Maintaining a website can be a large task. On the security side, the day-to-day work usually means patching the web server and checking the logs for potential issues. Many automated tools scan the internet for vulnerable web servers to compromise, and a compromised web server typically ends up serving spam. But what about the web application you use to serve your content? Can you trust that it does not give an attacker access to your web server? This is where w3af comes in: w3af attempts to find vulnerabilities in your web application using known attack methods.
Let’s start w3af in Backtrack by navigating to /pentest/web/w3af and executing ./w3af_console.

Next we will set our target by entering the target configuration area. Type target and then press enter. To define the target, type set target <your target address>, where the address is the URL of the application you want audited.

Here is where the features of w3af really start to shine: setting our plugins. There are many plugins that will help audit your web application. Let's first start with Audit. Type back to exit the target configuration area. Then type plugins to enter the plugins configuration area. Look through the list below and select what you would like to audit your site for. (Note: This is a complete list as of 6/15/11.)
| Audit | |
|---|---|
| Plugin name | Description |
| LDAPi | Find LDAP injection bugs. |
| blindSqli | Find blind SQL injection vulnerabilities. |
| buffOverflow | Find buffer overflow vulnerabilities. |
| dav | Verify if the WebDAV module is properly configured. |
| eval | Find insecure eval() usage. |
| fileUpload | Uploads a file and then searches for the file inside all known directories. |
| formatString | Find format string vulnerabilities. |
| frontpage | Tries to upload a file using frontpage extensions (author.dll). |
| generic | Find all kind of bugs without using a fixed database of errors. |
| globalRedirect | Find scripts that redirect the browser to any site. |
| htaccessMethods | Find misconfigurations in the "<LIMIT>" configuration of Apache. |
| localFileInclude | Find local file inclusion vulnerabilities. |
| mxInjection | Find MX injection vulnerabilities. |
| osCommanding | Find OS Commanding vulnerabilities. |
| phishingVector | Find phishing vectors. |
| preg_replace | Find unsafe usage of PHPs preg_replace. |
| redos | Find ReDoS vulnerabilities. |
| remoteFileInclude | Find remote file inclusion vulnerabilities. |
| responseSplitting | Find response splitting vulnerabilities. |
| sqli | Find SQL injection bugs. |
| ssi | Find server side inclusion vulnerabilities. |
| sslCertificate | Check the SSL certificate validity (if https is being used). |
| unssl | Find out if secure content can also be fetched using http. |
| xpath | Find XPATH injection vulnerabilities. |
| xsrf | Find the easiest to exploit xsrf vulnerabilities. |
| xss | Find cross site scripting vulnerabilities. |
| xst | Find Cross Site Tracing vulnerabilities. |
For our example we will choose blindSqli, sqli, and xss. Type audit blindSqli sqli xss.

Now on to the Discovery plugins. Look through the list and select the ways you would like w3af to find your content.
| Discovery | |
|---|---|
| Plugin name | Description |
| afd | Find out if the remote web server has an active filter (IPS or WAF). |
| allowedMethods | Enumerate the allowed methods of an URL. |
| archiveDotOrg | Search archive.org to find new pages in the target site. |
| bing_spider | Search Bing to get a list of new URLs |
| content_negotiation | Use content negotiation to find new resources. |
| detectReverseProxy | Find out if the remote web server has a reverse proxy. |
| detectTransparentProxy | Find out if your ISP has a transparent proxy installed. |
| digitSum | Take an URL with a number ( index2.asp ) and try to find related files (index1.asp, index3.asp). |
| dir_bruter | Finds Web server directories by bruteforcing. |
| dnsWildcard | Find out if www.site.com and site.com return the same page. |
| domain_dot | Send a specially crafted request with a dot after the domain (http://host.tld./) and analyze response. |
| dotNetErrors | Request specially crafted URLs that generate ASP.NET errors in order to gather information |
| favicon_identification | Identify server software using favicon. |
| findBackdoor | Find web backdoors and web shells. |
| findCaptchas | Identify captcha images on web pages. |
| findGit | Find GIT repositories |
| findvhost | Modify the HTTP Host header and try to find virtual hosts. |
| fingerBing | Search Bing to get a list of users for a domain. |
| fingerGoogle | Search Google using the Google API to get a list of users for a domain. |
| fingerPKS | Search MIT PKS to get a list of users for a domain. |
| fingerprint_WAF | Identify if a Web Application Firewall is present and if possible identify the vendor and version. |
| fingerprint_os | Fingerprint the remote operating system using the HTTP protocol. |
| frontpage_version | Search FrontPage Server Info file and if it finds it will determine its version. |
| ghdb | Search Google for vulnerabilities in the target site. |
| googleSpider | Search google using google API to get new URLs |
| halberd | Identify if the remote server has HTTP load balancers. |
| hmap | Fingerprint the server type, i.e apache, iis, tomcat, etc. |
| http_vs_https_dist | Determines the network distance between the http and https ports for a target. |
| importResults | Import URLs found by other tools. |
| oracleDiscovery | Find Oracle applications on the remote web server. |
| phishtank | Search the phishtank.com database to determine if your server is (or was) being used in phishing scams. |
| phpEggs | Fingerprint the PHP version using documented easter eggs that exist in PHP. |
| phpinfo | Search PHP Info file and if it finds it will determine the version of PHP. |
| pykto | A nikto port to python. |
| ria_enumerator | Fingerprint Rich Internet Apps – Google Gears Manifest files, Silverlight and Flash. |
| robotsReader | Analyze the robots.txt file and find new URLs |
| serverHeader | Identify the server type based on the server header. |
| serverStatus | Find new URLs from the Apache server-status cgi. |
| sharedHosting | Use Bing search to determine if the website is in a shared hosting. |
| sitemapReader | Analyze the sitemap.xml file and find new URLs |
| slash | Identify if the resource http://host.tld/spam/ and http://host.tld/spam are the same. |
| spiderMan | SpiderMan is a local proxy that will collect new URLs. |
| urlFuzzer | Try to find backups, and other related files. |
| urllist_txt | Analyze the urllist.txt file and find new URLs |
| userDir | Try to find user directories like “http://test/~user/” and identify the remote OS based on the remote users. |
| webDiff | Compare a local directory with a remote URL path. |
| webSpider | Crawl the web application. |
| wordnet | Use the wordnet lexical database to find new URLs. |
| wordpress_fingerprint | Finds the version of a WordPress installation. |
| wsdlFinder | Find web service definitions files. |
| xssedDotCom | Search in xssed.com to find xssed pages. |
| yahooSiteExplorer | Search Yahoo’s index using Yahoo site explorer to get a list of URLs |
| zone_h | Find out if the site was defaced in the past. |
Use your knowledge of your website to pick which discovery methods are best. If your site doesn't have an IDS or WAF, then running afd would waste time and add unhelpful information to your report. Keep in mind that the audit plugins only test the URLs and parameters that discovery hands them: unless a crawling plugin such as webSpider (or spiderMan or importResults) is enabled, sqli and xss will be tried against the target URL alone. For our example we will choose phpinfo, serverHeader, and afd. Type discovery phpinfo serverHeader afd.

Then finally choosing the output plugin. Below is a list of plugins available.
| Output | |
|---|---|
| Plugin name | Description |
| console | Print messages to the console. |
| gtkOutput | Saves messages to kb.kb.getData(‘gtkOutput’, ‘queue’), messages are saved in the form of objects. |
| htmlFile | Print all messages to a HTML file. |
| textFile | Prints all messages to a text file. |
| xmlFile | Print all messages to a xml file. |
For our example we are going to use the htmlFile plugin, which gives us a neat report in HTML. Type output htmlFile. The file the report is written to is a plugin option; type output config htmlFile and then view to see and set it before leaving the plugins area.

There are a few other plugin groups available that may be useful when you are auditing your web application. The mangle plugin called sed allows for manipulation of http requests and responses. The evasion plugins allow for evasion of WAFs, IDS/IPS, and hard coded checks of input. The bruteforce plugins allow for brute forcing of authentication into the web application. Lastly the grep plugins allow for string searches of the web application. The plugins are listed below.
| Mangle | |
|---|---|
| Plugin name | Description |
| sed | This plugin is a “stream editor” for http requests and responses. |
| Evasion | |
|---|---|
| Plugin name | Description |
| backSpaceBetweenDots | Insert between dots an 'A' followed by a BS (backspace) control character, which cancel each other out when the request is processed. |
| fullWidthEncode | Evade detection using full width encoding. |
| modsecurity | Evade detection using a mod_security vulnerability. |
| reversedSlashes | Change the slashes from / to \ |
| rndCase | Change the case of random letters. |
| rndHexEncode | Add random hex encoding. |
| rndParam | Add a random parameter. |
| rndPath | Add a random path to the URI. |
| selfReference | Add a directory self reference. |
| shiftOutShiftInBetweenDots | Insert between dots shift-out and shift-in control characters, which cancel each other out when the request is processed. |
| BruteForce | |
|---|---|
| Plugin name | Description |
| basicAuthBrute | Bruteforce HTTP basic authentication. |
| formAuthBrute | Bruteforce HTML form authentication. |
| Grep | |
|---|---|
| Plugin name | Description |
| ajax | Grep every page for traces of Ajax code. |
| blankBody | Find responses with empty body. |
| codeDisclosure | Grep every page for code disclosure vulnerabilities |
| collectCookies | Grep every response for session cookies sent by the web application. |
| creditCards | This plugin detects the occurrence of credit card numbers in web pages. |
| directoryIndexing | Grep every response for directory indexing problems. |
| domXss | Grep every page for traces of DOM XSS. |
| dotNetEventValidation | Grep every page and identify the ones that have viewstate and don’t have event validation. |
| error500 | Grep every page for error 500 pages that haven’t been identified as bugs by other plugins. |
| errorPages | Grep every page for error pages. |
| feeds | Grep every page and finds rss, atom, opml feeds. |
| fileUpload | Find HTML forms with file upload capabilities. |
| findComments | Find HTML comments. |
| formAutocomplete | Grep every page for detection of forms with ‘autocomplete’ capabilities containing password-type inputs. |
| getMails | Find email accounts. |
| hashFind | Identify hashes in HTTP responses. |
| httpAuthDetect | Find responses that indicate that the resource requires auth. |
| httpInBody | Search for HTTP request/response string in response body. |
| lang | Read N pages and determines the language the site is written in. |
| metaTags | Grep every page for interesting meta tags. |
| motw | Identify whether the page is compliant to mark of the web. |
| objects | Grep every page for objects and applets. |
| oracle | Find Oracle applications. |
| passwordProfiling | Create a list of possible passwords by reading HTTP response bodies. |
| pathDisclosure | Grep every page for traces of path disclosure vulnerabilities. |
| privateIP | Find private IP addresses on the response body and headers. |
| ssn | This plugin detects the occurrence of US Social Security numbers in web pages. |
| strangeHTTPCode | Analyze HTTP response codes sent by the remote web application. |
| strangeHeaders | Grep headers for uncommon headers sent in HTTP responses. |
| strangeParameters | Grep the HTML response and find URIs that have strange parameters. |
| strangeReason | Analyze HTTP response reason (Not Found, Ok, Internal Server Error). |
| svnUsers | Grep every response for users of the versioning system. |
| user_defined_regex | Report a vulnerability if the response matches a user defined regex. |
| wsdlGreper | Grep every page for web service definition files. |
A great resource to learn more about these plugins is the plugin documentation on the w3af website.
Our next step is to start the scan against our web application. Type back to get out of the plugins configuration area. Then simply type start. How long the scan takes depends on the plugins you chose and on the size of the application.
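The whole console session above (target, audit, discovery, output, start) can also be run unattended from a script file with w3af_console -s, which is handy for repeating the scan after each deployment. The following is an added example and not part of the original tutorial or of w3af itself: it writes the console commands to a file and hands them to the console. The Backtrack path, the sample target address and the htmlFile option name fileName are assumptions; check the option name with output config htmlFile followed by view in your own install. The example also goes one step beyond the tutorial by adding webSpider to the discovery list so the audit plugins get crawled URLs and forms to test.

```shell
#!/bin/sh
# Added example: drive the w3af console non-interactively from a script file.
# Assumptions (not from the tutorial): the Backtrack install path below, the
# htmlFile option name "fileName", and the sample target used in the test.

W3AF_DIR="${W3AF_DIR:-/pentest/web/w3af}"

# write_w3af_script TARGET_URL REPORT_FILE OUT_SCRIPT
# Emits the same commands the tutorial types by hand, as a w3af script.
# Plugin lists are comma-separated, as in the script files shipped with w3af.
# webSpider is included so sqli/blindSqli/xss have more than the start URL
# to work on; console output is kept so progress is still visible.
write_w3af_script() {
    target="$1"; report="$2"; out="$3"
    cat > "$out" <<EOF
plugins
output console,htmlFile
output config htmlFile
set fileName $report
set verbose True
back
audit blindSqli,sqli,xss
discovery webSpider,phpinfo,serverHeader,afd
back
target
set target $target
back
start
exit
EOF
}

# run_scan TARGET_URL REPORT_FILE
# Writes the script to a temporary file and runs it through w3af_console -s.
run_scan() {
    script=$(mktemp) || return 1
    write_w3af_script "$1" "$2" "$script"
    ( cd "$W3AF_DIR" && ./w3af_console -s "$script" )
    status=$?
    rm -f "$script"
    return $status
}

# Usage: ./w3af-scan.sh http://www.example.com/ report.html
if [ -n "${1:-}" ]; then
    run_scan "$1" "${2:-w3af-report.html}"
fi
```

Drop afd from the discovery line if you know there is no IDS or WAF in front of the site, and swap htmlFile for xmlFile if you want to feed the results into another tool.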

Our simple scan only revealed that we were scanning an Ubuntu box running Apache 2.2.14. That is about what the chosen plugins can produce: phpinfo, serverHeader, and afd fingerprint the server but do not crawl the application, so the sqli, blindSqli, and xss checks had only the single target URL to test.

Try it out on your web application. You might be surprised at what w3af finds.
