Automated Audit using W3AF

Last revision (mm/dd/yy): 01/12/2012

Description
This page have to objective to show a W3AF sample script to automate audit of a web application.

W3AF is a free and open source Web Application Attack and Audit Framework (W3AF homepage).

This script do not replace a manual audit but can be useful to perform a first validation.

Script content
http-settings set timeout 60 back plugins discovery serverHeader, dotNetErrors, webSpider discovery config serverHeader set execOneTime True back discovery config webSpider set onlyForward False set followRegex .* back audit LDAPi,eval,frontpage,generic,globalRedirect,phishingVector,responseSplitting,sqli,xpath,xsrf,xss,xst audit config xss set numberOfChecks 15 back grep error500, domXss, metaTags, dotNetEventValidation, findComments, pathDisclosure, collectCookies, errorPages, httpAuthDetect grep config domXss set simpleGrep False set smartGrep True back grep config metaTags set search404 False back grep config findComments set search404 False back output htmlFile output config htmlFile set fileName /tmp/W3afReport.html set verbose False back back target set target PUT_YOUR_SITE_URL_HERE back start exit
 * 1)                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
 * 1)                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
 * 1) Step 1 : Configure DISCOVERY plugins
 * 1) Step 2 : Configure AUDIT plugins
 * 1) Step 3 : Configure GREP plugins
 * 1) Step 4 : Configure OUTPUT plugins
 * 1) Step 5 : Define target URL
 * 1) Step 6 : Start audit

Script run
./w3af_console ­-s MyScript.w3af After the script runs, the audit report is available in the location defined in clause "set fileName" ("/tmp/W3afReport.html" in the script example).

Script edition
You can find below a highlighter for Notepad++ in order to help to edit W3AF script (copy/paste content into a file and import it into Notepad++).         000000    <Keywords name="Comment"> 1 2 0#</Keywords> <Keywords name="Words1">start plugins exploit profiles http&#x00AD;settings misc&#x00AD;settings target back assert help version keys view set</Keywords> <Keywords name="Words2">mangle evasion discovery grep bruteforce audit output</Keywords> <Keywords name="Words3"></Keywords> <Keywords name="Words4"></Keywords> </KeywordLists> <Styles> <WordsStyle name="DEFAULT" styleID="11" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="FOLDEROPEN" styleID="12" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="FOLDERCLOSE" styleID="13" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="KEYWORD1" styleID="5" fgColor="000080" bgColor="FFFFFF" fontStyle="3" /> <WordsStyle name="KEYWORD2" styleID="6" fgColor="800040" bgColor="FFFFFF" fontStyle="3" /> <WordsStyle name="KEYWORD3" styleID="7" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="KEYWORD4" styleID="8" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="COMMENT" styleID="1" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="COMMENT LINE" styleID="2" fgColor="008040" bgColor="FFFFFF" fontStyle="1" /> <WordsStyle name="NUMBER" styleID="4" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="OPERATOR" styleID="10" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="DELIMINER1" styleID="14" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="DELIMINER2" styleID="15" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> <WordsStyle name="DELIMINER3" styleID="16" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> </Styles> </UserLang> </NotepadPlus>