This will dump the output of your scan to the console (useful for real-time monitoring) and to a neat little HTML file called “report.html”.

Once you have gone through all the configuration, go back to the root of the CLI with the “back” command and issue the rather fun “start” command to start your scan. w3af will then scan your target with the various options you gave it and dump everything into a neat little report.

I realise I skimmed over a lot of what w3af can do, but my aim was to give you enough to start playing around with the tool on your own. w3af isn’t the only tool that does what it does, but it is a good one to have in your “little bag o’ tricks”. But quite possibly the best part of all of this?

It can be scripted.
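As an added example (not from the original post), here is a small POSIX shell helper that turns the interactive session walked through above (plugins, output, audit, target, start) into a w3af console script file, one command per line. It assumes the 2009-era `./w3af_console -s <file>` script option and uses the constructed target http://www.yourtarget.tld from the post.

```shell
#!/bin/sh
# Added example: replay the w3af console session described in the post
# non-interactively. Assumption: ./w3af_console accepts -s <script file>
# (check ./w3af_console --help on your install).

# write_w3af_script TARGET_URL OUTFILE
# Writes the console commands, in the same order you would type them,
# to OUTFILE. Returns 1 and writes nothing if TARGET_URL is not http(s).
write_w3af_script() {
    target="$1"
    out="$2"
    # A typo here would become a bogus "set target" line, so check the
    # scheme before emitting anything.
    case "$target" in
        http://*|https://*) ;;
        *) echo "write_w3af_script: target must start with http:// or https://" >&2
           return 1 ;;
    esac
    cat > "$out" <<EOF
plugins
output console,htmlFile
audit sqli,blindSqli,xss,remoteFileInclude
back
target
set target $target
back
start
EOF
}

# Usage (constructed example host):
#   write_w3af_script "http://www.yourtarget.tld" scan.w3af
#   ./w3af_console -s scan.w3af
```

The generated file can be kept under version control alongside the report.html it produces, so the same audit configuration is reused from one scan to the next.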

And I will leave it at that.

Thank you for your attention. Good night.