2007-10-19

W3AF Tutorial (Part 2)

Overview
In the previous article we started a basic audit with w3af. In this article we are going to discuss writing scripts to start an audit, and then we will look at some of the useful tools included in w3af. The next article will hopefully be about writing plugins, so stay tuned for that. A new version was released on Oct 18th. This article deals with the previous version, but none of the topics I have discussed have changed.

Writing StartUp scripts
If you have an audit configuration that you use over and over, then scripts are a necessity. It is a pain to have to set the same options for your output, audit and discovery features every time when all you change is the target. We will start with a script that you can configure to meet your needs.

Create a file with any name; I will call mine basic.w3af. You write the script the same way you would actually navigate through w3af to set the settings. So the script below sets all our audit, discovery, and output plugins so that these do not need to be configured by hand after we start w3af.

# Basic startup script
plugins
output console,htmlFile
output
output config htmlFile
set verbosity 10
back
output config console
set verbosity 5
back

# could change this to audit all but just doing Cross Site Scripting Now
audit xss
audit

discovery webSpider,pykto,hmap,allowedMethods
discovery
back

target
set target http://localhost:8081
back


You can also add start to the end of this file and it will automatically start auditing the target when run. To run, just type:
>./w3af -s basic.w3af

Looks like this:
$ ./w3af -s basic.w3af
w3af>>> plugins
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> set verbosity 10
w3af/plugin/htmlFile>>> back
w3af/plugins>>> output config console
w3af/plugin/console>>> set verbosity 5
w3af/plugin/console>>> back
w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap,allowedMethods
w3af/plugins>>> discovery
Enabled discovery plugins:
allowedMethods
webSpider
hmap
pykto
w3af/plugins>>> back
w3af>>> target
w3af/target>>> set target http://localhost:8081
w3af/target>>> back
w3af>>>




Now just type start and your audit will begin.


Tools included in w3af
There are a few really useful tools in w3af. Move to the tools folder and list them:


w3af/tools>>> list
base64decode
base64encode
gencc
md5hash
sha1hash
urldecode
urlencode
w3af/tools>>>


With w3af you can generate credit card numbers and hashes. Open w3af and navigate to the tools folder. The gencc command generates credit card numbers for testing applications or whatever else you need them for. It will generate numbers for the following card types:
- mastercard
- visa16
- visa13
- amex
- discover
- diners
- enRoute
- jcb15
- jcb16
- voyager

Run the following command to create a 16-digit Visa card number.


w3af/tools>>> run gencc -t visa16
Generated VISA 16 digit card:
4916740510259019
w3af/tools>>>


Create a SHA-1 hash as follows:

w3af/tools>>> run sha1hash -e 49167405102590194916740510259019
4b52f4ce218c72a18e644f40550b2966767137c9
w3af/tools>>>


It also has tools to perform URL encoding and decoding, which can come in handy when testing or auditing an application. These commands are simple enough:

w3af/tools>>> run urlencode
w3af - urlencoder

Options:
-h Print this help message.
-s Characters that should not be encoded, default is / .
-e String to be encoded.

Example: urlencode -s &% -e encodeMeNow



w3af/tools>>> run urldecode
w3af - urldecoder

Options:
-h Print this help message.
-d String to be decoded.

Example: urldecode -d decodeMeNow
w3af/tools>>>
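As an added example (not code from this post or from w3af itself), the following Python implements the two checks behind the tools shown above: a Luhn validator that shows the gencc number printed above is only format-valid, and a percent-encoder/decoder whose `safe` parameter is assumed to mirror the -s option of the urlencode tool (the tool's exact reserved set is not shown on this page).

```python
import re

# Sample input: the 16-digit Visa number gencc printed on this page.
SAMPLE_VISA16 = "4916740510259019"


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check.

    gencc emits numbers that satisfy this check, which is all a format
    validator can confirm; passing says nothing about a real account.
    """
    if not re.fullmatch(r"[0-9]{2,}", number):
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second one.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def url_encode(text: str, safe: str = "/") -> str:
    """Percent-encode text, leaving ASCII letters, digits and `safe` alone.

    Assumption: mirrors the -s option of w3af's urlencode tool (default "/").
    """
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if (byte < 128 and ch.isalnum()) or ch in safe:
            out.append(ch)
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def url_decode(text: str) -> str:
    """Decode %XX escapes; a malformed escape such as "100%" stays literal."""
    buf = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", text[i + 1:i + 3]):
            buf.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(text[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")
```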



That’s all I have so far. Currently working on w3af plugins and should have something ready soon to show. Please add any comments if you may have something to contribute or find any inaccuracies.


5 comments:

CG said...

good post, the output you listed doesn't match your script for the output plugins though...

w3af>>> plugins
w3af/plugins>>> output console,textFile
w3af/plugins>>> output
Enabled output plugins:
textFile
console
w3af/plugins>>> output config textFile
w3af/plugin/textFile>>> set fileName output-w3af.txt
w3af/plugin/textFile>>> set verbosity 10
w3af/plugin/textFile>>> back
w3af/plugins>>> output config console
w3af/plugin/console>>> set verbosity 0

ascetik said...

Good catch. You're right. I have two scripts named basic.w3af in different folders. I ran the wrong one. Sorry about that. I will update it later today.
Thanks!

ascetik said...

Finally got around to updating this post. The output now matches the script file.

CG said...

Cool thanks.

keep up the good work!

fuzion said...

I did a small writeup on the new w3af GTK interface:
http://fuzion.rootmybox.org/?p=11