Automated Audit using w3af

From OWASP
Revision as of 15:18, 1 May 2012 by Dancornell (Talk | contribs)

This article aims to give development teams an easy and quick way to run automated audit
tests against their web application projects during the implementation phase.

This page still needs some work and better documentation, but it is intended to be a resource similar to this skipfish page.

Description

The objective of this page is to show a sample w3af script that automates the audit of a web application.

Description taken from the w3af website:

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework
to find and exploit web application vulnerabilities that is easy to use and extend.

w3af homepage.


This script does not replace a manual audit, but it is useful as a first validation pass before a tester looks at the application.

Command To Run

w3af_console.bat -s my_site.w3af -n

The -s option runs the commands in my_site.w3af without an interactive session, and -n skips the update check at startup, so the command can be placed in a build job or cron entry. w3af_console.bat is the Windows launcher; on Linux and other Unix systems the equivalent is ./w3af_console with the same options.

Contents of my_site.w3af

Read top to bottom, the script enables the console and xmlFile output plugins (the XML report goes to my_site.xml with verbose set to True, while the console output is kept quiet), enables a set of audit plugins covering the common injection classes, and enables the webSpider discovery plugin with onlyForward set so that the crawl stays below the target URL and does not wander into other parts of the site or onto other hosts. The http-settings values are tuned for speed: timeout 3 with maxRetrys 0 means any request that takes longer than three seconds is dropped and never retried, which keeps the run short but silently skips pages of a slow application, so raise both for anything that is not a fast local deployment. The plugin names are those of the w3af version current when this page was written; later releases renamed them (discovery became crawl, webSpider became web_spider, blindSqli became blind_sqli, xmlFile became xml_file, xsrf became csrf), so check the plugin lists of the installed version before reusing the script.

plugins
    output console,xmlFile
    output config xmlFile
        set fileName my_site.xml
        set verbose True
        back
    output config console
        set verbose False
        back
    audit xss sqli blindSqli xsrf responseSplitting xpath osCommanding eval formatString LDAPi
    discovery webSpider
    discovery config webSpider
        set onlyForward True
        back
    back
target
    set target http://my_site/index.php
    back
http-settings
    set maxRetrys 0
    set timeout 3
    back
start
exit
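As an added example (not from the original page or the w3af project), the following Python script triages the my_site.xml report that the xmlFile output plugin writes, so that the scan from the script above can fail a build when a finding at or above a chosen severity appears instead of being read by hand. The report layout it parses (a w3afrun root holding vulnerability and information elements with plugin, name, severity, url, var and method attributes) is an assumption about the xmlFile format and should be checked against a real report; the embedded sample report is constructed, not real scanner output.

```python
"""Triage a w3af XML report (the my_site.xml written by the xmlFile output
plugin) and decide whether the build should fail.

Added example, not code from w3af or the original page. The element and
attribute names below are an assumption about the xmlFile report layout;
compare them with a real my_site.xml before relying on this.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (not real scanner output) in the assumed layout.
# Finding [3] repeats [2]: the scanner can record several entries for the
# same injectable parameter, one per successful payload.
SAMPLE_REPORT = """<w3afrun start="1335877200" version="1.1">
  <vulnerability id="[1]" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://my_site/index.php" var="id">
    <description>SQL injection in a MySQL database was found at: "http://my_site/index.php", using HTTP method GET.</description>
  </vulnerability>
  <vulnerability id="[2]" method="GET" name="Cross site scripting vulnerability"
                 plugin="xss" severity="Medium" url="http://my_site/index.php" var="q">
    <description>Cross Site Scripting was found in parameter "q".</description>
  </vulnerability>
  <vulnerability id="[3]" method="GET" name="Cross site scripting vulnerability"
                 plugin="xss" severity="Medium" url="http://my_site/index.php" var="q">
    <description>Same parameter, different payload.</description>
  </vulnerability>
  <information id="[4]" name="Server header" plugin="serverHeader"
               severity="Information" url="http://my_site/index.php">
    <description>The server header for the remote web server is: Apache</description>
  </information>
</w3afrun>
"""

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}


def parse_findings(xml_text):
    """Return one dict per <vulnerability>/<information> element in the report."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag not in ("vulnerability", "information"):
            continue
        desc = elem.find("description")
        findings.append({
            "plugin": elem.get("plugin", ""),
            "name": elem.get("name", ""),
            "severity": elem.get("severity", "Information"),
            "url": elem.get("url", ""),
            "var": elem.get("var", ""),
            "method": elem.get("method", ""),
            "description": (desc.text or "").strip() if desc is not None else "",
        })
    return findings


def dedupe(findings):
    """Collapse repeated findings for the same plugin/method/url/parameter,
    keeping the first one seen."""
    unique = {}
    for f in findings:
        key = (f["plugin"], f["method"], f["url"], f["var"])
        unique.setdefault(key, f)
    return list(unique.values())


def severity_counts(findings):
    """Number of findings per severity label."""
    return Counter(f["severity"] for f in findings)


def should_fail_build(findings, threshold="High"):
    """True when any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= limit for f in findings)


def triage(xml_text, threshold="High"):
    """Parse, dedupe and rank a report; returns findings plus the fail verdict."""
    findings = dedupe(parse_findings(xml_text))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 0), reverse=True)
    return {
        "findings": findings,
        "by_severity": dict(severity_counts(findings)),
        "fail": should_fail_build(findings, threshold),
    }


def main(argv):
    # Usage: python triage_w3af.py [my_site.xml] [threshold]. Without arguments
    # the constructed sample is used so the script can be tried offline.
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "High"
    result = triage(xml_text, threshold)
    for f in result["findings"]:
        print(f'{f["severity"]:<12} {f["plugin"]:<12} {f["method"]} {f["url"]} {f["var"]}')
    print("by severity:", result["by_severity"])
    return 1 if result["fail"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python triage_w3af.py my_site.xml from the directory where w3af wrote the report; the exit status is 1 when a finding at or above the threshold is present, so it can follow the w3af_console command directly in a build step. Findings are collapsed per plugin, method, URL and parameter so that one injectable parameter hit by several payloads counts once.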