Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andrés Riancho ariancho cybsec.com w3af – A framework to own the Web CanSecWest 2008 Vancouver, Canada.

Published byScarlett Bennett Modified over 8 years ago

Similar presentations

Presentation on theme: "Andrés Riancho ariancho cybsec.com w3af – A framework to own the Web CanSecWest 2008 Vancouver, Canada."— Presentation transcript:

1 Andrés Riancho ariancho cybsec.com w3af – A framework to own the Web CanSecWest 2008 Vancouver, Canada

2 2 w3af ● w3af stands for Web Application Attack and Audit Framework ● A vulnerability scanner ● An exploitation tool ● An Open Source project (GPLv2) ● A script that evolved into a serious project CYBSEC Security Systems

3 3 Main features ● Finds common and uncommon web application vulnerabilities. ● Cross platform (written in python). ● Uses Tactical exploitation techniques to discover new URLs and vulnerabilities ● pyGTK and console user interface w3af.sf.net

4 4 Main features ● Web Service support ● Exploits [blind] SQL injections, OS commanding, remote file inclusions, local file inclusions, XSS, unsafe file uploads and more! ● WML Support (WAP) ● Really easy to extend ● Synergy among plugins CYBSEC Security Systems

5 5 Main features ● Ability to find vulnerabilities in query string, post data, URL filename ( http://a/f00_injectHere_b4r.do ), headers, file content (when uploading files with forms) JSON and web services. ● Number of plugins: 120+ and growing w3af.sf.net

6 6 Architecture ● w3af is divided in two main parts, the core and the plugins. ● The core coordinates the process and provides features that plugins consume. ● Plugins share information with each other using a knowledge base. ● Design patterns and objects everywhere ! CYBSEC Security Systems

7 7 Architecture ● 8 different types of plugins exist: – discovery – audit – grep – attack w3af.sf.net - output - mangle - evasion - bruteforce

8 8 Plugins | Discovery They find new URLs and create the corresponding fuzzable requests; examples of discovery plugins are: – webSpider – urlFuzzer – googleSpider – pykto CYBSEC Security Systems

9 9 Plugins | Audit They take the output of discovery plugins and find vulnerabilities like: – [blind] SQL injection – XSS – webDav misconfigurations – Response splitting As vulnerabilities are found, they are saved as vuln objects in the knowledge base. w3af.sf.net

10 10 Plugins | Attack These plugins read the vuln objects from the KB and try to exploit them. Examples of attack plugins are: – mySqlWebShell – davShell – sqlmap – xssBeef – remote file include shell CYBSEC Security Systems

11 11./w3af w3af.sf.net

12 12 Virtual daemon ● Ever dreamed about using metasploit payloads to exploit web applications ? NOW you can do it ! ● How it works: – I coded a metasploit plugin, that connects to a virtual daemon and sends the payload. – The virtual daemon is runned by a w3af attack plugin, it receives the payload and creates a tiny ELF / PE executable CYBSEC Security Systems

13 13 Virtual daemon ● How this works (contd.): – The attack plugin knows how to exec remote commands, and the virtual daemon knows how to upload the ELF/PE using “echo” or some other inband or outband method. – A new scheduled task is created to run the payload, and the metasploit plugin is ordered to wait – The payload is run on the remote server. w3af.sf.net

14 14 Virtual daemon ● How this works (contd.): – Normal communication between metasploit and the exploited service follows. CYBSEC Security Systems

15 15 Virtual daemon w3af - Virtual daemon payload w3af – Attack plugin ELF / PE Reverse Shell (interactive!) Metasploit Framework Web Application w3af.sf.net

16 16 Virtual daemon demo! CYBSEC Security Systems

17 17 w3afAgent ● A reverse “VPN” that allows you to continue intruding into the target network. ● How does it work? – I send the w3afAgent client to the target host using a transfer handler (wget, tftp, echo) – The client connects back to w3af, where the w3afAgent server runs a SOCKS daemon. w3af.sf.net

18 18 w3afAgent Web Application w3afAgent Client w3af w3afAgent Client Reverse connection w3afAgent Server w3afAgent Client Data forwarded using reverse connection w3afAgent Server SSH client with socks support SSH server in DMZ CYBSEC Security Systems

19 19 import __future__ ● Javascript support ● More stable core ● More attack plugins, refactoring of attacks. ● Better pyGTK user interface ● Better management report generation ● Long descriptions for vulnerabilities w3af.sf.net

20 20 Project information ● Site – http://w3af.sf.net/ ● Mailing list and sourceforge home – http://sourceforge.net/projects/w3af/ ● It's open source, you should contribute! ● Project leader contact – andres.riancho gmail.com – ariancho cybsec.com CYBSEC Security Systems

21 21 Project sponsors Platinum sponsor w3af.sf.net Gold sponsor

22 22 Questions? Feature requests ? ideas? Bug reports? contributions Rants about web2.0? i want flash support! Web Services hacking.

Download ppt "Andrés Riancho ariancho cybsec.com w3af – A framework to own the Web CanSecWest 2008 Vancouver, Canada."

Similar presentations

A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland - 2009.

A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Client and Server-Side Vulnerabilities Stephen Reese.

Client and Server-Side Vulnerabilities Stephen Reese.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.

INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Penetration testing – W3AF Tool

Penetration testing – W3AF Tool
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room 345 05/11/10.

4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room /11/10.
IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos.

IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos.
Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.

Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Similar presentations

Ads by Google