W3af

From Linuxmemo.

http://w3af.org/

Web Application Attack and Audit Framework (w3af).

Install

git clone https://github.com/andresriancho/w3af.git
sudo apt-get -y install python-pip
sudo apt-get -y install npm libssl1.0-dev
/tmp/w3af_dependency_install.sh
  • via proxy
vim /tmp/w3af_dependency_install.sh

add the proxy using https

sudo pip install --proxy "https://xxx.xxx.xxx.xxx:8080"  module

if necessary

sudo pip install --proxy "https://xxx.xxx.xxx.xxx:8080" --timeout 30 module

Config

  • plugin output
w3af>>> plugins
w3af/plugins>>> output console,html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>>
w3af/plugins/output/config:html_file>>> help
w3af/plugins/output/config:html_file>>> view
w3af/plugins/output/config:html_file>>> save

output_file ~/report.html File name where this plugin will write to

Startup script

vim basic.w3af # "#" is accepted for comments

plugins
output config html_file
set output_file ~/w3af-report.html
set verbose False
view
back
output config console
set verbose False
view
back
output html_file
list output enabled
back
profiles
use full_audit
back
target
set target 

./w3af_console -s basic.w3af


view
back
output config console
set verbose False
view
back 
output html_file
list output enabled
mangle !all
infrastructure !all
bruteforce !all
audit !all
auth !all
evasion !all
grep !all
crawl !all
crawl content_negotiation digit_sum dir_file_bruter dot_listing find_backdoors find_dvcs genexus_xml robots_txt sitemap_xml url_fuzzer urllist_txt user_dir web_spider wordnet wsdl_finder
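
An added example, not part of the original page or of w3af: a small Python linter for startup scripts like basic.w3af above. It flags a `set` with no value (as in the script's blank `set target` line), an unbalanced `back`, and plugin commands typed outside the plugins menu. The menu model and the name `lint_w3af_script` are assumptions inferred from the script on this page.

```python
# Added example: a small linter for w3af startup scripts. The menu model
# below is an assumption inferred from the script on this page.
ROOT_MENUS = {"plugins", "profiles", "target"}
PLUGIN_TYPES = {"audit", "auth", "bruteforce", "crawl", "evasion", "grep",
                "infrastructure", "mangle", "output"}

def lint_w3af_script(text):
    """Return (line_number, message) findings for a w3af script."""
    findings, menu = [], []          # menu == [] means the root prompt
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):   # blank or comment line
            continue
        cmd, here = words[0], (menu[-1] if menu else "root")
        if cmd == "back":
            if menu:
                menu.pop()
            else:
                findings.append((no, "'back' used at the root menu"))
        elif cmd in ROOT_MENUS and not menu and len(words) == 1:
            menu.append(cmd)
        elif cmd in PLUGIN_TYPES:
            if here != "plugins":
                findings.append((no, "'%s' used outside the plugins menu" % cmd))
            elif len(words) == 3 and words[1] == "config":
                menu.append("config:" + words[2])   # plugin settings sub-menu
        elif cmd == "set":
            if here != "target" and not here.startswith("config:"):
                findings.append((no, "'set' used outside a settings menu"))
            if len(words) < 3:
                findings.append((no, "'%s' has no value" % " ".join(words)))
    return findings

# Excerpt of the script from this page, including its blank 'set target' line.
PAGE_SCRIPT = """\
plugins
output config html_file
set output_file ~/w3af-report.html
back
output html_file
back
profiles
use full_audit
back
target
set target
"""
for no, msg in lint_w3af_script(PAGE_SCRIPT):
    print("line %d: %s" % (no, msg))
```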

Using the console

  • Plugins
crawl desc phpinfo           # show the description of a plugin
crawl phpinfo robots_txt     # enable one or more plugins
crawl !phpinfo               # disable a plugin
crawl all !phpinfo           # enable all plugins except phpinfo
audit config xss      # configure a plugin
view
|-----------------------------------------------------------------------------|
| Setting        | Value | Description                                        |
|-----------------------------------------------------------------------------|
| persistent_xss | True  | Identify persistent cross site scripting           |
|                |       | vulnerabilities                                    |
|-----------------------------------------------------------------------------|
set persistent_xss False
  • profiles
profiles
save_as tutorial self-contained
Profile saved.
~/.w3af/profiles