w3af (Web Application Audit and Attack Framework) is a framework for
auditing and exploiting web applications. In this series of articles we
will look at almost all of the features w3af has to offer and discuss how
to use them for web application penetration testing. In this first part
we will work with the w3af console and get familiar with its commands. We
will also look at the different types of plugins w3af provides and
discuss how to combine them for the best results.
Some of the major features of w3af are:
- Its plugins communicate with each other. For example, the discovery plugin crawls the target and collects the URLs (and the parameters they carry) to be tested, then hands them to the audit plugins, which probe those URLs for vulnerabilities.
- It removes some of the drudgery of manual web application testing through its fuzzy and manual request generators. It can also be configured to run as an intercepting (MITM) proxy: intercepted requests can be sent to the request generator and replayed with modified parameters for manual testing.
- It can also exploit the vulnerabilities it finds.
It is important to understand that no automated web application scanner
is perfect: false positives (and false negatives) will always occur, so
every finding still needs manual confirmation. With w3af, the first step
is to make sure we have the latest version. This matters because the w3af
developers (Andres Riancho and the w3af team) are constantly fixing bugs,
so an outdated copy will carry defects that have already been resolved.
To open the w3af console, type the command shown in the figure below.
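As an added example (not part of the original article or of w3af itself), the following POSIX shell script shows how the plugin chain described above is wired up from the console without typing each command by hand: a crawl (discovery) plugin collects URLs, the audit plugins test them, and an output plugin writes the report. It assumes `w3af_console` is on PATH and accepts a command script via `-s`; plugin names follow w3af 1.x (`crawl web_spider`, `audit sqli, xss`), whereas older releases call the crawl family `discovery`. The target 192.0.2.10 is a constructed documentation address, not a real host.

```shell
#!/bin/sh
# Added example: drive w3af_console non-interactively from a script file.
# Assumptions (not from the article): w3af_console is on PATH, it accepts
# a console script via -s, and the target is a lab host you are authorised
# to test. Plugin names follow w3af 1.x (crawl/audit); older releases
# named the crawl plugins "discovery".

write_w3af_script() {
    # $1 = target URL, $2 = path where the console script is written.
    # The lines below are exactly what you would type at the w3af> prompt,
    # in the same order: enable plugins, configure output, set target, start.
    target="$1"
    out="$2"
    cat > "$out" <<EOF
plugins
crawl web_spider
audit sqli, xss
output console, text_file
output config text_file
set output_file ${out%.w3af}-report.txt
set verbose True
back
back
target
set target $target
back
start
exit
EOF
}

run_w3af() {
    # Run the generated script; fail clearly when w3af is not installed
    # instead of silently doing nothing.
    script="$1"
    if command -v w3af_console >/dev/null 2>&1; then
        w3af_console -s "$script"
    else
        echo "w3af_console not found on PATH; script left at $script" >&2
        return 2
    fi
}

# Usage (constructed lab target):
#   write_w3af_script http://192.0.2.10/ /tmp/scan.w3af && run_w3af /tmp/scan.w3af
```

The `crawl`/`audit` split in the script is the plugin hand-off the feature list describes: `web_spider` produces the URLs and `sqli`/`xss` consume them. The same commands can be entered interactively in the console in that order, which is a good way to learn the menus before automating.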
Source: resources.infosecinstitute.com