Automated Audit using W3AF
From OWASP
Last revision (mm/dd/yy): 01/12/2012
Description
This page shows a sample W3AF script that automates the audit of a web application.
W3AF is a free and open source Web Application Attack and Audit Framework (W3AF homepage).
The script does not replace a manual audit, but it is useful for a first validation pass.
Script
# -----------------------------------------------------------------------------------------------------------
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
http-settings
set timeout 60
back
plugins
# Step 1 : Configure DISCOVERY plugins
discovery serverHeader, dotNetErrors, webSpider
discovery config serverHeader
set execOneTime True
back
discovery config webSpider
set onlyForward False
set followRegex .*
back
# Step 2 : Configure AUDIT plugins
audit LDAPi,eval,frontpage,generic,globalRedirect,phishingVector,responseSplitting,sqli,xpath,xsrf,xss,xst
audit config xss
set numberOfChecks 15
back
# Step 3 : Configure GREP plugins
grep error500, domXss, metaTags, dotNetEventValidation, findComments, pathDisclosure, collectCookies, errorPages, httpAuthDetect
grep config domXss
set simpleGrep False
set smartGrep True
back
grep config metaTags
set search404 False
back
grep config findComments
set search404 False
back
# Step 4 : Configure OUTPUT plugins
output htmlFile
output config htmlFile
set fileName /tmp/W3afReport.html
set verbose False
back
back
# Step 5 : Define target URL
target
set target PUT_YOUR_SITE_URL_HERE
back
# Step 6 : Start audit
start
exit
Run it
./w3af_console -s MyScript.w3af
After the script runs, the audit report is written to the path given by "set fileName" ("/tmp/W3afReport.html" in the script example).
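As an added example (not part of the original page or of the W3AF project), the helper below renders the script above from a template so the target URL cannot be left at the PUT_YOUR_SITE_URL_HERE placeholder, and builds the argv for the "./w3af_console -s" run line. Two choices are its own: the grep sub-option blocks are left at their defaults to keep the template short, and followRegex is derived from the target host instead of the page's catch-all ".*" so the spider stays on the application being audited (the regex value is an assumption about what w3af's webSpider accepts).

```python
import re
from urllib.parse import urlparse
PLACEHOLDER = "PUT_YOUR_SITE_URL_HERE"
# Plugin selection copied from the page's script; target, follow regex and
# report path are filled in per run (grep sub-options left at their defaults).
SCRIPT_TEMPLATE = """\
http-settings
set timeout 60
back
plugins
discovery serverHeader, dotNetErrors, webSpider
discovery config serverHeader
set execOneTime True
back
discovery config webSpider
set onlyForward False
set followRegex {follow_regex}
back
audit LDAPi,eval,frontpage,generic,globalRedirect,phishingVector,responseSplitting,sqli,xpath,xsrf,xss,xst
audit config xss
set numberOfChecks 15
back
grep error500, domXss, metaTags, dotNetEventValidation, findComments, pathDisclosure, collectCookies, errorPages, httpAuthDetect
output htmlFile
output config htmlFile
set fileName {report_path}
set verbose False
back
back
target
set target {target_url}
back
start
exit
"""

def render_w3af_script(target_url, report_path="/tmp/W3afReport.html"):
    """Fill the template; reject the placeholder or anything that is not an http(s) URL."""
    parsed = urlparse(target_url)
    if target_url == PLACEHOLDER or parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("target must be an explicit http(s) URL, got %r" % (target_url,))
    # Assumed tightening of the page's ".*": only follow links on the audited host.
    follow_regex = "^" + re.escape(parsed.scheme + "://" + parsed.netloc) + ".*"
    return SCRIPT_TEMPLATE.format(target_url=target_url, report_path=report_path, follow_regex=follow_regex)

def w3af_command(script_path):
    """argv for the page's run line: ./w3af_console -s MyScript.w3af"""
    return ["./w3af_console", "-s", script_path]
```

Write the rendered text to MyScript.w3af and pass that path to w3af_command() before handing the list to subprocess.run().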