Scanning with w3af

W3af stands for Web Application Attack and Audit Framework. It is an open source, Python-based Web vulnerability scanner. It has a GUI and a command-line interface, both with the same functionality. In this recipe, we will perform a vulnerability scan using W3af's GUI to configure the scanning and reporting options.

How to do it...

  1. To start W3af, we can select it from the Applications menu by navigating to Applications | 03 Web Application Analysis | w3af, or we can launch it from the terminal:
    w3af_gui
    
  2. In the Profiles section, we select full_audit.
  3. In the Plugins section, expand crawl and select web_spider (it is already checked, because the full_audit profile enables it).
  4. We don't want the scanner to test the whole server, just the application we tell it to. In the plugin's configuration panel on the right, check the only_forward option and click on Save.
  5. Now, we will tell W3af to generate an HTML report when the scan is finished. Go to the output plugins and check html_file.
  6. To select the file name and where to save the report, modify the output_file option. Here we will use w3af_report.html in root's home. Click on Save.
  7. Now, in the Target text box write the URL you want to test, which is http://192.168.56.102/WackoPicko/ in this case, and click on Start.
  8. The log tab will gain focus and we will be able to see the progress of our scan. We will wait for it to finish.
  9. When it is finished, switch to the Results tab to review the findings.
  10. To view the generated report, open the HTML file (w3af_report.html) in your browser.

How it works...

W3af uses profiles to simplify the task of selecting plugins for a scan; for example, one can define a SQL-injection-only profile that tests applications for SQL injection and nothing else. The full_audit profile enables the plugins that crawl the application, a plugin that extracts a list of words from the site that could be used as candidate passwords, and the audit plugins that test for the most relevant Web vulnerabilities, such as XSS, SQL injection, file inclusion, and directory traversal. We configured the web_spider plugin to crawl only forward from the target URL, so that other applications hosted on the same server are not scanned and the scan stays focused on the one we want to test. We also enabled an output plugin that generates an HTML report, in addition to the console output and text files.
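The only_forward option is a crawl-scope rule: a discovered link is followed only if it resolves to the same origin as the target (scheme, host, and port) and its path lies under the target's directory. The following Python example is added here to illustrate that rule; it is not w3af's own code, and its function names (in_scope, scan_root, filter_links) are this example's. It uses the recipe's target URL and a constructed list of links, and it handles the cases a scope check has to get right: relative links, ../ segments that escape the directory, the same host on a different scheme or port, and non-HTTP links.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    http://host/ and http://host:80/ compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def clean_path(path):
    """Collapse '.' and '..' so that /WackoPicko/../dvwa/ is seen as /dvwa/.
    A trailing slash is kept because it marks a directory."""
    path = path or "/"
    cleaned = posixpath.normpath(path)
    if path.endswith("/") and not cleaned.endswith("/"):
        cleaned += "/"
    return cleaned


def scan_root(target):
    """Directory the forward-only crawl is rooted at.

    A target that names a file (http://h/WackoPicko/index.php) is rooted at
    its directory, /WackoPicko/. A target without a trailing slash
    (http://h/WackoPicko) names a resource in /, so it is rooted at /, which
    is why the recipe gives the target with the slash."""
    path = clean_path(urlsplit(target).path)
    return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"


def in_scope(target, found, base=None, only_forward=True):
    """Decide whether a link discovered while crawling should be requested.

    found may be relative; base is the page it was found on (defaults to
    target). Without only_forward anything on the same origin is in scope;
    with it the resolved path must also be under scan_root(target)."""
    absolute = urljoin(base or target, found)
    if origin(absolute) != origin(target):
        return False  # other host, scheme or port, or not an HTTP URL at all
    if not only_forward:
        return True
    return clean_path(urlsplit(absolute).path).startswith(scan_root(target))


def filter_links(target, links, only_forward=True):
    """Return the links that would be queued, in order, without duplicates."""
    queued, seen = [], set()
    for link in links:
        absolute = urljoin(target, link)
        if absolute not in seen and in_scope(target, link, only_forward=only_forward):
            seen.add(absolute)
            queued.append(absolute)
    return queued


if __name__ == "__main__":
    TARGET = "http://192.168.56.102/WackoPicko/"
    # Constructed link list, as a spider might find it on the WackoPicko front page.
    FOUND = [
        "users/login.php",                                   # relative, in scope
        "/WackoPicko/pictures/recent.php",                   # absolute path, in scope
        "http://192.168.56.102:80/WackoPicko/admin/",        # explicit default port, in scope
        "../dvwa/login.php",                                 # escapes the directory
        "http://192.168.56.102/WackoPicko/../mutillidae/",   # escapes via dot segments
        "https://192.168.56.102/WackoPicko/",                # different scheme
        "http://192.168.56.102:8080/WackoPicko/",            # different port
        "http://example.com/WackoPicko/",                    # different host
        "mailto:admin@example.com",                          # not HTTP
    ]
    for url in filter_links(TARGET, FOUND):
        print(url)
```

Run stand-alone, the script prints only the first three links. Note the trailing slash on the target: with only_forward set, a target of http://192.168.56.102/WackoPicko (no slash) would be rooted at / and the whole server would be crawled, which is exactly what the option is meant to prevent.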

W3af also has tools such as an intercepting proxy, a fuzzer, a text encoder/decoder, and a request exporter that converts a raw request into source code in multiple languages.

There's more...

W3af's GUI may be a little unstable sometimes. When it crashes and is unable to finish a scan, the command-line interface (CLI), which has the exact same functionality, can be used instead. For example, to perform the same scan we just did, run the first line from a terminal and type the remaining commands at the w3af prompt:

w3af_console
profiles
use full_audit
back
plugins
output config html_file
set output_file /root/w3af_report.html
save
back
crawl config web_spider
set only_forward True
save
back
back
target
set target http://192.168.56.102/WackoPicko/
save
back
start