Web Application AttackWeb Application Attackand Audit Frameworkand Audit Framework

By Prajwal Panchmahalkar

W3af is a well known web attack and auditing framework.

•Very similar to Metasploit framework

W3af combines all necessary actions for a complete web attack.

•Mapping•Discovery•Exploitation

This puts the framework into three major plug-ins.

Web Service Support Exploits

•SQL injections(blind)

• OS commanding

• remote file inclusions

• local file inclusions

• XSS and more

A good harmony among plug-ins.

Discovery PluginDiscovery Plugin•URLS•Injection Points

Audit PluginAudit Plugin•Uses the above injection points•Sends crafted data to find vulnerabilities

Exploit PluginExploit Plugin•Exploits vulnerabilities found•Provides SQL dumps / remote shell is returned

Find all the URLs

•Create Fuzzable requestPlugins:

•WebSpider

•URL fuzzer

•Pykto

•GoogleFuzzer

They use the discovery plug-in outputs and find their respective vulnerabilities

•SQL Injection (blind)

•XSS

•Buffer Overflow

•Response Splitting

Grep every HTTP request and response

•findComments•passwordProfiling•privateIP•DirectoryIndexing•Getmails•lang

BruteForce•Bruteforce logins

Evasion•Modify the request to evade IDS detection

Mangle•Modify requests/responses based on regular expressions.

Output•Write logs .

Prajwal Panchmahalkar

Team : Matriux ,n|u

l30@null.co.in

THANKS TOTHANKS TO

ALLALL