This presentation on the w3af (Web Application Attack and Audit Framework) was by Andres Riancho (ariancho@cybsec.com) who is the project leader.  w3af is an Open Source project (GPLv2).  A script that evolved into a serious project.  A vulnerability scanner.  An exploitation tool.  Found that the commercial tools were too pricey so developed a tool to make his job easier.

Finds almost all web application vulnerabilities.  Cross platform (written in python).  Uses tactical exploitation techniques to discover new URLs and vulnerabilities.  GTK and Console user interface.  Web service support.  Exploits [blind] SQL injections, OS commanding, remote file inclusions, local file inclusions, XSS, unsafe file uploads and more.  WML Support (WAP).  Really easy to extend.  Synergy among plugins.  Ability to find vulerabilities in query string, post data, URL filename, headers, file content (when uploading with forms) and web services.  130 plugins and growing.  Manual analysis web applications.

w3af is divided into two main parts, the core and the plugins.  The core coordinates the process and provides features that plugins consume.  Plugins share information with each other using a knowledge base.  Design patterns and objects everywhere!  8 different types of plugins exist:

  • Discovery Plugins: Find new URLs and create the corresponding fuzzable requests (webSpider, urlFuzzer, googleSpider, pykto)
  • Discover plugins are run in a loop, the output of one discovery plugin is sent as input to the next plugin.  This process continues until all plugins fail to find a new fuzzable request.
  • Other discovery plugins try to fingerprint remote httpd, allowed HTTP methods, verify if the remote site has an HTTP load balancers.
  • Audit Plugins: They take the output of discovery plugins and find vulnerabilities like [blind] SQL injection, XSS, buffer overflows
  • Grep Plugins: These plugins grep every HTTP request and response to try to find information.  Examples are findComments, passwordProfiling, privateIP, directoryIndexing, getMails, and lang.
  • Attack Plugins: These plugins read the vuln objects from the KB and try to exploit.
  • Output Plugins: They write messages to the console, html or text file.
  • Mangle Plugins: They modify requests and responses based on regexs
  • Evasion Plugins: They modify the requests to try to evade IDS detection
  • Bruteforce Plugins: They try to bruteforce logins

The presenter then demonstrated the w3af utility.  Very clean looking GUI similar to many of the linux GUI’s available.  Good use of tabs to separate various outputs.  I haven’t used it, but it looks fairly intuitive.  It has the ability to create exploit shells (OS, SQL, etc) just like I’ve seen with uber-expensive products like CoreImpact.  Ability to use python statements in HTTP requests to iterate through different pages. Some really useful graphing.

  • archiveDotOrg plugin: Searches archive.org for older versions of the site, links that were linked somewhere in the past and now are kept in the dark.  Old and unmaintained sections are prone to vulnerabilities
  • Use of PHP easter eggs to fingerprint the remote PHP version.  Old and almost forgotten technique.  Accurate fingerprinting.  Almost nobody disables the eggs (expose_php=off)
  • Good samaritan module: A faster way to exploit blind SQL injections!  A funny way to exploit blind SQL injections!  “Guiding the blind man”
  • Virtual Daemon: Ever dreamed about using metasploit payloads to exploit web applications?  Now you can do it!  Coded a metasploit plugin that connects to a virtual daemon and sends the payload.  The virtual daemon is run by a w3af attack plugin and receives the payload and creates a tiny ELF/PE executable.
  • w3afAgent: A reverse “VPN” that allows you to continue intruding into the target network.  Send the w3afAgent client to the target host using a transfer handler (wget, tftp, echo).  The cient connects back to w3af where the w3afAgent server runs a SOCKS daemon. (Just like CoreImpact!!!  Freakin’ sweet!)  UDP traffic doesn’t work, but could.  Raw sockets, and sniffing won’t work.
  • Web 2.0 Support.  w3af can analyze pages that make heavy use of JavaScript.  THe manual solution available to achieve this task is the spiderMan plugin.  Local proxy daemon.  Analyzes requests and creates fuzzable requests.  The user needs to navigate the JavaScript sections of the site.  Supports JSON.

Future

  • Some level of javascript support (mozrepl)
  • More stable core
  • Less false positives/negatives
  • More attack plugins
  • Better GTK user interface
  • Better management report generation
  • Long descriptions for vulnerabilities using OWASP attack information from the wiki.

Site: http://w3af.sf.net