
Difference between revisions of "OWASP NYC AppSec 2008 Conference-SPEAKER-Andres Riancho"

(Andres Riancho - Bio)
Line 1: Line 1:
 
== Andres Riancho - Bio ==
 
== Andres Riancho - Bio ==
  
Andres Riancho is an experienced penetration tester, information security researcher and programmer. He is the project leader of the [http://w3af.sf.net/ w3af] project; which aims to find and exploit all web application vulnerabilities. Since the public presentation of [http://w3af.sf.net/ w3af] in 2007, Andres has been invited to talk at international information security conferences in Europe, South America and North America.
+
Andres Riancho is an experienced penetration tester, information security researcher and developer. He is the project leader of the [http://w3af.sf.net/ w3af] project; which aims to find and exploit all web application vulnerabilities. Since the public presentation of [http://w3af.sf.net/ w3af] in 2007, Andres has been invited to talk at international information security conferences in Europe, South America and North America.
  
 
== Talk abstract ==
 
== Talk abstract ==

Revision as of 22:36, 29 November 2008

Andres Riancho - Bio

Andres Riancho is an experienced penetration tester, information security researcher and developer. He is the project leader of the w3af project, which aims to find and exploit all web application vulnerabilities. Since the public presentation of w3af in 2007, Andres has been invited to talk at international information security conferences in Europe, South America and North America.

Talk abstract

Web application auditing and exploiting is an art, but even art needs the help of tools to make the process faster and more accurate. Right now open source tools like nikto, wapiti, pantera and others try to find vulnerabilities in web applications but lack many features and configuration options. Commercial tools have the features, at the expense of high product costs, and aren't as dynamic as open source projects.

w3af (Web Application Attack and Audit Framework) is an open source project that aims to automate the detection and exploitation of all web application vulnerabilities. The project's objective is to become an open platform where anyone can contribute code and new techniques. w3af is extended using plugins that are fully written in Python; right now the project has more than 80 plugins and 30K lines of code!

The framework is divided into three phases: discovery, audit and attack. All plugins smoothly communicate with each other and work together to achieve the objective. w3af replaces standalone tools and makes web penetration testing as easy as possible; any weird characteristic can be added as a plugin and consume all the features of the framework.

w3af implements many exploit plugins and features to aid this process; no less important are the discovery and audit plugins that will find those vulnerabilities for you to exploit! w3af: one tool to rule them all.

My talk will introduce this tool to new users, while showing its features and the new GUI.