Web Application Web Application Attack Attack and Audit Framework and Audit Framework By Prajwal Panchmahalkar
Jun 09, 2015
Web Application AttackWeb Application Attackand Audit Frameworkand Audit Framework
By Prajwal Panchmahalkar
W3af is a well known web attack and auditing framework.
•Very similar to Metasploit framework
W3af combines all necessary actions for a complete web attack.
•Mapping•Discovery•Exploitation
This puts the framework into three major plug-ins.
Web Service Support Exploits
•SQL injections(blind)
• OS commanding
• remote file inclusions
• local file inclusions
• XSS and more
A good harmony among plug-ins.
Discovery PluginDiscovery Plugin•URLS•Injection Points
Audit PluginAudit Plugin•Uses the above injection points•Sends crafted data to find vulnerabilities
Exploit PluginExploit Plugin•Exploits vulnerabilities found•Provides SQL dumps / remote shell is returned
Find all the URLs
•Create Fuzzable requestPlugins:
•WebSpider
•URL fuzzer
•Pykto
•GoogleFuzzer
They use the discovery plug-in outputs and find their respective vulnerabilities
•SQL Injection (blind)
•XSS
•Buffer Overflow
•Response Splitting
Grep every HTTP request and response
•findComments•passwordProfiling•privateIP•DirectoryIndexing•Getmails•lang
BruteForce•Bruteforce logins
Evasion•Modify the request to evade IDS detection
Mangle•Modify requests/responses based on regular expressions.
Output•Write logs .
THANKS TOTHANKS TO
ALLALL