Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration testing – W3AF Tool

Published byLeonard George Modified over 9 years ago

Similar presentations

Presentation on theme: "Penetration testing – W3AF Tool"— Presentation transcript:

1 Penetration testing – W3AF Tool
Pinzariu Marian – MISS 2 George Blendea – MISS 2

2 W3AF – About W3AF = Web Application Attack and Audit Framework
Started in 2006 as an Open Source Project Licensed under GPLv2.0 Entirely written using Python Recently the adopted development process was TDD (Test Driven Development)

3 W3AF – Objectives Create the biggest community of Web Application Hackers Become the best Open Source Web Application Scanner Become the best Web Application Exploitation Framework Combine static code analysis and black box testing into one framework

4 W3AF – Extensible with Plugins

5 W3AF – Vulnerability Detection (Over 200)
SQL Injection Cross Site Scripting/Cross-Site Request Forgery DOM XSS Buffer Overflow Brute Force Authentication Click Jacking Cross Domain Command Injection XPath Injection … and so on

6 W3AF – Supported Platforms
All Python supported platforms Has been tested in various Linux Distributions, Mac OSX, FreeBSD and OpenBSD Windows compatible, but not officially supported

7 W3AF – Ranking on sectools.org
From 125 tools

8 W3AF – Installation

9 W3AF Usage – Find XSS and SQL injections
1) Set Target URL

10 W3AF Usage – Find XSS and SQL injections
2) Activate plugins for vulnerabilities that we want to detect

11 W3AF Usage – Find XSS and SQL injections
3) Save current settings (Optional)

12 W3AF Usage – Find XSS and SQL injections
4) Click “Play” and explore the results

13 Use case 1 – Full audit Contains scans for a number of vulnerabilities
Xss, sqli, csrf, brute force

14 Use case 1 – Full audit Results are offered in tree view after scan is completed

15 Use case 1 – Full audit Request and location is indicated
alongside the tree view

16 Use case 1 – Full audit The w3af UI also returns an URL
map on scan completion

17 USE Case 2 – Brute force – Console interface
The console interface is straightforward For performing a bruteforce vulnerability scan the brutefoce plugins have to be enabled Auth plugins can also be enabled for a deeper scan

18 USE Case 2 – Brute force – Console interface
Once the target is set we can run the scan

19 W3AF – Comparison with other tools
W3AF, Wapiti, Arachni, Websecurify, JSky

20 W3AF – Comparison with other tools

21 W3AF – Comparison with other tools

22 W3AF – Comparison with other tools
3/4

23 W3AF – Comparison with other tools
Place 5/5

24 W3AF – Advantages/Disadvantages
Advantage: very modular and flexible (python plugins are easy to integrate) Disadvantage: not mature enough (number of false negatives is still high )

25 Thank you for your time!

Download ppt "Penetration testing – W3AF Tool"

Similar presentations

A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland - 2009.

A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland
Webgoat.

Webgoat.
Fuzzing for logic and state issues

Fuzzing for logic and state issues
Testing Web Applications & Services Testing Web Applications & Web Services.

Testing Web Applications & Services Testing Web Applications & Web Services.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
OUCC 2015 Inspiring Innovation Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing.

OUCC 2015 Inspiring Innovation Presentation: Secure Web Apps via Language Security Checklists, Project Management Principles, and Cyclic App Pen Testing.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training

Similar presentations

Ads by Google