Foglio Informativo di W3af Web Application Attack Framework

📋 Copy All Commands 📄 Generate PDF

Panoramica

W3af (Web Application Attack and Audit Framework) è un completo scanner di sicurezza per applicazioni web open-source. Fornisce un framework completo per trovare ed eseguire exploit di vulnerabilità delle applicazioni web, con plugin di scoperta, audit e attacco per valutazioni di sicurezza approfondite.

⚠️ Avvertenza: Questo strumento è destinato esclusivamente a test di penetrazione autorizzati e valutazioni di sicurezza. Assicurati di avere l'autorizzazione prima di utilizzarlo su qualsiasi target.

Installazione

Installazione su Ubuntu/Debian

# Install dependencies
sudo apt update
sudo apt install python3-pip python3-dev build-essential libssl-dev libffi-dev python3-setuptools

# Install w3af
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install Python dependencies
pip3 install -r requirements.txt

# Run dependency check
python3 w3af_console

# Install missing dependencies if prompted
./w3af_dependency_install.sh

Installazione Manuale

# Clone repository
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install dependencies manually
sudo apt install python3-pip python3-dev python3-setuptools
sudo apt install libxml2-dev libxslt1-dev zlib1g-dev
sudo apt install libyaml-dev libssl-dev libffi-dev

# Install Python packages
pip3 install --user -r requirements.txt

# Test installation
python3 w3af_console

Installazione Docker

# Pull Docker image
docker pull andresriancho/w3af

# Run with Docker
docker run -it andresriancho/w3af

# Run with volume mount
docker run -it -v $(pwd):/tmp/w3af andresriancho/w3af

Kali Linux

# W3af is pre-installed in Kali
w3af_console

# If not installed
sudo apt update
sudo apt install w3af

Utilizzo Base

Interfaccia Console

# Start w3af console
w3af_console

# GUI interface (if available)
w3af_gui

# Help commands
w3af>>> help
w3af>>> help plugins
w3af>>> help target

Comandi Base

# Set target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> back

# View current configuration
w3af>>> target view

# Start scan
w3af>>> start

# Exit
w3af>>> exit

Categorie di Plugin

Plugin di Scoperta

Plugin	Descrizione
web_spider	Spider di applicazione web
dir_file_bruter	Directory e file brute forcer
dns_wildcard	Rilevamento wildcard DNS
robots_txt	Analizzatore Robots.txt
sitemap_xml	Parser di Sitemap.xml
google_spider	Spider di ricerca di Google
bing_spider	Ragno di ricerca Bing
### Plugin di Audit
Plugin	Descrizione
--------	-------------
sqli	Rilevamento di SQL injection
xss	Rilevamento di cross-site scripting
csrf	Cross-site request forgery
lfi	Inclusione di file locali
rfi	Inclusione remota di file
os_commanding	Iniezione di comandi del sistema operativo
xpath	Iniezione XPath
ldapi	Iniezione LDAP
### Plugin di Attacco
Plugin	Descrizione
--------	-------------
sqlmap	Sfruttamento dell'SQL injection
shell_shock	Sfruttamento di Shellshock
file_upload	Sfruttamento del caricamento di file
dav	Sfruttamento di WebDAV
rfi	Sfruttamento dell'inclusione di file remoti
## Configurazione e Setup

Configurazione Base

# Configure target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> set target_os unix
w3af/config:target>>> set target_framework php
w3af/config:target>>> back

# Configure HTTP settings
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Custom W3af Scanner)"
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> back

Configurazione Autenticazione

# Basic authentication
w3af>>> http-settings
w3af/config:http-settings>>> set basic_auth_user username
w3af/config:http-settings>>> set basic_auth_passwd password
w3af/config:http-settings>>> set basic_auth_domain target.com
w3af/config:http-settings>>> back

# Cookie authentication
w3af>>> http-settings
w3af/config:http-settings>>> set cookie "PHPSESSID=abc123; auth=token"
w3af/config:http-settings>>> back

# Custom headers
w3af>>> http-settings
w3af/config:http-settings>>> set headers "Authorization: Bearer token123"
w3af/config:http-settings>>> back

Configurazione Proxy

# Configure proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> set proxy_username proxy_user
w3af/config:http-settings>>> set proxy_password proxy_pass
w3af/config:http-settings>>> back

Fase di Scoperta

Configurazione Web Spider

# Configure web spider
w3af>>> plugins
w3af/plugins>>> discovery web_spider
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward True
w3af/plugins/discovery/config:web_spider>>> set ignore_regex ".*\.(jpg|jpeg|png|gif|pdf|zip)$"
w3af/plugins/discovery/config:web_spider>>> set follow_regex ".*"
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back

Forza Bruta Directory

# Configure directory brute forcer
w3af>>> plugins
w3af/plugins>>> discovery dir_file_bruter
w3af/plugins>>> discovery config dir_file_bruter
w3af/plugins/discovery/config:dir_file_bruter>>> set wordlist /usr/share/wordlists/dirb/common.txt
w3af/plugins/discovery/config:dir_file_bruter>>> set file_extensions php,html,txt,js
w3af/plugins/discovery/config:dir_file_bruter>>> set be_recursive True
w3af/plugins/discovery/config:dir_file_bruter>>> back
w3af/plugins>>> back

Setup Scoperta Completo

# Enable multiple discovery plugins
w3af>>> plugins
w3af/plugins>>> discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward False
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back

Fase di Audit

Rilevamento SQL Injection

# Configure SQL injection plugin
w3af>>> plugins
w3af/plugins>>> audit sqli
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set check_numeric True
w3af/plugins/audit/config:sqli>>> set check_string True
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back

Cross-Site Scripting (XSS)

# Configure XSS plugin
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> set check_persistent_xss True
w3af/plugins/audit/config:xss>>> set check_reflected_xss True
w3af/plugins/audit/config:xss>>> back
w3af/plugins>>> back

Vulnerabilità di Inclusione File

# Configure LFI/RFI plugins
w3af>>> plugins
w3af/plugins>>> audit lfi, rfi
w3af/plugins>>> audit config lfi
w3af/plugins/audit/config:lfi>>> set use_time_delay True
w3af/plugins/audit/config:lfi>>> set use_echo True
w3af/plugins/audit/config:lfi>>> back
w3af/plugins>>> back

Setup Audit Completo

Would you like me to continue with the remaining sections?```bash

Enable all major audit plugins

w3af>>> plugins w3af/plugins>>> audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath, ldapi w3af/plugins>>> back

## Attack Phase

### SQL Injection Exploitation
```bash
# Configure SQLMap integration
w3af>>> plugins
w3af/plugins>>> attack sqlmap
w3af/plugins>>> attack config sqlmap
w3af/plugins/attack/config:sqlmap>>> set sqlmap_path /usr/bin/sqlmap
w3af/plugins/attack/config:sqlmap>>> set exploit_all True
w3af/plugins/attack/config:sqlmap>>> back
w3af/plugins>>> back

File Upload Exploitation

# Configure file upload attack
w3af>>> plugins
w3af/plugins>>> attack file_upload
w3af/plugins>>> attack config file_upload
w3af/plugins/attack/config:file_upload>>> set extensions php,asp,aspx,jsp
w3af/plugins/attack/config:file_upload>>> back
w3af/plugins>>> back

Shell Access

# Configure shell access
w3af>>> plugins
w3af/plugins>>> attack shell_shock
w3af/plugins>>> back

# After successful exploitation
w3af>>> exploit
w3af>>> shell
shell>>> whoami
shell>>> pwd
shell>>> exit

Output and Reporting

Output Configuration

# Configure output plugins
w3af>>> plugins
w3af/plugins>>> output console, text_file, html_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file /tmp/w3af_report.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
w3af/plugins>>> back

HTML Report Generation

# Configure HTML report
w3af>>> plugins
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set output_file /tmp/w3af_report.html
w3af/plugins/output/config:html_file>>> back
w3af/plugins>>> back

XML Report Generation

# Configure XML report
w3af>>> plugins
w3af/plugins>>> output xml_file
w3af/plugins>>> output config xml_file
w3af/plugins/output/config:xml_file>>> set output_file /tmp/w3af_report.xml
w3af/plugins/output/config:xml_file>>> back
w3af/plugins>>> back

Advanced Configuration

Custom Payloads

# Create custom payload file
echo -e "' OR 1=1--\n\" OR 1=1--\n' UNION SELECT 1,2,3--" > custom_sqli.txt

# Configure custom payloads
w3af>>> plugins
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set payloads_file /path/to/custom_sqli.txt
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back

Form Authentication

# Configure form authentication
w3af>>> plugins
w3af/plugins>>> discovery form_auth
w3af/plugins>>> discovery config form_auth
w3af/plugins/discovery/config:form_auth>>> set username admin
w3af/plugins/discovery/config:form_auth>>> set password password123
w3af/plugins/discovery/config:form_auth>>> set username_field username
w3af/plugins/discovery/config:form_auth>>> set password_field password
w3af/plugins/discovery/config:form_auth>>> set login_form_url http://target.com/login.php
w3af/plugins/discovery/config:form_auth>>> back
w3af/plugins>>> back

Session Management

# Configure session handling
w3af>>> http-settings
w3af/config:http-settings>>> set max_file_size 1000000
w3af/config:http-settings>>> set max_http_retries 3
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set headers_file /path/to/headers.txt
w3af/config:http-settings>>> back

Scripting and Automation

W3af Script Files

# Create w3af script file (scan_script.w3af)
target
set target http://target.com/
back

plugins
discovery web_spider, dir_file_bruter, robots_txt
audit sqli, xss, csrf, lfi, rfi
output console, text_file
output config text_file
set output_file /tmp/w3af_scan.txt
back
back

start

Running Scripts

# Run w3af script
w3af_console -s scan_script.w3af

# Run with profile
w3af_console -p OWASP_TOP10

# Run in batch mode
echo "target; set target http://target.com/; back; start"|w3af_console

Python API Usage

#!/usr/bin/env python3
import w3af.core.controllers.w3afCore as w3afCore
import w3af.core.data.kb.knowledgeBase as kb

# Initialize w3af core
w3af = w3afCore.w3afCore()

# Set target
target_url = "http://target.com/"
w3af.target.set_target(target_url)

# Configure plugins
w3af.plugins.set_plugins(['web_spider'], 'discovery')
w3af.plugins.set_plugins(['sqli', 'xss'], 'audit')

# Start scan
w3af.start()

# Get vulnerabilities
vulns = kb.kb.get_all_vulns()
for vuln in vulns:
    print(f"Vulnerability: \\\\{vuln.get_name()\\\\}")
    print(f"URL: \\\\{vuln.get_url()\\\\}")
    print(f"Severity: \\\\{vuln.get_severity()\\\\}")
    print("---")

Profiles and Templates

Built-in Profiles

# List available profiles
w3af>>> profiles
w3af>>> profiles use OWASP_TOP10
w3af>>> profiles use fast_scan
w3af>>> profiles use full_audit

# View profile configuration
w3af>>> profiles view OWASP_TOP10

Creating Custom Profiles

# Save current configuration as profile
w3af>>> profiles
w3af/profiles>>> save_as custom_profile

# Load custom profile
w3af/profiles>>> use custom_profile
w3af/profiles>>> back

Profile Configuration Files

# Create custom profile file (custom_scan.pw3af)
[target]
target = http://target.com/

[plugins]
discovery = web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit = sqli, xss, csrf, lfi, rfi, os_commanding
attack = sqlmap, file_upload

[discovery.web_spider]
only_forward = False
ignore_regex = .*\.(jpg|jpeg|png|gif|pdf|zip)$

[audit.sqli]
check_numeric = True
check_string = True

[output]
output = console, text_file
text_file.output_file = /tmp/custom_scan.txt

Integration with Other Tools

Burp Suite Integration

# Configure w3af to use Burp as proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> back

# Export findings to Burp format
w3af>>> plugins
w3af/plugins>>> output burp_export
w3af/plugins>>> back

Metasploit Integration

# Export vulnerabilities for Metasploit
w3af>>> plugins
w3af/plugins>>> output metasploit_export
w3af/plugins>>> output config metasploit_export
w3af/plugins/output/config:metasploit_export>>> set output_file /tmp/w3af_msf.rc
w3af/plugins/output/config:metasploit_export>>> back
w3af/plugins>>> back

# Use in Metasploit
msfconsole -r /tmp/w3af_msf.rc

OWASP ZAP Integration

# Export to ZAP format
w3af>>> plugins
w3af/plugins>>> output zap_export
w3af/plugins>>> output config zap_export
w3af/plugins/output/config:zap_export>>> set output_file /tmp/w3af_zap.xml
w3af/plugins/output/config:zap_export>>> back
w3af/plugins>>> back

Performance Optimization

Threading Configuration

# Configure threading
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_discovery_time 600
w3af/config:misc-settings>>> set max_scan_time 3600
w3af/config:misc-settings>>> set thread_number 10
w3af/config:misc-settings>>> back

Memory Management

```bash

Configure memory settings

w3af>>> misc-settings w3af/config:misc-settings>>> set max_file_size 1000000 w3af/config:misc-settings>>> set max_requests_per_second 20 w3af/config:misc-settings>>> back ### Limitazione delle Richiestebash

Configure rate limiting

w3af>>> http-settings w3af/config:http-settings>>> set max_requests_per_second 5 w3af/config:http-settings>>> set timeout 30 w3af/config:http-settings>>> back ## Risoluzione dei Problemibash

SSL certificate issues

w3af>>> http-settings w3af/config:http-settings>>> set ignore_session_cookies True w3af/config:http-settings>>> set cookie_jar_file /tmp/cookies.txt w3af/config:http-settings>>> back

Memory issues

w3af>>> misc-settings w3af/config:misc-settings>>> set max_file_size 500000 w3af/config:misc-settings>>> set thread_number 5 w3af/config:misc-settings>>> back

Timeout issues

w3af>>> http-settings w3af/config:http-settings>>> set timeout 60 w3af/config:http-settings>>> set max_http_retries 5 w3af/config:http-settings>>> back ### Modalità Debugbash

Enable debug output

w3af>>> misc-settings w3af/config:misc-settings>>> set debug True w3af/config:misc-settings>>> back

View debug information

w3af>>> kb w3af/kb>>> list vulns w3af/kb>>> list info w3af/kb>>> back ### Analisi dei Logbash

View w3af logs

tail -f ~/.w3af/w3af.log

Enable verbose logging

w3af>>> misc-settings w3af/config:misc-settings>>> set verbose True w3af/config:misc-settings>>> back ```## Migliori Pratiche

Strategia di Scansione```bash

Optimized configuration for large applications

w3af>>> misc-settings w3af/config:misc-settings>>> set thread_number 15 w3af/config:misc-settings>>> set max_discovery_time 1800 w3af/config:misc-settings>>> set max_scan_time 7200 w3af/config:misc-settings>>> back

w3af>>> http-settings w3af/config:http-settings>>> set max_requests_per_second 10 w3af/config:http-settings>>> set timeout 30 w3af/config:http-settings>>> back **Inizia con la scoperta**: Utilizza prima plugin di scoperta completibash

Stealth configuration

w3af>>> http-settings w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" w3af/config:http-settings>>> set max_requests_per_second 2 w3af/config:http-settings>>> set timeout 45 w3af/config:http-settings>>> back

w3af>>> misc-settings w3af/config:misc-settings>>> set thread_number 3 w3af/config:misc-settings>>> back **Audit mirato**: Concentra i plugin di audit sulla superficie di attacco scopertabash

!/bin/bash

TARGET=\(1 OUTPUT_DIR="w3af_results_\)(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then echo "Usage: $0 " exit 1 fi

mkdir -p $OUTPUT_DIR

Create w3af script

cat > "$OUTPUT_DIR/scan.w3af" << EOF target set target $TARGET back

plugins discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath output console, text_file, html_file output config text_file set output_file $OUTPUT_DIR/w3af_report.txt back output config html_file set output_file $OUTPUT_DIR/w3af_report.html back back

start EOF

Run scan

echo "[+] Starting w3af scan for \(TARGET" w3af_console -s "\)OUTPUT_DIR/scan.w3af"

echo "[+] Scan complete. Results saved in $OUTPUT_DIR/" **Escalation graduale**: Inizia con plugin sicuri, poi passa a quelli invasivibash

!/bin/bash

TARGETS_FILE=\(1 OUTPUT_BASE="w3af_batch_\)(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGETS_FILE" ]; then echo "Usage: $0 " exit 1 fi

mkdir -p $OUTPUT_BASE

while read target; do if [ ! -z "\(target" ]; then echo "[+] Scanning \(target" target_dir="\)OUTPUT_BASE/\)(echo \(target|sed 's|https\?://||'|sed 's|/|_|g')" mkdir -p "\)target_dir"

    cat > "$target_dir/scan.w3af" << EOF

target set target $target back

plugins discovery web_spider, dir_file_bruter audit sqli, xss, csrf output text_file output config text_file set output_file $target_dir/report.txt back back

start EOF

    w3af_console -s "$target_dir/scan.w3af"
fi

done < $TARGETS_FILE

echo "[+] Batch scanning complete. Results in $OUTPUT_BASE/" ```Aggiornamenti regolari: Mantieni w3af e i suoi plugin aggiornatihttps://github.com/andresriancho/w3af Payload personalizzati: Crea payload personalizzati per applicazioni specifiche

Considerazioni sulle Prestazioni

http://docs.w3af.org/##

Scansione Furtiva

https://owasp.org/www-project-web-security-testing-guide/#

Script di Automazione

Script di Scansione Completa

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/##

Script di Scansione Batch