W3af - A Framework To Own The Web

This document discusses the w3af framework, which is an open source web application vulnerability scanner and exploitation tool. It has many features for discovering vulnerabilities like SQL injection and XSS, exploiting them, and performing tactical information gathering. The framework uses different plugin types and has a modular architecture.

A framework to 0wn the Web

Andrés Riancho
[email protected]

OWASP Poland - 2009


Copyright 2008 CYBSEC. All rights reserved.
andres@bonsai-sec:~$ whoami
- Web Application Security enthusiast
- Developer (python!)
- Open Source Evangelist
- With some knowledge in networking, IPS design and evasion
- w3af project leader
- Founder of Bonsai Information Security

2
w3af
- w3af stands for Web Application Attack and Audit Framework
- An Open Source project (GPLv2)
- A set of scripts that evolved into a serious project
- A vulnerability scanner
- An exploitation tool

3
Main features
- Identifies almost all web application vulnerabilities
- Cross platform (written in python).
- GTK and Console user interface
- Really easy to extend
- Uses Tactical exploitation techniques to discover new URLs and vulnerabilities
- Exploits [blind] SQL injections, OS commanding, remote file inclusions, local file inclusions, XSS, unsafe file uploads and more!

4
Main features
- Synergy among plugins
- Web Service support
- WML Support (WAP)
- Broken HTML support
- Number of plugins: 135 and growing
- Manual and automated analysis of web applications
  - MITM proxy
  - Manual request editor
  - Fuzzy request generator
5
Main features | Bad markup
- The Web is ugly, we know it, and we handle it the best possible way.
- Beautiful Soup: an HTML parser optimized for screen-scraping.

6
Main features | The HTTP fuzzer
- Parsing HTML and fuzzing HTTP is harder than people think. One simple case to think about:
  - A form with 3 drop-down boxes, each with 10 options, and one text input. There is a SQL injection in the text input, but it is only triggered when a particular combination of the 3 drop-down boxes [1°, 3°, 9°] is selected.
  - Testing all combinations isn't always an option, for example when there is a drop-down box with ALL the countries.
  - w3af can be configured to use T, B, T-B, T-M-B (default), All.
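To make the trade-off concrete, here is an added illustration (my own code, not w3af's; the slides do not show w3af's implementation): it assumes that T, M and B select the top, middle and bottom option of every drop-down in lockstep, that All is the full cartesian product, and it uses a constructed form whose injection fires only on the slide's [1°, 3°, 9°] combination.

```python
from itertools import product

# Constructed form mirroring the slide: three drop-downs with 10 options each
# (plus a text input, irrelevant to the counting). Not a real application.
FORM = {
    "country": [f"country{i}" for i in range(10)],
    "year": [f"year{i}" for i in range(10)],
    "category": [f"cat{i}" for i in range(10)],
}

# Hypothetical trigger: the injection in the text input only fires when the
# 1st, 3rd and 9th options (0-based indices 0, 2, 8) are selected together.
TRIGGER = (0, 2, 8)

def option_indices(n_options, mode):
    """Option positions a strategy takes from a drop-down with n options."""
    last = n_options - 1
    picks = {
        "t": [0],                          # top option only
        "b": [last],                       # bottom option only
        "tb": [0, last],                   # top, then bottom
        "tmb": [0, n_options // 2, last],  # top, middle, bottom (default)
        "all": list(range(n_options)),     # every option
    }
    return picks[mode]

def form_variants(form, mode="tmb"):
    """Yield one tuple of option indices per request the fuzzer would send.
    Assumed semantics: in t/b/tb/tmb the drop-downs move in lockstep (top with
    top, middle with middle, ...); 'all' is the full cartesian product."""
    sizes = [len(options) for options in form.values()]
    if mode == "all":
        yield from product(*(range(n) for n in sizes))
        return
    for step in range(len(option_indices(sizes[0], mode))):
        yield tuple(option_indices(n, mode)[step] for n in sizes)

def requests_needed(form, mode):
    """Number of requests a strategy costs for this form."""
    return sum(1 for _ in form_variants(form, mode))

def first_hit(form, mode, trigger=TRIGGER):
    """Request number at which the trigger combination is sent, or None."""
    for count, combo in enumerate(form_variants(form, mode), start=1):
        if combo == trigger:
            return count
    return None
```

With this form the default T-M-B strategy costs 3 requests and misses the injection, while All costs 1000 and reaches it on request 29; a country drop-down with ~200 entries would push All into the hundreds of thousands.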
7
Architecture
- w3af is divided into two main parts, the core and the plugins.
- The core coordinates the process and provides features that plugins consume.
- Plugins find the vulnerabilities, and exploit them.
- Plugins share information with each other using a knowledge base.
- Design patterns and objects everywhere!


8
Architecture
- 8 different types of plugins exist:
  - discovery
  - audit
  - grep
  - attack
  - output
  - mangle
  - evasion
  - bruteforce

9
Plugins | Discovery
- They find new URLs, forms, etc. and create a complete sitemap. The findings are saved in the core as fuzzable requests. Examples of discovery plugins are:
  - webSpider
  - urlFuzzer
  - googleSpider
  - pykto

10
Plugins | Discovery
- They are run in a loop: the output of one discovery plugin is sent as input to the next plugin. This process continues until all plugins fail to find a new resource.
- This feature increases the code coverage of each scan, allowing the audit plugins to find more vulnerabilities.
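An added illustration of that loop (not w3af's own code): two toy plugins, a crawler and a name-guesser, are run over a constructed in-memory site until a whole round finds nothing new. It shows why a directory that is never linked only becomes crawlable because each plugin's output is fed back to the others.

```python
# Constructed in-memory site: URL -> URLs linked from that page. /backup is
# never linked anywhere, so a crawler alone cannot reach it (not a real host).
SITE = {
    "/": ["/about", "/login"],
    "/about": ["/team"],
    "/team": [],
    "/login": [],
    "/backup": ["/backup/db.sql"],
    "/backup/db.sql": [],
}

def web_spider(url):
    """Crawler-style plugin: returns the links found on the page."""
    return set(SITE.get(url, []))

def url_fuzzer(url):
    """Guessing-style plugin: tries a few common sibling names next to the URL
    and keeps those that exist (existence is simulated by membership in SITE)."""
    parent = url.rsplit("/", 1)[0]
    candidates = {f"{parent}/{name}" for name in ("admin", "backup", "old")}
    return {c for c in candidates if c in SITE}

def run_discovery(seed, plugins):
    """Feed every newly found URL through every plugin, round after round,
    until a round finds nothing new. Returns (known URLs, rounds run)."""
    known = {seed}
    pending = [seed]
    rounds = 0
    while pending:
        rounds += 1
        new = []
        for url in pending:
            for plugin in plugins:
                for found in plugin(url):
                    if found not in known:
                        known.add(found)
                        new.append(found)
        pending = new  # next round works only on what this round discovered
    return known, rounds
```

Running the crawler alone stops at four URLs; with the guesser in the loop the crawler is handed /backup in round two and then finds /backup/db.sql on it, so the audit plugins get two more fuzzable requests.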

11
Plugins | Discovery
- Other discovery plugins try to fingerprint the remote httpd, verify if the remote site has an HTTP load balancer installed, etc.
  - halberd
  - hmap
  - afd
  - fingerprint_WAF
- I need some refactoring…
  - Crawlers
  - Infrastructure

12
Plugins | Audit
- They take the output of discovery plugins and find vulnerabilities like:
  - [blind] SQL injection
  - XSS
  - Buffer overflows
  - Response splitting.
- Vulnerabilities are identified using different methods that vary with the type of vulnerability being identified, but when possible, all methods are used:
  - Error based
  - Time delay
  - Creating a new resource
  - Different responses (AND 1=1, AND 1=2)

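Seen from the defender's side, the "different responses" method leaves a recognisable trace: the same client requests the same parameter with both AND 1=1 and AND 1=2. The following added example (my own code, not w3af's) scans a constructed access-log sample for such pairs and reports whether the two responses differed in size, which is the signal a scanner treats as a finding.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample in Common Log Format; not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2009:10:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2009:10:00:02 +0000] "GET /item.php?id=5%20AND%201%3D1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2009:10:00:03 +0000] "GET /item.php?id=5%20AND%201%3D2 HTTP/1.1" 200 33
10.0.0.7 - - [01/Jan/2009:10:00:04 +0000] "GET /item.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2009:10:00:05 +0000] "GET /item.php?id=9%20AND%201%3D1 HTTP/1.1" 200 512
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+)')
TAUTOLOGY = re.compile(r"\bAND\s+1\s*=\s*([12])\b", re.IGNORECASE)

def find_boolean_probes(log_text):
    """Return one record per (client, path, parameter) for which the same client
    sent both the 'AND 1=1' and the 'AND 1=2' variant, with the response body
    size seen for each so a size difference is visible."""
    seen = defaultdict(dict)  # (client, path, param) -> {"1": size, "2": size}
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, _method, url, _status, size = match.groups()
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):  # parse_qsl URL-decodes
            hit = TAUTOLOGY.search(value)
            if hit:
                seen[(client, parts.path, name)][hit.group(1)] = int(size)
    probes = []
    for (client, path, name), sizes in sorted(seen.items()):
        if set(sizes) >= {"1", "2"}:  # both halves of the pair were sent
            probes.append({"client": client, "path": path, "param": name,
                           "true_size": sizes["1"], "false_size": sizes["2"],
                           "responses_differ": sizes["1"] != sizes["2"]})
    return probes
```

Only 10.0.0.5 is reported: 10.0.0.9 sent a single tautology, which is noise on its own, while the pair with a 512 vs 33 byte response difference is exactly what tells the scanner (and the defender) that the parameter reached the database.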
13
Plugins | Audit
- As vulnerabilities are found, they are saved as vuln objects in the knowledge base.
- These vuln objects are then used as the input for attack plugins, that will exploit the vulnerabilities.

14
Plugins | Grep
- These plugins grep every HTTP request and response to try to find interesting information. Examples of grep plugins are:
  - blankBody
  - passwordProfiling
  - privateIP
  - directoryIndexing
  - getMails
  - error500

15
Plugins | Attack
- These plugins read the vuln objects from the KB and try to exploit them. Examples of attack plugins are:
  - sql_webshell
  - davShell
  - sqlmap
  - xssBeef
  - remote file include shell
  - OS Commanding shell

16
Plugins | Others
- Output: they write messages to the console, an HTML file or a text file.
- Mangle: modify requests and responses based on regular expressions.
- Evasion: modify the requests to try to evade WAF detection.
- Bruteforce: they bruteforce logins (form and basic authentication).

17
Tactical Exploitation
w3af has the following features related to tactical exploitation:
- Search virtual hosts in MSN search
- Search email addresses in Google, MSN search and the MIT Public Key Server.
- Password profiling
- Searches archive.org for old versions of the web application, which may now be hidden (not linked).
- Searches Google, MSN search and Yahoo!.

18
Discovery and Bruteforce use case
- The following plugins are enabled:
  - discovery.fingerGoogle
  - discovery.webSpider
  - grep.passwordProfiling
  - bruteforce.formBruteAuth
- The fingerGoogle plugin searches Google in order to find email addresses like [email protected].
- When the target is crawled using webSpider, the passwordProfiling plugin identifies the most common words in the website.
- The bruteforce plugin will use the previously gathered information in the bruteforce process:
  - Usernames: from Google, and default dictionary.
  - Passwords: site (www.domain.com ; domain.com ; domain), most common words from password profiling plugin, default dictionary.
19
from __future__ import *
- Live scan:
  - User browses the website through w3af
  - w3af parses the requests, and sends them to audit plugins in order to find vulnerabilities.
  - The user can view findings in real time, while browsing the target website.
- Better management reporting
- Enhance the MITM Proxy.
- Releasing 1.0 in a few days.


23
Where to start
- Project website: http://w3af.sf.net/
- Two different mailing lists, users and develop.
- IRC channel, #w3af at Freenode.
- Project leader contact: [email protected]

25
Project sponsors

26
¿Questions?

27
http://w3af.sf.net/
28
