W3af Web Application Attack Framework Cheat Sheet
"Clase de la hoja" idbutton id="w3af-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="w3af-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Overview
W3af (Web Application Attack and Audit Framework) is a comprehensive open-source web application security scanner. It provides a complete framework for finding and exploiting web application vulnerabilities, with discovery, audit and attack plugins for thorough security assessments.
Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it against any target.
Installation
Ubuntu/Debian Installation
# Install dependencies
sudo apt update
sudo apt install python3-pip python3-dev build-essential libssl-dev libffi-dev python3-setuptools
# Install w3af
git clone https://github.com/andresriancho/w3af.git
cd w3af
# Install Python dependencies
pip3 install -r requirements.txt
# Run dependency check
python3 w3af_console
# Install missing dependencies if prompted
./w3af_dependency_install.sh
Manual Installation
# Clone repository
git clone https://github.com/andresriancho/w3af.git
cd w3af
# Install dependencies manually
sudo apt install python3-pip python3-dev python3-setuptools
sudo apt install libxml2-dev libxslt1-dev zlib1g-dev
sudo apt install libyaml-dev libssl-dev libffi-dev
# Install Python packages
pip3 install --user -r requirements.txt
# Test installation
python3 w3af_console
Docker Installation
# Pull Docker image
docker pull andresriancho/w3af
# Run with Docker
docker run -it andresriancho/w3af
# Run with volume mount
docker run -it -v $(pwd):/tmp/w3af andresriancho/w3af
Kali Linux
# W3af is pre-installed in Kali
w3af_console
# If not installed
sudo apt update
sudo apt install w3af
Basic Usage
Console Interface
# Start w3af console
w3af_console
# GUI interface (if available)
w3af_gui
# Help commands
w3af>>> help
w3af>>> help plugins
w3af>>> help target
Basic Commands
# Set target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> back
# View current configuration
w3af>>> target view
# Start scan
w3af>>> start
# Exit
w3af>>> exit
Plugin Categories
Discovery Plugins
Plugin | Description |
---|---|
web_spider | Web application spider |
dir_file_bruter | Directory and file brute forcer |
dns_wildcard | DNS wildcard detection |
robots_txt | Robots.txt analyzer |
sitemap_xml | Sitemap.xml parser |
google_spider | Google search spider |
bing_spider | Bing search spider |
Audit Plugins
Plugin | Description |
---|---|
sqli | SQL injection detection |
xss | Cross-site scripting detection |
csrf | Cross-site request forgery |
lfi | Local file inclusion |
rfi | Remote file inclusion |
os_commanding | OS command injection |
xpath | XPath injection |
ldapi | LDAP injection |
Attack Plugins
Plugin | Description |
---|---|
sqlmap | SQL injection exploitation |
shell_shock | Shellshock exploitation |
file_upload | File upload exploitation |
dav | WebDAV exploitation |
rfi | Remote file inclusion exploitation |
Configuration and Setup
Basic Configuration
# Configure target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> set target_os unix
w3af/config:target>>> set target_framework php
w3af/config:target>>> back
# Configure HTTP settings
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Custom W3af Scanner)"
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> back
Authentication Configuration
# Basic authentication
w3af>>> http-settings
w3af/config:http-settings>>> set basic_auth_user username
w3af/config:http-settings>>> set basic_auth_passwd password
w3af/config:http-settings>>> set basic_auth_domain target.com
w3af/config:http-settings>>> back
# Cookie authentication
w3af>>> http-settings
w3af/config:http-settings>>> set cookie "PHPSESSID=abc123; auth=token"
w3af/config:http-settings>>> back
# Custom headers
w3af>>> http-settings
w3af/config:http-settings>>> set headers "Authorization: Bearer token123"
w3af/config:http-settings>>> back
Proxy Configuration
# Configure proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> set proxy_username proxy_user
w3af/config:http-settings>>> set proxy_password proxy_pass
w3af/config:http-settings>>> back
Discovery Phase
Web Spider Configuration
# Configure web spider
w3af>>> plugins
w3af/plugins>>> discovery web_spider
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward True
w3af/plugins/discovery/config:web_spider>>> set ignore_regex ".*\.(jpg|jpeg|png|gif|pdf|zip)$"
w3af/plugins/discovery/config:web_spider>>> set follow_regex ".*"
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
Directory Brute Force
# Configure directory brute forcer
w3af>>> plugins
w3af/plugins>>> discovery dir_file_bruter
w3af/plugins>>> discovery config dir_file_bruter
w3af/plugins/discovery/config:dir_file_bruter>>> set wordlist /usr/share/wordlists/dirb/common.txt
w3af/plugins/discovery/config:dir_file_bruter>>> set file_extensions php,html,txt,js
w3af/plugins/discovery/config:dir_file_bruter>>> set be_recursive True
w3af/plugins/discovery/config:dir_file_bruter>>> back
w3af/plugins>>> back
Complete Discovery Configuration
# Enable multiple discovery plugins
w3af>>> plugins
w3af/plugins>>> discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward False
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
Audit Phase
SQL Injection Detection
# Configure SQL injection plugin
w3af>>> plugins
w3af/plugins>>> audit sqli
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set check_numeric True
w3af/plugins/audit/config:sqli>>> set check_string True
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
Cross-Site Scripting (XSS)
# Configure XSS plugin
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> set check_persistent_xss True
w3af/plugins/audit/config:xss>>> set check_reflected_xss True
w3af/plugins/audit/config:xss>>> back
w3af/plugins>>> back
File Inclusion Vulnerabilities
# Configure LFI/RFI plugins
w3af>>> plugins
w3af/plugins>>> audit lfi, rfi
w3af/plugins>>> audit config lfi
w3af/plugins/audit/config:lfi>>> set use_time_delay True
w3af/plugins/audit/config:lfi>>> set use_echo True
w3af/plugins/audit/config:lfi>>> back
w3af/plugins>>> back
Comprehensive Audit Configuration
# Enable all major audit plugins
w3af>>> plugins
w3af/plugins>>> audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath, ldapi
w3af/plugins>>> back
Attack Phase
SQL Injection Exploitation
# Configure SQLMap integration
w3af>>> plugins
w3af/plugins>>> attack sqlmap
w3af/plugins>>> attack config sqlmap
w3af/plugins/attack/config:sqlmap>>> set sqlmap_path /usr/bin/sqlmap
w3af/plugins/attack/config:sqlmap>>> set exploit_all True
w3af/plugins/attack/config:sqlmap>>> back
w3af/plugins>>> back
File Upload Exploitation
# Configure file upload attack
w3af>>> plugins
w3af/plugins>>> attack file_upload
w3af/plugins>>> attack config file_upload
w3af/plugins/attack/config:file_upload>>> set extensions php,asp,aspx,jsp
w3af/plugins/attack/config:file_upload>>> back
w3af/plugins>>> back
Shell Access
# Configure shell access
w3af>>> plugins
w3af/plugins>>> attack shell_shock
w3af/plugins>>> back
# After successful exploitation
w3af>>> exploit
w3af>>> shell
shell>>> whoami
shell>>> pwd
shell>>> exit
Output and Reporting
Output Configuration
# Configure output plugins
w3af>>> plugins
w3af/plugins>>> output console, text_file, html_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file /tmp/w3af_report.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
w3af/plugins>>> back
HTML Report Generation
# Configure HTML report
w3af>>> plugins
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set output_file /tmp/w3af_report.html
w3af/plugins/output/config:html_file>>> back
w3af/plugins>>> back
XML Report Generation
# Configure XML report
w3af>>> plugins
w3af/plugins>>> output xml_file
w3af/plugins>>> output config xml_file
w3af/plugins/output/config:xml_file>>> set output_file /tmp/w3af_report.xml
w3af/plugins/output/config:xml_file>>> back
w3af/plugins>>> back
Advanced Configuration
Custom Payloads
# Create custom payload file
echo -e "' OR 1=1--\n\" OR 1=1--\n' UNION SELECT 1,2,3--" > custom_sqli.txt
# Configure custom payloads
w3af>>> plugins
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set payloads_file /path/to/custom_sqli.txt
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
Form Authentication
# Configure form authentication
w3af>>> plugins
w3af/plugins>>> discovery form_auth
w3af/plugins>>> discovery config form_auth
w3af/plugins/discovery/config:form_auth>>> set username admin
w3af/plugins/discovery/config:form_auth>>> set password password123
w3af/plugins/discovery/config:form_auth>>> set username_field username
w3af/plugins/discovery/config:form_auth>>> set password_field password
w3af/plugins/discovery/config:form_auth>>> set login_form_url http://target.com/login.php
w3af/plugins/discovery/config:form_auth>>> back
w3af/plugins>>> back
Session Management
# Configure session handling
w3af>>> http-settings
w3af/config:http-settings>>> set max_file_size 1000000
w3af/config:http-settings>>> set max_http_retries 3
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set headers_file /path/to/headers.txt
w3af/config:http-settings>>> back
Scripting and Automation
W3af Script Files
# Create w3af script file (scan_script.w3af)
target
set target http://target.com/
back
plugins
discovery web_spider, dir_file_bruter, robots_txt
audit sqli, xss, csrf, lfi, rfi
output console, text_file
output config text_file
set output_file /tmp/w3af_scan.txt
back
back
start
Running Scripts
# Run w3af script
w3af_console -s scan_script.w3af
# Run with profile
w3af_console -p OWASP_TOP10
# Run in batch mode
echo "target; set target http://target.com/; back; start"|w3af_console
Python API Usage
#!/usr/bin/env python3
import w3af.core.controllers.w3afCore as w3afCore
import w3af.core.data.kb.knowledgeBase as kb
# Initialize w3af core
w3af = w3afCore.w3afCore()
# Set target
target_url = "http://target.com/"
w3af.target.set_target(target_url)
# Configure plugins
w3af.plugins.set_plugins(['web_spider'], 'discovery')
w3af.plugins.set_plugins(['sqli', 'xss'], 'audit')
# Start scan
w3af.start()
# Get vulnerabilities from the knowledge base
vulns = kb.kb.get_all_vulns()
for vuln in vulns:
    print(f"Vulnerability: {vuln.get_name()}")
    print(f"URL: {vuln.get_url()}")
    print(f"Severity: {vuln.get_severity()}")
    print("---")
Profiles and Templates
Built-in Profiles
# List available profiles
w3af>>> profiles
w3af>>> profiles use OWASP_TOP10
w3af>>> profiles use fast_scan
w3af>>> profiles use full_audit
# View profile configuration
w3af>>> profiles view OWASP_TOP10
Creating Custom Profiles
# Save current configuration as profile
w3af>>> profiles
w3af/profiles>>> save_as custom_profile
# Load custom profile
w3af/profiles>>> use custom_profile
w3af/profiles>>> back
Profile Configuration Files
# Create custom profile file (custom_scan.pw3af)
[target]
target = http://target.com/
[plugins]
discovery = web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit = sqli, xss, csrf, lfi, rfi, os_commanding
attack = sqlmap, file_upload
[discovery.web_spider]
only_forward = False
ignore_regex = .*\.(jpg|jpeg|png|gif|pdf|zip)$
[audit.sqli]
check_numeric = True
check_string = True
[output]
output = console, text_file
text_file.output_file = /tmp/custom_scan.txt
Integration with Other Tools
Burp Suite Integration
# Configure w3af to use Burp as proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> back
# Export findings to Burp format
w3af>>> plugins
w3af/plugins>>> output burp_export
w3af/plugins>>> back
Metasploit Integration
# Export vulnerabilities for Metasploit
w3af>>> plugins
w3af/plugins>>> output metasploit_export
w3af/plugins>>> output config metasploit_export
w3af/plugins/output/config:metasploit_export>>> set output_file /tmp/w3af_msf.rc
w3af/plugins/output/config:metasploit_export>>> back
w3af/plugins>>> back
# Use in Metasploit
msfconsole -r /tmp/w3af_msf.rc
OWASP ZAP Integration
# Export to ZAP format
w3af>>> plugins
w3af/plugins>>> output zap_export
w3af/plugins>>> output config zap_export
w3af/plugins/output/config:zap_export>>> set output_file /tmp/w3af_zap.xml
w3af/plugins/output/config:zap_export>>> back
w3af/plugins>>> back
Performance Optimization
Threading Configuration
# Configure threading
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_discovery_time 600
w3af/config:misc-settings>>> set max_scan_time 3600
w3af/config:misc-settings>>> set thread_number 10
w3af/config:misc-settings>>> back
Memory Management
# Configure memory settings
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 1000000
w3af/config:misc-settings>>> set max_requests_per_second 20
w3af/config:misc-settings>>> back
Rate Limiting
# Configure rate limiting
w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 5
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
Troubleshooting
Common Issues
# SSL certificate issues
w3af>>> http-settings
w3af/config:http-settings>>> set ignore_session_cookies True
w3af/config:http-settings>>> set cookie_jar_file /tmp/cookies.txt
w3af/config:http-settings>>> back
# Memory issues
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 500000
w3af/config:misc-settings>>> set thread_number 5
w3af/config:misc-settings>>> back
# Timeout issues
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 60
w3af/config:http-settings>>> set max_http_retries 5
w3af/config:http-settings>>> back
Debug Mode
# Enable debug output
w3af>>> misc-settings
w3af/config:misc-settings>>> set debug True
w3af/config:misc-settings>>> back
# View debug information
w3af>>> kb
w3af/kb>>> list vulns
w3af/kb>>> list info
w3af/kb>>> back
Log Analysis
# View w3af logs
tail -f ~/.w3af/w3af.log
# Enable verbose logging
w3af>>> misc-settings
w3af/config:misc-settings>>> set verbose True
w3af/config:misc-settings>>> back
Best Practices
Scanning Strategy
- Start with discovery: Use comprehensive discovery plugins first
- Targeted auditing: Focus audit plugins on the discovered attack surface
- Gradual escalation: Start with safe plugins, then move to intrusive ones
- Regular updates: Keep w3af and its plugins updated
- Custom payloads: Create custom payloads for specific applications
Performance Considerations
# Optimized configuration for large applications
w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 15
w3af/config:misc-settings>>> set max_discovery_time 1800
w3af/config:misc-settings>>> set max_scan_time 7200
w3af/config:misc-settings>>> back
w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
Stealth Scanning
# Stealth configuration
w3af>>> http-settings
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
w3af/config:http-settings>>> set max_requests_per_second 2
w3af/config:http-settings>>> set timeout 45
w3af/config:http-settings>>> back
w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 3
w3af/config:misc-settings>>> back
Automation Scripts
Complete Scan Script
#!/bin/bash
# Run a full w3af discovery + audit scan against one target and save the reports
TARGET=$1
OUTPUT_DIR="w3af_results_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi
mkdir -p "$OUTPUT_DIR"
# Create w3af script
cat > "$OUTPUT_DIR/scan.w3af" << EOF
target
set target $TARGET
back
plugins
discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath
output console, text_file, html_file
output config text_file
set output_file $OUTPUT_DIR/w3af_report.txt
back
output config html_file
set output_file $OUTPUT_DIR/w3af_report.html
back
back
start
EOF
# Run scan
echo "[+] Starting w3af scan for $TARGET"
w3af_console -s "$OUTPUT_DIR/scan.w3af"
echo "[+] Scan complete. Results saved in $OUTPUT_DIR/"
Batch Scanning Script
#!/bin/bash
# Scan every URL listed in a targets file (one per line), one result directory per target
TARGETS_FILE=$1
OUTPUT_BASE="w3af_batch_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGETS_FILE" ]; then
    echo "Usage: $0 <targets_file>"
    exit 1
fi
mkdir -p "$OUTPUT_BASE"
while read -r target; do
    if [ -n "$target" ]; then
        echo "[+] Scanning $target"
        # Derive a directory name from the URL: strip the scheme, replace slashes
        target_dir="$OUTPUT_BASE/$(echo "$target" | sed -e 's|https\?://||' -e 's|/|_|g')"
        mkdir -p "$target_dir"
        cat > "$target_dir/scan.w3af" << EOF
target
set target $target
back
plugins
discovery web_spider, dir_file_bruter
audit sqli, xss, csrf
output text_file
output config text_file
set output_file $target_dir/report.txt
back
back
start
EOF
        w3af_console -s "$target_dir/scan.w3af"
    fi
done < "$TARGETS_FILE"
echo "[+] Batch scanning complete. Results in $OUTPUT_BASE/"
Resources
- W3af GitHub Repository
- W3af Documentation
- OWASP Testing Guide
- Web Application Security Testing
*This cheat sheet provides a complete reference for using W3af. Always make sure you have proper authorization before performing web application security testing.*