W3af Web Application Attack Framework Cheat Sheet

Overview

W3af (Web Application Attack and Audit Framework) is a comprehensive open-source web application security scanner. It provides a complete framework for finding and exploiting web application vulnerabilities, with discovery, audit and attack plugins for thorough security assessments.

⚠️ Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it against any target.

Installation

Ubuntu/Debian Installation

```bash
# Install dependencies
sudo apt update
sudo apt install python3-pip python3-dev build-essential libssl-dev libffi-dev python3-setuptools

# Install w3af
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install Python dependencies
pip3 install -r requirements.txt

# Run dependency check
python3 w3af_console

# Install missing dependencies if prompted
./w3af_dependency_install.sh
```

Manual Installation

```bash
# Clone repository
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install dependencies manually
sudo apt install python3-pip python3-dev python3-setuptools
sudo apt install libxml2-dev libxslt1-dev zlib1g-dev
sudo apt install libyaml-dev libssl-dev libffi-dev

# Install Python packages
pip3 install --user -r requirements.txt

# Test installation
python3 w3af_console
```

Docker Installation

```bash
# Pull Docker image
docker pull andresriancho/w3af

# Run with Docker
docker run -it andresriancho/w3af

# Run with volume mount
docker run -it -v "$(pwd)":/tmp/w3af andresriancho/w3af
```

Kali Linux

```bash
# W3af is pre-installed in Kali
w3af_console

# If not installed
sudo apt update
sudo apt install w3af
```

Basic Usage

User Interface

```bash
# Start w3af console
w3af_console

# GUI interface (if available)
w3af_gui

# Help commands
w3af>>> help
w3af>>> help plugins
w3af>>> help target
```

Basic Commands

```bash
# Set target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> back

# View current configuration
w3af>>> target view

# Start scan
w3af>>> start

# Exit
w3af>>> exit
```

Plugin Categories

Discovery Plugins

| Plugin | Description |
| --- | --- |
| web_spider | Web application spider |
| dir_file_bruter | Directory and file brute forcer |
| dns_wildcard | DNS wildcard detection |
| robots_txt | Robots.txt analyzer |
| sitemap_xml | Sitemap.xml parser |
| google_spider | Google search spider |
| bing_spider | Bing search spider |

Audit Plugins

| Plugin | Description |
| --- | --- |
| sqli | SQL injection detection |
| xss | Cross-site scripting detection |
| csrf | Cross-site request forgery |
| lfi | Local file inclusion |
| rfi | Remote file inclusion |
| os_commanding | OS command injection |
| xpath | XPath injection |
| ldapi | LDAP injection |

Attack Plugins

| Plugin | Description |
| --- | --- |
| sqlmap | SQL injection exploitation |
| shell_shock | Shellshock exploitation |
| file_upload | File upload exploitation |
| dav | WebDAV exploitation |
| rfi | Remote file inclusion exploitation |

Configuration and Setup

Basic Configuration

```bash
# Configure target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> set target_os unix
w3af/config:target>>> set target_framework php
w3af/config:target>>> back

# Configure HTTP settings
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Custom W3af Scanner)"
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> back
```

Authentication Configuration

```bash
# Basic authentication
w3af>>> http-settings
w3af/config:http-settings>>> set basic_auth_user username
w3af/config:http-settings>>> set basic_auth_passwd password
w3af/config:http-settings>>> set basic_auth_domain target.com
w3af/config:http-settings>>> back

# Cookie authentication
w3af>>> http-settings
w3af/config:http-settings>>> set cookie "PHPSESSID=abc123; auth=token"
w3af/config:http-settings>>> back

# Custom headers
w3af>>> http-settings
w3af/config:http-settings>>> set headers "Authorization: Bearer token123"
w3af/config:http-settings>>> back
```

Proxy Configuration

```bash
# Configure proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> set proxy_username proxy_user
w3af/config:http-settings>>> set proxy_password proxy_pass
w3af/config:http-settings>>> back
```

Discovery Phase

Web Spider Configuration

```bash
# Configure web spider
w3af>>> plugins
w3af/plugins>>> discovery web_spider
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward True
w3af/plugins/discovery/config:web_spider>>> set ignore_regex ".*\.(jpg|jpeg|png|gif|pdf|zip)$"
w3af/plugins/discovery/config:web_spider>>> set follow_regex ".*"
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```

Directory Brute Force

```bash
# Configure directory brute forcer
w3af>>> plugins
w3af/plugins>>> discovery dir_file_bruter
w3af/plugins>>> discovery config dir_file_bruter
w3af/plugins/discovery/config:dir_file_bruter>>> set wordlist /usr/share/wordlists/dirb/common.txt
w3af/plugins/discovery/config:dir_file_bruter>>> set file_extensions php,html,txt,js
w3af/plugins/discovery/config:dir_file_bruter>>> set be_recursive True
w3af/plugins/discovery/config:dir_file_bruter>>> back
w3af/plugins>>> back
```

Comprehensive Discovery Setup

```bash
# Enable multiple discovery plugins
w3af>>> plugins
w3af/plugins>>> discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward False
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```

Audit Phase

SQL Injection Detection

```bash
# Configure SQL injection plugin
w3af>>> plugins
w3af/plugins>>> audit sqli
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set check_numeric True
w3af/plugins/audit/config:sqli>>> set check_string True
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```

Cross-Site Scripting (XSS)

```bash
# Configure XSS plugin
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> set check_persistent_xss True
w3af/plugins/audit/config:xss>>> set check_reflected_xss True
w3af/plugins/audit/config:xss>>> back
w3af/plugins>>> back
```

File Inclusion Vulnerabilities

```bash
# Configure LFI/RFI plugins
w3af>>> plugins
w3af/plugins>>> audit lfi, rfi
w3af/plugins>>> audit config lfi
w3af/plugins/audit/config:lfi>>> set use_time_delay True
w3af/plugins/audit/config:lfi>>> set use_echo True
w3af/plugins/audit/config:lfi>>> back
w3af/plugins>>> back
```

Comprehensive Audit Setup

```bash
# Enable all major audit plugins
w3af>>> plugins
w3af/plugins>>> audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath, ldapi
w3af/plugins>>> back
```

Attack Phase

SQL Injection Exploitation

```bash
# Configure SQLMap integration
w3af>>> plugins
w3af/plugins>>> attack sqlmap
w3af/plugins>>> attack config sqlmap
w3af/plugins/attack/config:sqlmap>>> set sqlmap_path /usr/bin/sqlmap
w3af/plugins/attack/config:sqlmap>>> set exploit_all True
w3af/plugins/attack/config:sqlmap>>> back
w3af/plugins>>> back
```

File Upload Exploitation

```bash
# Configure file upload attack
w3af>>> plugins
w3af/plugins>>> attack file_upload
w3af/plugins>>> attack config file_upload
w3af/plugins/attack/config:file_upload>>> set extensions php,asp,aspx,jsp
w3af/plugins/attack/config:file_upload>>> back
w3af/plugins>>> back
```

Shell Access

```bash
# Configure shell access
w3af>>> plugins
w3af/plugins>>> attack shell_shock
w3af/plugins>>> back

# After successful exploitation
w3af>>> exploit
w3af>>> shell
shell>>> whoami
shell>>> pwd
shell>>> exit
```

Output and Reporting

Output Configuration

```bash
# Configure output plugins
w3af>>> plugins
w3af/plugins>>> output console, text_file, html_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file /tmp/w3af_report.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
w3af/plugins>>> back
```

HTML Report Generation

```bash
# Configure HTML report
w3af>>> plugins
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set output_file /tmp/w3af_report.html
w3af/plugins/output/config:html_file>>> back
w3af/plugins>>> back
```

XML Report Generation

```bash
# Configure XML report
w3af>>> plugins
w3af/plugins>>> output xml_file
w3af/plugins>>> output config xml_file
w3af/plugins/output/config:xml_file>>> set output_file /tmp/w3af_report.xml
w3af/plugins/output/config:xml_file>>> back
w3af/plugins>>> back
```
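Once the scan has written an XML report, the findings still have to be triaged. The following script is an added example (not code from the cheat sheet or from the w3af project) that collapses duplicate findings and counts them per severity; it assumes the report is a `<w3af-run>` root with `<vulnerability>` elements carrying `name`, `severity`, `url`, `method`, `var` and `plugin` attributes, so adjust the names if your xml_file output differs.

```python
"""Triage a w3af xml_file report: deduplicate findings and count by severity.
The <w3af-run>/<vulnerability> layout and attribute names used here are an
assumption about the xml_file plugin's output, not taken from w3af itself."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (not real scanner output) in the assumed layout.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<w3af-run start="1700000000" version="2.0.0">
  <vulnerability id="[1]" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/item.php" var="id"/>
  <vulnerability id="[2]" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/item.php" var="id"/>
  <vulnerability id="[3]" method="POST" name="Cross site scripting vulnerability"
                 plugin="xss" severity="Medium" url="http://target.example/search"
                 var="q"/>
  <vulnerability id="[4]" method="GET" name="Directory indexing"
                 plugin="dir_indexing" severity="Low"
                 url="http://target.example/uploads/" var=""/>
</w3af-run>
"""

# Sort order for the severity labels; unknown labels sort last.
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Information": 3}


def parse_findings(xml_text):
    """Return unique findings as (severity, name, url, method, var, plugin) tuples.
    Findings with the same name, URL, method and parameter collapse into one entry,
    so a plugin reporting the same issue twice does not inflate the counts."""
    root = ET.fromstring(xml_text)
    seen = {}
    for v in root.iter("vulnerability"):
        key = (v.get("name"), v.get("url"), v.get("method"), v.get("var", ""))
        if key not in seen:
            seen[key] = (v.get("severity", "Information"), *key, v.get("plugin", ""))
    # Highest severity first, then alphabetically by finding name.
    return sorted(seen.values(), key=lambda f: (SEVERITY_ORDER.get(f[0], 99), f[1]))


def severity_counts(findings):
    """Count unique findings per severity label, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    print(severity_counts(findings))
    for sev, name, url, method, var, plugin in findings:
        print(f"[{sev}] {name}: {method} {url} param={var or '-'} ({plugin})")
```

To run it against a real report, replace `SAMPLE_REPORT` with the contents of the file set via `output_file` above.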

Advanced Configuration

Custom Payloads

```bash
# Create custom payload file
echo -e "' OR 1=1--\n\" OR 1=1--\n' UNION SELECT 1,2,3--" > custom_sqli.txt

# Configure custom payloads
w3af>>> plugins
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set payloads_file /path/to/custom_sqli.txt
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```

Form Authentication

```bash
# Configure form authentication
w3af>>> plugins
w3af/plugins>>> discovery form_auth
w3af/plugins>>> discovery config form_auth
w3af/plugins/discovery/config:form_auth>>> set username admin
w3af/plugins/discovery/config:form_auth>>> set password password123
w3af/plugins/discovery/config:form_auth>>> set username_field username
w3af/plugins/discovery/config:form_auth>>> set password_field password
w3af/plugins/discovery/config:form_auth>>> set login_form_url http://target.com/login.php
w3af/plugins/discovery/config:form_auth>>> back
w3af/plugins>>> back
```

Session Management

```bash
# Configure session handling
w3af>>> http-settings
w3af/config:http-settings>>> set max_file_size 1000000
w3af/config:http-settings>>> set max_http_retries 3
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set headers_file /path/to/headers.txt
w3af/config:http-settings>>> back
```

Scripting and Automation

W3af Script Files

```text
# Create w3af script file (scan_script.w3af)
target
set target http://target.com/
back

plugins
discovery web_spider, dir_file_bruter, robots_txt
audit sqli, xss, csrf, lfi, rfi
output console, text_file
output config text_file
set output_file /tmp/w3af_scan.txt
back
back

start
```

Running Scripts

```bash
# Run w3af script
w3af_console -s scan_script.w3af

# Run with profile
w3af_console -p OWASP_TOP10

# Run in batch mode
echo "target; set target http://target.com/; back; start" | w3af_console
```

Python API Usage

```python
#!/usr/bin/env python3
import w3af.core.controllers.w3afCore as w3afCore
import w3af.core.data.kb.knowledgeBase as kb

# Initialize w3af core
w3af = w3afCore.w3afCore()

# Set target
target_url = "http://target.com/"
w3af.target.set_target(target_url)

# Configure plugins
w3af.plugins.set_plugins(['web_spider'], 'discovery')
w3af.plugins.set_plugins(['sqli', 'xss'], 'audit')

# Start scan (blocks until the scan finishes)
w3af.start()

# Get vulnerabilities from the knowledge base
vulns = kb.kb.get_all_vulns()
for vuln in vulns:
    print(f"Vulnerability: {vuln.get_name()}")
    print(f"URL: {vuln.get_url()}")
    print(f"Severity: {vuln.get_severity()}")
    print("---")
```

Profiles and Templates

Built-in Profiles

```bash
# List available profiles
w3af>>> profiles
w3af>>> profiles use OWASP_TOP10
w3af>>> profiles use fast_scan
w3af>>> profiles use full_audit

# View profile configuration
w3af>>> profiles view OWASP_TOP10
```

Creating Custom Profiles

```bash
# Save current configuration as profile
w3af>>> profiles
w3af/profiles>>> save_as custom_profile

# Load custom profile
w3af/profiles>>> use custom_profile
w3af/profiles>>> back
```

Profile Configuration Files

```ini
# Create custom profile file (custom_scan.pw3af)
[target]
target = http://target.com/

[plugins]
discovery = web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit = sqli, xss, csrf, lfi, rfi, os_commanding
attack = sqlmap, file_upload

[discovery.web_spider]
only_forward = False
ignore_regex = .*\.(jpg|jpeg|png|gif|pdf|zip)$

[audit.sqli]
check_numeric = True
check_string = True

[output]
output = console, text_file
text_file.output_file = /tmp/custom_scan.txt
```

Integration with Other Tools

Burp Suite Integration

```bash
# Configure w3af to use Burp as proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> back

# Export findings to Burp format
w3af>>> plugins
w3af/plugins>>> output burp_export
w3af/plugins>>> back
```

Metasploit Integration

```bash
# Export vulnerabilities for Metasploit
w3af>>> plugins
w3af/plugins>>> output metasploit_export
w3af/plugins>>> output config metasploit_export
w3af/plugins/output/config:metasploit_export>>> set output_file /tmp/w3af_msf.rc
w3af/plugins/output/config:metasploit_export>>> back
w3af/plugins>>> back

# Use in Metasploit
msfconsole -r /tmp/w3af_msf.rc
```

OWASP ZAP Integration

```bash
# Export to ZAP format
w3af>>> plugins
w3af/plugins>>> output zap_export
w3af/plugins>>> output config zap_export
w3af/plugins/output/config:zap_export>>> set output_file /tmp/w3af_zap.xml
w3af/plugins/output/config:zap_export>>> back
w3af/plugins>>> back
```

Performance Optimization

Threading Configuration

```bash
# Configure threading
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_discovery_time 600
w3af/config:misc-settings>>> set max_scan_time 3600
w3af/config:misc-settings>>> set thread_number 10
w3af/config:misc-settings>>> back
```

Memory Management

```bash
# Configure memory settings
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 1000000
w3af/config:misc-settings>>> set max_requests_per_second 20
w3af/config:misc-settings>>> back
```

Rate Limiting

```bash
# Configure rate limiting
w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 5
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```

Troubleshooting

Common Issues

```bash
# SSL certificate issues
w3af>>> http-settings
w3af/config:http-settings>>> set ignore_session_cookies True
w3af/config:http-settings>>> set cookie_jar_file /tmp/cookies.txt
w3af/config:http-settings>>> back

# Memory issues
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 500000
w3af/config:misc-settings>>> set thread_number 5
w3af/config:misc-settings>>> back

# Timeout issues
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 60
w3af/config:http-settings>>> set max_http_retries 5
w3af/config:http-settings>>> back
```

Debug Mode

```bash
# Enable debug output
w3af>>> misc-settings
w3af/config:misc-settings>>> set debug True
w3af/config:misc-settings>>> back

# View debug information
w3af>>> kb
w3af/kb>>> list vulns
w3af/kb>>> list info
w3af/kb>>> back
```

Analyzing Results

```bash
# View w3af logs
tail -f ~/.w3af/w3af.log

# Enable verbose logging
w3af>>> misc-settings
w3af/config:misc-settings>>> set verbose True
w3af/config:misc-settings>>> back
```

Best Practices

Scanning Strategy

  1. **Start with discovery**: Use comprehensive discovery plugins first
  2. **Targeted auditing**: Focus audit plugins on the discovered attack surface
  3. **Gradual escalation**: Start with safe plugins, then move to intrusive ones
  4. **Regular updates**: Keep w3af and its plugins updated
  5. **Custom payloads**: Create custom payloads for specific applications

Performance Considerations

```bash
# Optimized configuration for large applications
w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 15
w3af/config:misc-settings>>> set max_discovery_time 1800
w3af/config:misc-settings>>> set max_scan_time 7200
w3af/config:misc-settings>>> back

w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```

Stealth Scanning

```bash
# Stealth configuration
w3af>>> http-settings
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
w3af/config:http-settings>>> set max_requests_per_second 2
w3af/config:http-settings>>> set timeout 45
w3af/config:http-settings>>> back

w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 3
w3af/config:misc-settings>>> back
```

Automation Scripts

Comprehensive Scan Script

```bash
#!/bin/bash

TARGET=$1
OUTPUT_DIR="w3af_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

# Create w3af script
cat > "$OUTPUT_DIR/scan.w3af" << EOF
target
set target $TARGET
back

plugins
discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath
output console, text_file, html_file
output config text_file
set output_file $OUTPUT_DIR/w3af_report.txt
back
output config html_file
set output_file $OUTPUT_DIR/w3af_report.html
back
back

start
EOF

# Run scan
echo "[+] Starting w3af scan for $TARGET"
w3af_console -s "$OUTPUT_DIR/scan.w3af"

echo "[+] Scan complete. Results saved in $OUTPUT_DIR/"
```

Batch Scanning Script

```bash
#!/bin/bash

TARGETS_FILE=$1
OUTPUT_BASE="w3af_batch_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGETS_FILE" ]; then
    echo "Usage: $0 <targets_file>"
    exit 1
fi

mkdir -p "$OUTPUT_BASE"

# One target URL per line; empty lines are skipped
while read -r target; do
    if [ -n "$target" ]; then
        echo "[+] Scanning $target"
        # Derive a directory name from the URL: strip the scheme, replace slashes
        target_dir="$OUTPUT_BASE/$(echo "$target" | sed 's|https\?://||' | sed 's|/|_|g')"
        mkdir -p "$target_dir"

        cat > "$target_dir/scan.w3af" << EOF
target
set target $target
back

plugins
discovery web_spider, dir_file_bruter
audit sqli, xss, csrf
output text_file
output config text_file
set output_file $target_dir/report.txt
back
back

start
EOF

        w3af_console -s "$target_dir/scan.w3af"
    fi
done < "$TARGETS_FILE"

echo "[+] Batch scanning complete. Results in $OUTPUT_BASE/"
```

Resources

---

*This cheat sheet provides a comprehensive reference for using W3af. Always ensure you have proper authorization before conducting web application security testing.*