Testing your web application for vulnerabilities | Part 1

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. It is developed in Python to be easy to use and extend, and is licensed under GPLv2.0. w3af is fully extensible: if you need a plugin that is not available, you can simply create it yourself. w3af is already installed in BackTrack 5.
 

> Open your BackTrack VM
 

> Select Applications -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Vulnerability Scanners -> w3af console or w3af gui.
 

In the example below we are going to use w3af’s web spider-crawler plugin.
 

Open w3af console and follow these steps to crawl your target.
 

Set your target

target

press enter.
 

set target http://target_url

press enter.
 

Go back

back

press enter.
 

Configure plugin

plugins

press enter.
 

discovery config webSpider

press enter.
 

view

press enter. For our example we are going to leave everything as it is.
 

Go back

back

press enter.
 

Enable webSpider plugin

discovery webSpider

press enter.
 

Check which discovery plugins are enabled

list discovery enabled

press enter. You should see webSpider in the list!
 

Select report format

output htmlFile

press enter. There are 8 format types. Type help for more info.
 

Start crawling

Go back

back

press enter.
 

start

press enter.
 

You can get more help on any step by executing

help

To cancel scanning, press Ctrl+C and then Enter.
 

View the results

Open the file report.html in the folder /pentest/web/w3af.
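The console steps above can be generated as a single script once the target has been checked against a list of hosts you are allowed to test. This is an added example, not part of the original post or of w3af itself; the function names, `AUTHORIZED_HOSTS` and the host names are assumptions constructed for illustration, and only console commands shown in the walkthrough are emitted.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): hosts you are authorized to test.
AUTHORIZED_HOSTS = {"testapp.example.internal", "127.0.0.1"}


def validate_target(url, authorized=AUTHORIZED_HOSTS):
    """Return the URL if it is in scope, otherwise raise ValueError."""
    # Whitespace or newlines would be read by the console as extra
    # arguments or extra commands, so reject them before parsing.
    if any(ch.isspace() for ch in url):
        raise ValueError("whitespace is not allowed in the target URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    # Compare the parsed host, not a substring of the URL, so that
    # http://allowed-host@other-host/ is judged by other-host.
    host = (parts.hostname or "").lower()
    if host not in authorized:
        raise ValueError("host not in authorized scope: %r" % host)
    return parts.geturl()


def build_w3af_script(url, authorized=AUTHORIZED_HOSTS):
    """Build the walkthrough's command sequence for one in-scope target."""
    target = validate_target(url, authorized)
    commands = [
        "target",
        "set target %s" % target,
        "back",
        "plugins",
        "discovery webSpider",
        "list discovery enabled",
        "output htmlFile",
        "back",
        "start",
    ]
    return "\n".join(commands) + "\n"


if __name__ == "__main__":
    print(build_w3af_script("http://testapp.example.internal/"))
```

Save the output to a file and pass it to the console with its script option (`w3af_console -s <file>`), or paste the lines into the console one at a time.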
