# w3af Cheat Sheet (Web Application Attack Framework)

## Overview

w3af (Web Application Attack and Audit Framework) is a comprehensive open-source web application security scanner. It provides a complete framework for finding and exploiting vulnerabilities in web applications, with discovery, audit and attack plugins for thorough security assessments.

⚠️ Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it against any target.
## Installation

### Ubuntu/Debian Installation
```bash
# Install dependencies
sudo apt update
sudo apt install python3-pip python3-dev build-essential libssl-dev libffi-dev python3-setuptools

# Install w3af
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install Python dependencies
pip3 install -r requirements.txt

# Run dependency check
python3 w3af_console

# Install missing dependencies if prompted
./w3af_dependency_install.sh
```
### Manual Installation

```bash
# Clone repository
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install dependencies manually
sudo apt install python3-pip python3-dev python3-setuptools
sudo apt install libxml2-dev libxslt1-dev zlib1g-dev
sudo apt install libyaml-dev libssl-dev libffi-dev

# Install Python packages
pip3 install --user -r requirements.txt

# Test installation
python3 w3af_console
```
### Docker Installation

```bash
# Pull Docker image
docker pull andresriancho/w3af

# Run with Docker
docker run -it andresriancho/w3af

# Run with volume mount
docker run -it -v $(pwd):/tmp/w3af andresriancho/w3af
```
### Kali Linux

```bash
# w3af is pre-installed in Kali
w3af_console

# If not installed
sudo apt update
sudo apt install w3af
```
## Basic Usage

### Console Interface

```bash
# Start w3af console
w3af_console

# GUI interface (if available)
w3af_gui

# Help commands
w3af>>> help
w3af>>> help plugins
w3af>>> help target
```
### Basic Commands

```bash
# Set target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> back

# View current configuration
w3af>>> target view

# Start scan
w3af>>> start

# Exit
w3af>>> exit
```
## Plugin Categories

### Discovery Plugins

| Plugin | Description |
|---|---|
| web_spider | Web application spider |
| dir_file_bruter | Directory and file brute forcer |
| dns_wildcard | DNS wildcard detection |
| robots_txt | robots.txt parser |
| sitemap_xml | sitemap.xml parser |
| google_spider | Google search spider |
| bing_spider | Bing search spider |
### Audit Plugins

| Plugin | Description |
|---|---|
| sqli | SQL injection detection |
| xss | Cross-site scripting detection |
| csrf | Cross-site request forgery |
| lfi | Local file inclusion |
| rfi | Remote file inclusion |
| os_commanding | OS command injection |
| xpath | XPath injection |
| ldapi | LDAP injection |
### Attack Plugins

| Plugin | Description |
|---|---|
| sqlmap | SQL injection exploitation |
| shell_shock | Shellshock exploitation |
| file_upload | File upload exploitation |
| dav | WebDAV exploitation |
| rfi | Remote file inclusion exploitation |
## Configuration and Setup

### Basic Configuration

```bash
# Configure target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> set target_os unix
w3af/config:target>>> set target_framework php
w3af/config:target>>> back

# Configure HTTP settings
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Custom W3af Scanner)"
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> back
```
### Authentication Configuration

```bash
# Basic authentication
w3af>>> http-settings
w3af/config:http-settings>>> set basic_auth_user username
w3af/config:http-settings>>> set basic_auth_passwd password
w3af/config:http-settings>>> set basic_auth_domain target.com
w3af/config:http-settings>>> back

# Cookie authentication
w3af>>> http-settings
w3af/config:http-settings>>> set cookie "PHPSESSID=abc123; auth=token"
w3af/config:http-settings>>> back

# Custom headers
w3af>>> http-settings
w3af/config:http-settings>>> set headers "Authorization: Bearer token123"
w3af/config:http-settings>>> back
```
### Proxy Configuration

```bash
# Configure proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> set proxy_username proxy_user
w3af/config:http-settings>>> set proxy_password proxy_pass
w3af/config:http-settings>>> back
```
## Discovery Phase

### Web Spider Configuration

```bash
# Configure web spider
w3af>>> plugins
w3af/plugins>>> discovery web_spider
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward True
w3af/plugins/discovery/config:web_spider>>> set ignore_regex ".*\.(jpg|jpeg|png|gif|pdf|zip)$"
w3af/plugins/discovery/config:web_spider>>> set follow_regex ".*"
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```
### Directory Brute Force

```bash
# Configure directory brute forcer
w3af>>> plugins
w3af/plugins>>> discovery dir_file_bruter
w3af/plugins>>> discovery config dir_file_bruter
w3af/plugins/discovery/config:dir_file_bruter>>> set wordlist /usr/share/wordlists/dirb/common.txt
w3af/plugins/discovery/config:dir_file_bruter>>> set file_extensions php,html,txt,js
w3af/plugins/discovery/config:dir_file_bruter>>> set be_recursive True
w3af/plugins/discovery/config:dir_file_bruter>>> back
w3af/plugins>>> back
```
### Comprehensive Discovery Setup

```bash
# Enable multiple discovery plugins
w3af>>> plugins
w3af/plugins>>> discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward False
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```
## Audit Phase

### SQL Injection Detection

```bash
# Configure SQL injection plugin
w3af>>> plugins
w3af/plugins>>> audit sqli
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set check_numeric True
w3af/plugins/audit/config:sqli>>> set check_string True
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```
### Cross-Site Scripting (XSS)

```bash
# Configure XSS plugin
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> set check_persistent_xss True
w3af/plugins/audit/config:xss>>> set check_reflected_xss True
w3af/plugins/audit/config:xss>>> back
w3af/plugins>>> back
```
### File Inclusion Vulnerabilities

```bash
# Configure LFI/RFI plugins
w3af>>> plugins
w3af/plugins>>> audit lfi, rfi
w3af/plugins>>> audit config lfi
w3af/plugins/audit/config:lfi>>> set use_time_delay True
w3af/plugins/audit/config:lfi>>> set use_echo True
w3af/plugins/audit/config:lfi>>> back
w3af/plugins>>> back
```
### Comprehensive Audit Setup

```bash
# Enable all major audit plugins
w3af>>> plugins
w3af/plugins>>> audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath, ldapi
w3af/plugins>>> back
```
## Attack Phase

### SQL Injection Exploitation

```bash
# Configure SQLMap integration
w3af>>> plugins
w3af/plugins>>> attack sqlmap
w3af/plugins>>> attack config sqlmap
w3af/plugins/attack/config:sqlmap>>> set sqlmap_path /usr/bin/sqlmap
w3af/plugins/attack/config:sqlmap>>> set exploit_all True
w3af/plugins/attack/config:sqlmap>>> back
w3af/plugins>>> back
```
### File Upload Exploitation

```bash
# Configure file upload attack
w3af>>> plugins
w3af/plugins>>> attack file_upload
w3af/plugins>>> attack config file_upload
w3af/plugins/attack/config:file_upload>>> set extensions php,asp,aspx,jsp
w3af/plugins/attack/config:file_upload>>> back
w3af/plugins>>> back
```
### Shell Access

```bash
# Configure shell access
w3af>>> plugins
w3af/plugins>>> attack shell_shock
w3af/plugins>>> back

# After successful exploitation
w3af>>> exploit
w3af>>> shell
shell>>> whoami
shell>>> pwd
shell>>> exit
```
## Output and Reporting

### Output Configuration

```bash
# Configure output plugins
w3af>>> plugins
w3af/plugins>>> output console, text_file, html_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file /tmp/w3af_report.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
w3af/plugins>>> back
```
### HTML Report Generation

```bash
# Configure HTML report
w3af>>> plugins
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set output_file /tmp/w3af_report.html
w3af/plugins/output/config:html_file>>> back
w3af/plugins>>> back
```
### XML Report Generation

```bash
# Configure XML report
w3af>>> plugins
w3af/plugins>>> output xml_file
w3af/plugins>>> output config xml_file
w3af/plugins/output/config:xml_file>>> set output_file /tmp/w3af_report.xml
w3af/plugins/output/config:xml_file>>> back
w3af/plugins>>> back
```
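The XML report is the output format that is easiest to post-process. The following script is an added example (not part of this cheat sheet or of the w3af project) that triages such a report: it parses the findings, drops duplicate reports of the same issue, ranks them by severity and returns a pass/fail verdict that a CI job can act on. The element and attribute names (`w3afrun`, `vulnerability`, `information`, `name`, `severity`, `url`, `var`, `plugin`, `description`) are an assumption about the `xml_file` plugin's schema, and the embedded report is constructed sample data, so check both against a report produced by your own w3af version before relying on the script.

```python
"""Triage a w3af XML report: de-duplicate, rank by severity, gate on a threshold.

Added example, not w3af code. The schema below is an assumption about the
xml_file output plugin; adjust tag/attribute names to your real reports.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report in the assumed schema (not real scanner output).
# Findings 1 and 2 describe the same issue twice, as scanners often do.
SAMPLE_REPORT = """<w3afrun start="1700000000" version="2.0">
  <vulnerability id="1" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/item.php" var="id">
    <description>A SQL injection was found in parameter "id".</description>
  </vulnerability>
  <vulnerability id="2" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/item.php" var="id">
    <description>Duplicate report of the same finding.</description>
  </vulnerability>
  <vulnerability id="3" method="POST" name="Cross site scripting" plugin="xss"
                 severity="Medium" url="http://target.example/search.php" var="q">
    <description>Reflected XSS in parameter "q".</description>
  </vulnerability>
  <information id="4" name="Server header" plugin="server_header"
               url="http://target.example/">
    <description>Server: Apache</description>
  </information>
</w3afrun>
"""

# Higher number = more severe; elements without a severity are informational.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}


def parse_report(xml_text):
    """Return one dict per <vulnerability>/<information> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag not in ("vulnerability", "information"):
            continue
        findings.append({
            "name": elem.get("name", "").strip(),
            "severity": elem.get("severity", "Information"),
            "url": elem.get("url", ""),
            "var": elem.get("var", ""),
            "method": elem.get("method", ""),
            "plugin": elem.get("plugin", ""),
            "description": elem.findtext("description", default="").strip(),
        })
    return findings


def dedupe(findings):
    """Collapse repeated reports of the same issue on the same URL/parameter."""
    seen, unique = set(), []
    for f in findings:
        key = (f["name"], f["url"], f["var"], f["method"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def rank(findings):
    """Most severe first; stable secondary order by URL and name."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["url"], f["name"]))


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


def verdict(findings, fail_on="Medium"):
    """(passed, blocking) where blocking holds findings at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return len(blocking) == 0, blocking


def triage(xml_text, fail_on="Medium"):
    unique = rank(dedupe(parse_report(xml_text)))
    passed, blocking = verdict(unique, fail_on)
    return {"findings": unique, "counts": severity_counts(unique),
            "passed": passed, "blocking": blocking}


if __name__ == "__main__":
    # Usage: python3 triage.py /tmp/w3af_report.xml  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = triage(text)
    for f in result["findings"]:
        print(f"[{f['severity']:<11}] {f['name']} at {f['url']} ({f['method']} {f['var']})")
    print("counts:", dict(result["counts"]))
    print("gate:", "PASS" if result["passed"] else "FAIL")
    sys.exit(0 if result["passed"] else 1)
```

The de-duplication key deliberately includes the HTTP method and parameter name, so the same vulnerability class on two different parameters stays as two findings. If the report files can come from a machine you do not fully control, parse them with `defusedxml` instead of the standard library parser.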
## Advanced Configuration

### Custom Payloads

```bash
# Create custom payload file
echo -e "' OR 1=1--\n\" OR 1=1--\n' UNION SELECT 1,2,3--" > custom_sqli.txt

# Configure custom payloads
w3af>>> plugins
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set payloads_file /path/to/custom_sqli.txt
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```
### Form Authentication

```bash
# Configure form authentication
w3af>>> plugins
w3af/plugins>>> discovery form_auth
w3af/plugins>>> discovery config form_auth
w3af/plugins/discovery/config:form_auth>>> set username admin
w3af/plugins/discovery/config:form_auth>>> set password password123
w3af/plugins/discovery/config:form_auth>>> set username_field username
w3af/plugins/discovery/config:form_auth>>> set password_field password
w3af/plugins/discovery/config:form_auth>>> set login_form_url http://target.com/login.php
w3af/plugins/discovery/config:form_auth>>> back
w3af/plugins>>> back
```
### Session Management

```bash
# Configure session handling
w3af>>> http-settings
w3af/config:http-settings>>> set max_file_size 1000000
w3af/config:http-settings>>> set max_http_retries 3
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set headers_file /path/to/headers.txt
w3af/config:http-settings>>> back
```
## Scripting and Automation

### w3af Script Files

```bash
# Create w3af script file (scan_script.w3af)
target
set target http://target.com/
back
plugins
discovery web_spider, dir_file_bruter, robots_txt
audit sqli, xss, csrf, lfi, rfi
output console, text_file
output config text_file
set output_file /tmp/w3af_scan.txt
back
back
start
```
### Running Scripts

```bash
# Run w3af script
w3af_console -s scan_script.w3af

# Run with profile
w3af_console -p OWASP_TOP10

# Run in batch mode
echo "target; set target http://target.com/; back; start" | w3af_console
```
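Because a `.w3af` script is just a list of console commands, anything that lands in the target line is interpreted as a command, so a targets file should be validated before it is turned into scripts. The following generator is an added example (not part of this cheat sheet or of w3af) that builds one script per target from a list, in the command format shown above, and rejects entries that are not absolute http(s) URLs or that carry command separators. It generalizes the single-target script to a batch, derives a filesystem-safe directory name per target, and checks plugin names against the tables in this cheat sheet. The plugin allowlist, the `scan.w3af` file name and the output layout are this example's own choices.

```python
"""Generate w3af console scripts for a batch of targets, with input validation.

Added example, not w3af code. Assumes the script format shown in this cheat
sheet (target / set target / back, plugins / <type> <list>, output config,
start) and that `w3af_console -s <file>` runs such a script.
"""
import re
from pathlib import Path
from urllib.parse import urlparse

# Allowlist taken from the plugin tables in this cheat sheet. Note: newer w3af
# releases call the discovery plugin type "crawl"; adjust the key if needed.
KNOWN_PLUGINS = {
    "discovery": {"web_spider", "dir_file_bruter", "dns_wildcard", "robots_txt",
                  "sitemap_xml", "google_spider", "bing_spider"},
    "audit": {"sqli", "xss", "csrf", "lfi", "rfi", "os_commanding", "xpath", "ldapi"},
}


def validate_target(url):
    """Accept only absolute http(s) URLs with a host and no command separators,
    so a malformed targets file cannot smuggle extra console commands."""
    url = url.strip()
    if re.search(r"[\s;]", url):
        raise ValueError(f"target contains whitespace or ';': {url!r}")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"invalid target URL: {url!r}")
    return parsed.geturl()


def target_dirname(url):
    """Filesystem-safe directory name: host plus path, unsafe chars -> '_'."""
    parsed = urlparse(url)
    name = re.sub(r"[^A-Za-z0-9._-]+", "_", parsed.netloc + parsed.path).strip("_")
    return name or "target"


def build_script(url, plugins, output_dir):
    """Return the text of a .w3af script for one target."""
    url = validate_target(url)
    for ptype, names in plugins.items():
        unknown = set(names) - KNOWN_PLUGINS.get(ptype, set())
        if unknown:
            raise ValueError(f"unknown {ptype} plugins: {sorted(unknown)}")
    lines = ["target", f"set target {url}", "back", "plugins"]
    for ptype in ("discovery", "audit"):
        if plugins.get(ptype):
            lines.append(f"{ptype} {', '.join(plugins[ptype])}")
    lines += ["output text_file", "output config text_file",
              f"set output_file {output_dir}/report.txt", "back", "back", "start"]
    return "\n".join(lines) + "\n"


def build_batch(targets, plugins, base_dir):
    """Map output directory -> script text for every non-empty, non-comment line."""
    scripts = {}
    for raw in targets:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        out_dir = Path(base_dir) / target_dirname(validate_target(line))
        scripts[str(out_dir)] = build_script(line, plugins, str(out_dir))
    return scripts


def write_batch(targets, plugins, base_dir):
    """Write each script as <dir>/scan.w3af; returns the directories created."""
    scripts = build_batch(targets, plugins, base_dir)
    for out_dir, content in scripts.items():
        Path(out_dir).mkdir(parents=True, exist_ok=True)
        (Path(out_dir) / "scan.w3af").write_text(content, encoding="utf-8")
    return sorted(scripts)


if __name__ == "__main__":
    # Constructed sample targets; in practice read them from a file.
    sample_targets = ["http://target.example/", "# staging", "https://app.example/shop/"]
    for d in write_batch(sample_targets, {"discovery": ["web_spider"], "audit": ["sqli", "xss"]},
                         "w3af_batch"):
        print(f"wrote {d}/scan.w3af  ->  w3af_console -s {d}/scan.w3af")
```

Run the generated scripts with `w3af_console -s <dir>/scan.w3af` as in the section above; the generator only writes files and never launches a scan itself, which keeps script creation reviewable before anything touches the target.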
### Python API Usage

```python
#!/usr/bin/env python3
import w3af.core.controllers.w3afCore as w3afCore
import w3af.core.data.kb.knowledgeBase as kb

# Initialize w3af core
w3af = w3afCore.w3afCore()

# Set target
target_url = "http://target.com/"
w3af.target.set_target(target_url)

# Configure plugins
w3af.plugins.set_plugins(['web_spider'], 'discovery')
w3af.plugins.set_plugins(['sqli', 'xss'], 'audit')

# Start scan
w3af.start()

# Read the findings back from the knowledge base
vulns = kb.kb.get_all_vulns()
for vuln in vulns:
    print(f"Vulnerability: {vuln.get_name()}")
    print(f"URL: {vuln.get_url()}")
    print(f"Severity: {vuln.get_severity()}")
    print("---")
```
## Profiles and Templates

### Built-in Profiles

```bash
# List available profiles
w3af>>> profiles
w3af>>> profiles use OWASP_TOP10
w3af>>> profiles use fast_scan
w3af>>> profiles use full_audit

# View profile configuration
w3af>>> profiles view OWASP_TOP10
```
### Creating Custom Profiles

```bash
# Save current configuration as profile
w3af>>> profiles
w3af/profiles>>> save_as custom_profile

# Load custom profile
w3af/profiles>>> use custom_profile
w3af/profiles>>> back
```
### Profile Configuration Files

```ini
# Create custom profile file (custom_scan.pw3af)
[target]
target = http://target.com/

[plugins]
discovery = web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit = sqli, xss, csrf, lfi, rfi, os_commanding
attack = sqlmap, file_upload

[discovery.web_spider]
only_forward = False
ignore_regex = .*\.(jpg|jpeg|png|gif|pdf|zip)$

[audit.sqli]
check_numeric = True
check_string = True

[output]
output = console, text_file
text_file.output_file = /tmp/custom_scan.txt
```
## Integration with Other Tools

### Burp Suite Integration

```bash
# Configure w3af to use Burp as proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> back

# Export findings to Burp format
w3af>>> plugins
w3af/plugins>>> output burp_export
w3af/plugins>>> back
```
### Metasploit Integration

```bash
# Export vulnerabilities for Metasploit
w3af>>> plugins
w3af/plugins>>> output metasploit_export
w3af/plugins>>> output config metasploit_export
w3af/plugins/output/config:metasploit_export>>> set output_file /tmp/w3af_msf.rc
w3af/plugins/output/config:metasploit_export>>> back
w3af/plugins>>> back

# Use in Metasploit
msfconsole -r /tmp/w3af_msf.rc
```
### OWASP ZAP Integration

```bash
# Export to ZAP format
w3af>>> plugins
w3af/plugins>>> output zap_export
w3af/plugins>>> output config zap_export
w3af/plugins/output/config:zap_export>>> set output_file /tmp/w3af_zap.xml
w3af/plugins/output/config:zap_export>>> back
w3af/plugins>>> back
```
## Performance Optimization

### Threading Configuration

```bash
# Configure threading
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_discovery_time 600
w3af/config:misc-settings>>> set max_scan_time 3600
w3af/config:misc-settings>>> set thread_number 10
w3af/config:misc-settings>>> back
```
### Memory Management

```bash
# Configure memory settings
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 1000000
w3af/config:misc-settings>>> set max_requests_per_second 20
w3af/config:misc-settings>>> back
```
### Rate Limiting

```bash
# Configure rate limiting
w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 5
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```
## Troubleshooting

```bash
# SSL certificate issues
w3af>>> http-settings
w3af/config:http-settings>>> set ignore_session_cookies True
w3af/config:http-settings>>> set cookie_jar_file /tmp/cookies.txt
w3af/config:http-settings>>> back

# Memory issues
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 500000
w3af/config:misc-settings>>> set thread_number 5
w3af/config:misc-settings>>> back

# Timeout issues
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 60
w3af/config:http-settings>>> set max_http_retries 5
w3af/config:http-settings>>> back
```
### Debug Mode

```bash
# Enable debug output
w3af>>> misc-settings
w3af/config:misc-settings>>> set debug True
w3af/config:misc-settings>>> back

# View debug information
w3af>>> kb
w3af/kb>>> list vulns
w3af/kb>>> list info
w3af/kb>>> back
```
### Log Analysis

```bash
# View w3af logs
tail -f ~/.w3af/w3af.log

# Enable verbose logging
w3af>>> misc-settings
w3af/config:misc-settings>>> set verbose True
w3af/config:misc-settings>>> back
```

## Best Practices

### Scanning Strategy

1. **Start with discovery**: run the comprehensive discovery plugins first.
2. **Targeted audit**: focus the audit plugins on the discovered attack surface.
3. **Gradual escalation**: start with safe plugins, then move on to the intrusive ones.
4. **Regular updates**: keep w3af and its plugins up to date.
5. **Custom payloads**: create custom payloads for specific applications.

### Performance Considerations

```bash
# Optimized configuration for large applications
w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 15
w3af/config:misc-settings>>> set max_discovery_time 1800
w3af/config:misc-settings>>> set max_scan_time 7200
w3af/config:misc-settings>>> back

w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```

### Stealth Scanning

```bash
# Stealth configuration
w3af>>> http-settings
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
w3af/config:http-settings>>> set max_requests_per_second 2
w3af/config:http-settings>>> set timeout 45
w3af/config:http-settings>>> back

w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 3
w3af/config:misc-settings>>> back
```

## Automation Scripts

### Complete Scan Script

```bash
#!/bin/bash
TARGET=$1
OUTPUT_DIR="w3af_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

# Create w3af script
cat > "$OUTPUT_DIR/scan.w3af" << EOF
target
set target $TARGET
back
plugins
discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath
output console, text_file, html_file
output config text_file
set output_file $OUTPUT_DIR/w3af_report.txt
back
output config html_file
set output_file $OUTPUT_DIR/w3af_report.html
back
back
start
EOF

# Run scan
echo "[+] Starting w3af scan for $TARGET"
w3af_console -s "$OUTPUT_DIR/scan.w3af"
echo "[+] Scan complete. Results saved in $OUTPUT_DIR/"
```

### Batch Scanning Script

```bash
#!/bin/bash
TARGETS_FILE=$1
OUTPUT_BASE="w3af_batch_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGETS_FILE" ]; then
    echo "Usage: $0 <targets_file>"
    exit 1
fi

mkdir -p "$OUTPUT_BASE"

while read -r target; do
    if [ -n "$target" ]; then
        echo "[+] Scanning $target"
        # Derive a directory name from the URL: drop the scheme, replace slashes
        target_dir="$OUTPUT_BASE/$(echo "$target" | sed 's|https\?://||' | sed 's|/|_|g')"
        mkdir -p "$target_dir"

        cat > "$target_dir/scan.w3af" << EOF
target
set target $target
back
plugins
discovery web_spider, dir_file_bruter
audit sqli, xss, csrf
output text_file
output config text_file
set output_file $target_dir/report.txt
back
back
start
EOF

        w3af_console -s "$target_dir/scan.w3af"
    fi
done < "$TARGETS_FILE"

echo "[+] Batch scanning complete. Results in $OUTPUT_BASE/"
```

## Resources

- https://github.com/andresriancho/w3af
- https://owasp.org/www-project-web-security-testing-guide/
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/