
| Subject: | [Full-disclosure] [TOOL] w3af - Web Application Attack and Audit Framework |
|---|---|
| Date: | Sun, 10 Jun 2007 15:20:29 -0300 |
List,
I'm glad to present w3af (Web Application Attack and Audit
Framework), a fully automated auditing and exploiting framework for
the web. This framework has been developed for almost a year and has
the following features:
Audit
- SQL injection detection
- XSS detection
- SSI detection
- Local file include detection
- Remote file include detection
- Buffer Overflow detection
- Format String bugs detection
- OS Commanding detection
- Response Splitting detection
- LDAP Injection detection
- Basic Authentication bruteforce
- File upload inside webroot
- htaccess LIMIT misconfiguration
- SSL certificate validation
- XPATH injection detection
- unSSL (HTTPS documents can be fetched using HTTP)
- dav
Discovery
- Pykto, a nikto port to python
- Hmap, http fingerprinting.
- fingerGoogle, finds valid user accounts in google.
- googleSpider, a spider that uses google.
- webSpider, a classic web spider.
- robotsReader
- urlFuzzer
- serverHeader, fetches server header
- allowedMethods, gets a list of allowed HTTP methods.
- crossDomain, get and parse the flash file crossdomain.xml
- error404page, generate a regular expression to match 404 pages.
- sitemapReader, read Google's sitemap.xml and parse it.
- spiderMan, using a localproxy and a human, find new URLs for auditing.
- webDiff, find differences between a local and a remote directory.
- wsdlFinder, find and parse WSDL and DISCO files.
Grep
- collectCookies
- directoryIndexing
- findComments
- pathDisclosure
- strangeHeaders
- grep for pages using ajax and report them
- domXss, find DOM cross site scripting vulnerabilities.
- errorPages, search for error pages that are too descriptive.
- fileUpload, find forms with file upload capabilities.
- getMails
- http authentication detection
- objects detection
- privateIP disclosure detection
- wsdlGreper, greps every page searching for WSDL documents.
Output
- console
- htmlFile
- textFile
Mangle
- sed, a stream editor for HTTP requests and responses.
Evasion
- reversedSlashes
- rndCase
- rndHexEncode
- rndParam
- rndPath
- selfReference
Attack
- davShell
- fileUploadShell
- googleProxy
- localFileReader
- mysqlWebShell
- osCommandingShell
- remoteFileIncludeShell
- rfiProxy
- sqlmap
- xssBeef
The framework is extended using plugins and is completely written in
python. More info can be found at: http://w3af.sf.net/
Cheers,
--
Andres Riancho
http://w3af.sourceforge.net/ Web App Attack and Audit Framework
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/