This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Automated Audit using W3AF"
(Page creation) |
(Add notepad++ highlighter) |
||
Line 66: | Line 66: | ||
</pre> | </pre> | ||
After the script runs, the audit report is available in the location defined in clause "'''set fileName'''" ("'''/tmp/W3afReport.html'''" in the script example). | After the script runs, the audit report is available in the location defined in clause "'''set fileName'''" ("'''/tmp/W3afReport.html'''" in the script example). | ||
+ | |||
+ | ==Script edition== | ||
+ | You can find below a highlighter for Notepad++ in order to help to edit W3AF script (copy/paste content into a file and import it into Notepad++). | ||
+ | <pre> | ||
+ | <NotepadPlus> | ||
+ | <UserLang name="W3AF Script" ext="w3af"> | ||
+ | <Settings> | ||
+ | <Global caseIgnored="yes" /> | ||
+ | <TreatAsSymbol comment="no" commentLine="no" /> | ||
+ | <Prefix words1="no" words2="no" words3="no" words4="no" /> | ||
+ | </Settings> | ||
+ | <KeywordLists> | ||
+ | <Keywords name="Delimiters">000000</Keywords> | ||
+ | <Keywords name="Folder+"></Keywords> | ||
+ | <Keywords name="Folder-"></Keywords> | ||
+ | <Keywords name="Operators"></Keywords> | ||
+ | <Keywords name="Comment"> 1 2 0#</Keywords> | ||
+ | <Keywords name="Words1">start plugins exploit profiles http­settings misc­settings target back assert help version keys view set</Keywords> | ||
+ | <Keywords name="Words2">mangle evasion discovery grep bruteforce audit output</Keywords> | ||
+ | <Keywords name="Words3"></Keywords> | ||
+ | <Keywords name="Words4"></Keywords> | ||
+ | </KeywordLists> | ||
+ | <Styles> | ||
+ | <WordsStyle name="DEFAULT" styleID="11" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="FOLDEROPEN" styleID="12" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="FOLDERCLOSE" styleID="13" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="KEYWORD1" styleID="5" fgColor="000080" bgColor="FFFFFF" fontStyle="3" /> | ||
+ | <WordsStyle name="KEYWORD2" styleID="6" fgColor="800040" bgColor="FFFFFF" fontStyle="3" /> | ||
+ | <WordsStyle name="KEYWORD3" styleID="7" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="KEYWORD4" styleID="8" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="COMMENT" styleID="1" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="COMMENT LINE" styleID="2" fgColor="008040" bgColor="FFFFFF" fontStyle="1" /> | ||
+ | <WordsStyle name="NUMBER" styleID="4" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="OPERATOR" styleID="10" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="DELIMINER1" styleID="14" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="DELIMINER2" styleID="15" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | <WordsStyle name="DELIMINER3" styleID="16" fgColor="000000" bgColor="FFFFFF" fontStyle="0" /> | ||
+ | </Styles> | ||
+ | </UserLang> | ||
+ | </NotepadPlus> | ||
+ | </pre> | ||
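Review bot: in the Words1 keyword list the two hyphenated console commands appear as `httpsettings` and `miscsettings` (the hyphen has been lost or turned into an invisible soft hyphen in the wiki source), so `http-settings`, which is exactly how the audit script on this page spells the command, will not be highlighted as a keyword; suggest writing `http-settings misc-settings` in that list so the highlighter matches the commands the script actually uses.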
Revision as of 08:19, 14 January 2012
Last revision (mm/dd/yy): 01/12/2012
Description
This page aims to show a sample W3AF script that automates the audit of a web application.
W3AF is a free and open source Web Application Attack and Audit Framework (W3AF homepage).
This script does not replace a manual audit, but it can be useful as a first validation pass.
Script
<pre>
# -----------------------------------------------------------------------------------------------------------
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
http-settings
set timeout 60
back
plugins
# Step 1 : Configure DISCOVERY plugins
discovery serverHeader, dotNetErrors, webSpider
discovery config serverHeader
set execOneTime True
back
discovery config webSpider
set onlyForward False
set followRegex .*
back
# Step 2 : Configure AUDIT plugins
audit LDAPi,eval,frontpage,generic,globalRedirect,phishingVector,responseSplitting,sqli,xpath,xsrf,xss,xst
audit config xss
set numberOfChecks 15
back
# Step 3 : Configure GREP plugins
grep error500, domXss, metaTags, dotNetEventValidation, findComments, pathDisclosure, collectCookies, errorPages, httpAuthDetect
grep config domXss
set simpleGrep False
set smartGrep True
back
grep config metaTags
set search404 False
back
grep config findComments
set search404 False
back
# Step 4 : Configure OUTPUT plugins
output htmlFile
output config htmlFile
set fileName /tmp/W3afReport.html
set verbose False
back
back
# Step 5 : Define target URL
target
set target PUT_YOUR_SITE_URL_HERE
back
# Step 6 : Start audit
start
exit
</pre>
Run it
./w3af_console -s MyScript.w3af
After the script runs, the audit report is available at the location defined by the "set fileName" clause ("/tmp/W3afReport.html" in the script example).
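As an added example (not part of the original page and not w3af's own code), a small Python checker that walks a script like the one above and verifies that each "back" leaves a menu it actually entered, that "start" is issued from the root menu, and that the PUT_YOUR_SITE_URL_HERE placeholder has been replaced by a real URL; its menu model (ROOT_MENUS, PLUGIN_TYPES, the "type config plugin" submenus) is a simplified assumption about the w3af console, and the embedded script is a constructed, shortened copy of the page's script.

```python
# Constructed sample: a shortened copy of this page's audit script, still
# carrying the PUT_YOUR_SITE_URL_HERE placeholder.
SAMPLE_SCRIPT = """\
plugins
discovery config serverHeader
set execOneTime True
back
output config htmlFile
set fileName /tmp/W3afReport.html
back
back
target
set target PUT_YOUR_SITE_URL_HERE
back
start
"""
# Simplified model (an assumption) of the w3af console menu tree.
ROOT_MENUS = {"http-settings", "misc-settings", "plugins", "target", "profiles", "exploit"}
PLUGIN_TYPES = {"discovery", "audit", "grep", "output", "bruteforce", "evasion", "mangle"}

def check_script(text):
    """Return (problems, settings); settings maps (menu, option) -> value."""
    problems, stack, settings = [], ["root"], {}
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):  # blank line or '#' comment
            continue
        cmd, menu = parts[0], stack[-1]
        if cmd == "back":                           # leave the current menu
            if menu == "root":
                problems.append(f"line {no}: 'back' at root menu")
            else:
                stack.pop()
        elif menu == "root" and cmd in ROOT_MENUS:  # enter a top-level menu
            stack.append(cmd)
        elif menu == "plugins" and cmd in PLUGIN_TYPES and len(parts) == 3 and parts[1] == "config":
            stack.append(f"{cmd}/{parts[2]}")       # enter a plugin's config submenu
        elif cmd == "set" and len(parts) >= 3:      # record the option in its menu
            settings[(menu, parts[1])] = " ".join(parts[2:])
        elif cmd == "start":                        # must run at root with a real target
            if menu != "root":
                problems.append(f"line {no}: 'start' issued inside menu '{menu}'")
            url = settings.get(("target", "target"), "")
            if not url.startswith(("http://", "https://")):
                problems.append(f"line {no}: target {url!r} is not an http(s) URL")
    if len(stack) > 1:                              # an unmatched menu is still open
        problems.append(f"script ends inside menu '{stack[-1]}'")
    return problems, settings
```

Run the checker over your own .w3af file before passing it to w3af_console -s; a non-empty problem list usually means a missing "back" or a target that was never filled in.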
Script editing
Below is a highlighter definition for Notepad++ to help edit W3AF scripts (copy/paste the content into a file and import it into Notepad++).
<pre>
<NotepadPlus>
    <UserLang name="W3AF Script" ext="w3af">
        <Settings>
            <Global caseIgnored="yes" />
            <TreatAsSymbol comment="no" commentLine="no" />
            <Prefix words1="no" words2="no" words3="no" words4="no" />
        </Settings>
        <KeywordLists>
            <Keywords name="Delimiters">000000</Keywords>
            <Keywords name="Folder+"></Keywords>
            <Keywords name="Folder-"></Keywords>
            <Keywords name="Operators"></Keywords>
            <Keywords name="Comment"> 1 2 0#</Keywords>
            <Keywords name="Words1">start plugins exploit profiles http-settings misc-settings target back assert help version keys view set</Keywords>
            <Keywords name="Words2">mangle evasion discovery grep bruteforce audit output</Keywords>
            <Keywords name="Words3"></Keywords>
            <Keywords name="Words4"></Keywords>
        </KeywordLists>
        <Styles>
            <WordsStyle name="DEFAULT" styleID="11" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="FOLDEROPEN" styleID="12" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="FOLDERCLOSE" styleID="13" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="KEYWORD1" styleID="5" fgColor="000080" bgColor="FFFFFF" fontStyle="3" />
            <WordsStyle name="KEYWORD2" styleID="6" fgColor="800040" bgColor="FFFFFF" fontStyle="3" />
            <WordsStyle name="KEYWORD3" styleID="7" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="KEYWORD4" styleID="8" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="COMMENT" styleID="1" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="COMMENT LINE" styleID="2" fgColor="008040" bgColor="FFFFFF" fontStyle="1" />
            <WordsStyle name="NUMBER" styleID="4" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="OPERATOR" styleID="10" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="DELIMINER1" styleID="14" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="DELIMINER2" styleID="15" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            <WordsStyle name="DELIMINER3" styleID="16" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
        </Styles>
    </UserLang>
</NotepadPlus>
</pre>