
w3af - Web Application Attack and Audit Framework
There are many commercial-grade web scanners. Normally they need a Windows-based environment and have huge, enterprise-oriented feature sets. I can't say that w3af is comparable. Nevertheless I think this is an interesting tool to test for potential errors and misconfigurations - not just on a private level. w3af has professional project objectives and even fills in usable basic reports linked to an internal knowledge base. But NDepend (free proprietary version available) or Acunetix (free proprietary version available, too), to mention two typical web-app testing frameworks, provide better report management and organize information in a more business-suited way. At least that's what I think.
But as I already mentioned: I don't think that w3af necessarily has to be comparable; just add it to your suite of tools. It's free and does a lot.
What does it do?
There are certain web-app vulnerabilities you can audit automatically: XSS, SQL injection, web-server auditing, spidering, infrastructure tests... It's absolutely possible to automate CSRF auditing too, and this should be done now.
But it's definitely impossible to bring intelligence into these automated processes - at least for now, and I explicitly want to avoid fuzzy-logic-based decisions here or similar things. Which simply means: automation is nice to have, and in the case of this framework very far developed. There are hundreds of plugins. But the engineer has to consider carefully how to choose them. They have different purposes, options and use cases. A fine-tuned configuration is essential for w3af. You have to know what you're looking for before you fire up these scans. Otherwise the scans will take days and you won't get results; or they may harm your system.
That's where w3af differs amazingly from other scanners: you have full control and power. The latter even for attacking. You can use very advanced exploitation techniques and even insert Metasploit payloads. You can use BeEF, gain an OS command shell...
Give it a try! Or two.
I chose a lighttpd 4.13 on a 2.6.26.3 Debian Etch box with PHP 5.2.0-8 and a PHP-based DokuWiki. Directory indexing is disabled for most folders. So what happens in general? First of all the framework accesses the resource, of course, but uses its own user-agent signature. I assume this is configurable (I haven't found out yet), because otherwise blacklisting the framework by behaviour statistics would be too easy. By default it doesn't cloak itself by sending Mozilla's or IE's browser ID.
hmap is used for web-server fingerprinting, pykto (a Python port of Nikto) for auditing its features:
The most accurate fingerprint for this HTTP server is: "Zope/(Zope 2.6.0 ....) (Solaris 8)".
pykto plugin is using "Zope/(Zope 2.6.0 ....) (Solaris 8)" as the remote server type. This information was obtained by hmap plugin.
Okay... maybe the test case is too hard, maybe my configuration was too stupid. Try more often. Would be a good idea. So I changed some configurations. Surprise: the reports get overwritten. Without asking. That's lame! Then I fired up the GUI because I needed to learn how to use this tool:

that looks sweet as!
That directly showed me: "Hey, you want to audit the OWASP Top 10!" Right? Sure...

whoops?
And with pre-configured profiles everything works fine. Web-server fingerprinting, in this particular case, as I found out, is not easy.
The vulnerability classification, of course - as shown in the screenshot here - is global and theoretical. But it's intelligently linked with the documentation. So browsing the results is made easy, the logs are detailed and the findings are marked according to their potential danger. And yes, of course it's just potential. We can only manage risks we know about.
Also interesting: w3af is completely scriptable; it offers countless features via a Metasploit-like command line and a Zenmap-like GUI. It uses graphs to show results, which makes me love this tool and want to try it on large infrastructures. Report management is strange, but I guess if you really need a report, you'll create it.
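As an added example (not from the original post, and not w3af's own documentation), this is the kind of narrow, scripted scan the paragraphs above argue for: a w3af console script that fingerprints the server, spiders only forward from the target, audits just for XSS and SQL injection, writes to a per-run output file so the previous report is not overwritten, and replaces the default user agent. Run it with `./w3af_console -s dokuwiki.w3af`. The plugin and option names follow the camelCase naming of the w3af versions current when this post was written and are written from memory; the target URL is a placeholder. Check each name with `help` and `view` inside the console before relying on it, because later w3af versions renamed plugins (for example `discovery` became `crawl`, `webSpider` became `web_spider`, `textFile` became `text_file`), and strip the `#` comment lines if your version rejects them.

```text
# dokuwiki.w3af - w3af console script (added example, not from the post).
# Plugin/option names are the old camelCase ones; verify with help/view.

# Output: console plus a text file. Use a new fileName per run so the
# previous report is not silently overwritten.
plugins
output console,textFile
output config textFile
set fileName dokuwiki-scan1.txt
set verbose True
back

# Discovery: fingerprint the server (hmap), run the Nikto-style checks
# (pykto), and spider only below the target path so the scan stays bounded.
discovery hmap,pykto,webSpider
discovery config webSpider
set onlyForward True
back

# Audit: only the two vulnerability classes we actually want to test for.
audit xss,sqli
back

# Leave the plugins menu.
back

# Replace the default w3af user agent with a browser-like one; the stock
# one is trivially blacklisted on the server side.
http-settings
set userAgent Mozilla/5.0 (X11; Linux i686; rv:1.9) Gecko/2008 Firefox/3.0
back

# Target: placeholder host, assumed to be the DokuWiki install under test.
target
set target http://192.0.2.10/dokuwiki/
back

start
exit
```

Keeping the plugin list this short is the point: every extra discovery or audit plugin multiplies the number of requests, and plugins such as the brute-forcers or the DoS checks can genuinely hurt a production host, so add them deliberately and one at a time.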
Learn something now - and prevent something tomorrow
A good idea now might be to check out Irongeek's collection of deliberately insecure web apps, especially Mutillidae (fantastic stuff), the Foundstone stuff, or OWASP WebGoat.
But an even better idea is to look into the code (if it's open) and see how these vulnerabilities evolved to be critical. It's senseless to learn how to click the GUI or how to use this kind of w3af shell if you can't bring better security into development processes. Securing web stuff afterwards is extraordinarily tricky, and post-(active)-development security always has certain weak points. It may seem typical nowadays to have a web application firewall or Mandatory Access Control in the OS backend in order to still ensure host security in case of a web-app compromise. Sandboxing or even virtualization are some answers. But neither the right answers from a software developer's viewpoint, nor effective ones from a security perspective.
Have fun,
wishi