Automated Audit using w3af

This article aims to give development teams an easy and quick way to run automated audit tests against their web application projects during the implementation phase.

This page still needs some work and better documentation, but it is intended to be a resource similar to the skipfish page.

Description
The objective of this page is to show a sample w3af script that automates the audit of a web application.

Description taken from the project website: w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

w3af homepage.

This script does not replace a manual audit, but it is useful as a first validation pass.

Command To Run
w3af_console.bat -s my_site.w3af -n

Contents of my_site.w3af (one w3af console command per line, exactly as you would type them interactively):

plugins
output console,xmlFile
output config xmlFile
set fileName my_site.xml
set verbose True
back
output config console
set verbose False
back
audit xss sqli blindSqli xsrf responseSplitting xpath osCommanding eval formatString LDAPi
discovery webSpider
discovery config webSpider
set onlyForward True
back
back
target
set target http://my_site/index.php
back
http-settings
set maxRetrys 0
set timeout 3
back
start
exit
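To make the scan something the development team can gate a build on, here is an added example (not part of this page or of w3af itself) that reads the my_site.xml report written by the xmlFile output plugin and exits non-zero when a finding of Medium or higher severity is present. The element and attribute names (w3afrun, vulnerability, severity, plugin, url, name) are assumed from the xmlFile format as I recall it and should be checked against a real report before relying on this; the embedded report is constructed, not real scanner output.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report in the ASSUMED xmlFile layout (not real w3af output).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<w3afrun start="0" version="1.0">
  <vulnerability name="Cross site scripting vulnerability" severity="Medium"
                 plugin="xss" url="http://my_site/index.php" method="GET" var="q">
    <description>Reflected XSS in parameter q.</description>
  </vulnerability>
  <vulnerability name="SQL injection" severity="High"
                 plugin="sqli" url="http://my_site/index.php" method="POST" var="id">
    <description>Error-based SQL injection in parameter id.</description>
  </vulnerability>
  <information name="Server header" plugin="serverHeader" url="http://my_site/">
    <description>Server: Apache</description>
  </information>
</w3afrun>
"""

# Ranking used to compare against the gating threshold; unknown values count as Low.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

def load_findings(xml_text):
    """Return (severity, plugin, url, name) for every <vulnerability> element."""
    root = ET.fromstring(xml_text)
    return [(v.get("severity", "Low"), v.get("plugin", "?"),
             v.get("url", "?"), v.get("name", "?"))
            for v in root.iter("vulnerability")]

def should_fail(findings, threshold="Medium"):
    """True if any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(sev, 1) >= limit for sev, *_ in findings)

def summarize(findings):
    """Count findings per severity label."""
    return Counter(sev for sev, *_ in findings)

def main(path=None):
    # Read a real my_site.xml when a path is given, else use the constructed sample.
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    findings = load_findings(text)
    for sev, plugin, url, name in findings:
        print(f"[{sev}] {plugin}: {name} at {url}")
    print(dict(summarize(findings)))
    return 1 if should_fail(findings) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python gate.py my_site.xml` after the w3af command above finishes; the exit status lets a build job fail on findings while the console output still lists them for the developer.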