w3af - Web Application Attack and Audit Framework

A pretty cool tool was released a while back called w3af (Web Application Attack and Audit Framework), a fully automated framework for auditing and exploiting web applications. It has been in development for almost a year and currently has the following features:

Audit

* SQL injection detection
* XSS detection
* SSI detection
* Local file include detection
* Remote file include detection
* Buffer Overflow detection
* Format String bug detection
* OS Commanding detection
* Response Splitting detection
* LDAP Injection detection
* Basic Authentication brute force
* File upload inside webroot
* htaccess LIMIT misconfiguration
* SSL certificate validation
* XPATH injection detection
* unSSL (checks whether documents served over HTTPS can also be fetched over plain HTTP)
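To make the audit side concrete, here is an added example (not w3af's own code) of the kind of check behind an XSS detection plugin: a unique marker is wrapped around the characters that matter for injection, the parameter is sent, and the response is inspected to see which of those characters came back unencoded. The two handlers are constructed stand-ins for an application, one reflecting the parameter raw and one encoding it; a real scanner would issue the HTTP request instead.

```python
import html
import random
import string

# Constructed stand-ins for the application under test (assumption: no network;
# a handler takes the query parameters as a dict and returns the response body).
def vulnerable_search(params):
    # Reflects the "q" parameter straight into the HTML: reflected XSS.
    return "<html><body><p>Results for: %s</p></body></html>" % params.get("q", "")

def hardened_search(params):
    # Same page with output encoding; quote=True also encodes " and '.
    return "<html><body><p>Results for: %s</p></body></html>" % html.escape(
        params.get("q", ""), quote=True)

SPECIAL = '<>"\''   # characters that decide whether a reflection is exploitable

def find_unescaped(handler, param, rng=None):
    """Send a unique marker around the special characters, locate the marker in
    the response and report which characters survived unencoded.

    Returns None if the parameter is not reflected at all, otherwise the set of
    characters that came back raw (an empty set means reflected but encoded).
    """
    rng = rng or random.Random()

    def token():
        return "".join(rng.choice(string.ascii_lowercase) for _ in range(8))

    left, right = token(), token()
    body = handler({param: left + SPECIAL + right})
    start = body.find(left)
    end = body.find(right, start + len(left)) if start != -1 else -1
    if start == -1 or end == -1:
        return None
    reflected = body[start + len(left):end]
    return {c for c in SPECIAL if c in reflected}

if __name__ == "__main__":
    print("vulnerable:", find_unescaped(vulnerable_search, "q"))
    print("hardened:  ", find_unescaped(hardened_search, "q"))
```

Reporting the surviving characters rather than a yes/no matters in practice: a filter that strips `<` and `>` but leaves quotes alone still allows attribute-context injection, and the result set tells you which contexts to try.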

Discovery

* Pykto, a Nikto port to Python.
* Hmap, HTTP fingerprinting.
* fingerGoogle, uses Google to find valid user accounts.
* googleSpider, a spider that uses Google.
* webSpider, a classic web spider.
* robotsReader, reads robots.txt.
* urlFuzzer
* serverHeader, fetches the Server header.
* allowedMethods, gets a list of allowed HTTP methods.
* crossDomain, fetches and parses the Flash crossdomain.xml file.
* error404page, generates a regular expression to match 404 pages.
* sitemapReader, reads and parses the site's sitemap.xml (Google Sitemaps format).
* spiderMan, finds new URLs for auditing by routing a human's browsing through a local proxy.
* webDiff, finds differences between a local and a remote directory.
* wsdlFinder, finds and parses WSDL and DISCO files.
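The error404page entry above deserves a closer look, because every spider and fuzzer in the list depends on it: many servers answer missing pages with HTTP 200 and a custom error page (a "soft 404"), so a status-code check alone would report every fuzzed path as existing. The following is an added example (not w3af's code) of the technique: request a few random paths, strip the echoed path from each response, keep only the text common to all of them, and turn that into a regular expression. `fake_fetch` and `SITE` are constructed stand-ins for an HTTP client and a target; a real implementation would do the request.

```python
import difflib
import itertools
import random
import re
import string

# Constructed stand-in for an HTTP client (assumption: no network). Two real
# pages exist; every other path gets HTTP 200 and a templated error page with a
# varying request id, i.e. a soft 404 that a status-code check would miss.
SITE = {
    "/": "<html><body><h1>Welcome</h1><p>Home page</p></body></html>",
    "/admin/": "<html><body><h1>Admin login</h1><form>...</form></body></html>",
}
_request_ids = itertools.count(1)   # stands in for a per-request id on the error page

def fake_fetch(path):
    """Return (status, body) the way an HTTP client would."""
    if path in SITE:
        return 200, SITE[path]
    return 200, ("<html><body><h1>Oops</h1><p>The page %s was not found on this "
                 "server.</p><p>Request id: %d</p></body></html>"
                 % (path, next(_request_ids)))

PROBES = 4      # random paths to request
MIN_BLOCK = 8   # ignore common substrings shorter than this (coincidental matches)

def random_path(rng):
    # Vary length and extension so the probes themselves do not look alike.
    name = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(8, 16)))
    return "/" + name + rng.choice(["", ".html", ".php", "/"])

def normalize(body, path):
    # Error pages usually echo the requested path; strip it so the probe's random
    # name does not end up in the fingerprint and real paths still match later.
    return body.replace(path, "") if len(path) > 1 else body

def build_404_fingerprint(fetch, rng=None):
    """Request random paths and return a compiled regex matching the error
    template. Returns None when the server sends a real 404 status (no
    fingerprint needed) or when the responses share no text (cannot fingerprint)."""
    rng = rng or random.Random()
    bodies = []
    for _ in range(PROBES):
        path = random_path(rng)
        status, body = fetch(path)
        if status == 404:
            return None
        bodies.append(normalize(body, path))
    # Keep only text common to every probe response; everything else becomes ".*?".
    pieces = [bodies[0]]
    for body in bodies[1:]:
        next_pieces = []
        for piece in pieces:
            sm = difflib.SequenceMatcher(None, piece, body, autojunk=False)
            next_pieces.extend(piece[a:a + n] for a, _, n in sm.get_matching_blocks()
                               if n >= MIN_BLOCK)
        pieces = next_pieces
    if not pieces:
        return None
    return re.compile(".*?".join(re.escape(p) for p in pieces), re.DOTALL)

def is_404(fetch, fingerprint, path):
    """True when the response is a real 404 or matches the soft-404 template."""
    status, body = fetch(path)
    if status == 404:
        return True
    return fingerprint is not None and fingerprint.search(normalize(body, path)) is not None

if __name__ == "__main__":
    fp = build_404_fingerprint(fake_fetch)
    for p in ["/", "/admin/", "/backup.zip"]:
        print(p, "missing" if is_404(fake_fetch, fp, p) else "exists")
```

Two caveats a practitioner will hit immediately: the echoed path must be stripped before diffing (otherwise the probes' random names, or a shared prefix like `w3af_`, become part of the "template" and real missing paths never match), and many servers serve a different error page per extension or for directories than for files, so the probes are best grouped by extension and a fingerprint built for each group rather than one for the whole site.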

The framework is extended using plug-ins and is completely written in Python.

You can download w3af here:

w3af BETA 4

Or read more here.
