# W3af Web Application Attack Framework Cheat Sheet

## Overview

W3af (Web Application Attack and Audit Framework) is a comprehensive, open-source web application security scanner. It provides a complete framework for finding and exploiting vulnerabilities in web applications, with discovery, audit and attack plugins for thorough security assessments.

⚠️ Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it against any target.

## Installation

### Installation on Ubuntu/Debian

```bash
# Install dependencies
sudo apt update
sudo apt install python3-pip python3-dev build-essential libssl-dev libffi-dev python3-setuptools

# Install w3af
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install Python dependencies
pip3 install -r requirements.txt

# Run dependency check
python3 w3af_console

# Install missing dependencies if prompted
./w3af_dependency_install.sh
```

### Manual Installation

```bash
# Clone repository
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install dependencies manually
sudo apt install python3-pip python3-dev python3-setuptools
sudo apt install libxml2-dev libxslt1-dev zlib1g-dev
sudo apt install libyaml-dev libssl-dev libffi-dev

# Install Python packages
pip3 install --user -r requirements.txt

# Test installation
python3 w3af_console
```

### Docker Installation

```bash
# Pull Docker image
docker pull andresriancho/w3af

# Run with Docker
docker run -it andresriancho/w3af

# Run with volume mount (current directory mapped into the container)
docker run -it -v "$(pwd)":/tmp/w3af andresriancho/w3af
```

### Kali Linux

```bash
# W3af is pre-installed in Kali
w3af_console

# If not installed
sudo apt update
sudo apt install w3af
```

## Basic Usage

### Console Interface

```bash
# Start w3af console
w3af_console

# GUI interface (if available)
w3af_gui

# Help commands
w3af>>> help
w3af>>> help plugins
w3af>>> help target
```

### Basic Commands

```bash
# Set target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> back

# View current configuration
w3af>>> target view

# Start scan
w3af>>> start

# Exit
w3af>>> exit
```

## Plugin Categories

### Discovery Plugins

| Plugin | Description |
|---|---|
| web_spider | Web application spider |
| dir_file_bruter | Directory and file brute forcer |
| dns_wildcard | DNS wildcard detection |
| robots_txt | Robots.txt parser |
| sitemap_xml | Sitemap.xml parser |
| google_spider | Google search spider |
| bing_spider | Bing search spider |

### Audit Plugins

| Plugin | Description |
|---|---|
| sqli | SQL injection detection |
| xss | Cross-site scripting detection |
| csrf | Cross-site request forgery detection |
| lfi | Local file inclusion |
| rfi | Remote file inclusion |
| os_commanding | OS command injection |
| xpath | XPath injection |
| ldapi | LDAP injection |

### Attack Plugins

| Plugin | Description |
|---|---|
| sqlmap | SQL injection exploitation |
| shell_shock | Shellshock exploitation |
| file_upload | File upload exploitation |
| dav | WebDAV exploitation |
| rfi | Remote file inclusion exploitation |

## Configuration and Setup

### Basic Configuration

```bash
# Configure target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> set target_os unix
w3af/config:target>>> set target_framework php
w3af/config:target>>> back

# Configure HTTP settings
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Custom W3af Scanner)"
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> back
```

### Authentication Configuration

```bash
# Basic authentication
w3af>>> http-settings
w3af/config:http-settings>>> set basic_auth_user username
w3af/config:http-settings>>> set basic_auth_passwd password
w3af/config:http-settings>>> set basic_auth_domain target.com
w3af/config:http-settings>>> back

# Cookie authentication
w3af>>> http-settings
w3af/config:http-settings>>> set cookie "PHPSESSID=abc123; auth=token"
w3af/config:http-settings>>> back

# Custom headers
w3af>>> http-settings
w3af/config:http-settings>>> set headers "Authorization: Bearer token123"
w3af/config:http-settings>>> back
```

### Proxy Configuration

```bash
# Configure proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> set proxy_username proxy_user
w3af/config:http-settings>>> set proxy_password proxy_pass
w3af/config:http-settings>>> back
```

## Discovery Phase

### Web Spider Configuration

```bash
# Configure web spider
w3af>>> plugins
w3af/plugins>>> discovery web_spider
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward True
w3af/plugins/discovery/config:web_spider>>> set ignore_regex ".*\.(jpg|jpeg|png|gif|pdf|zip)$"
w3af/plugins/discovery/config:web_spider>>> set follow_regex ".*"
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```

### Directory Brute Forcing

```bash
# Configure directory brute forcer
w3af>>> plugins
w3af/plugins>>> discovery dir_file_bruter
w3af/plugins>>> discovery config dir_file_bruter
w3af/plugins/discovery/config:dir_file_bruter>>> set wordlist /usr/share/wordlists/dirb/common.txt
w3af/plugins/discovery/config:dir_file_bruter>>> set file_extensions php,html,txt,js
w3af/plugins/discovery/config:dir_file_bruter>>> set be_recursive True
w3af/plugins/discovery/config:dir_file_bruter>>> back
w3af/plugins>>> back
```

### Comprehensive Discovery Configuration

```bash
# Enable multiple discovery plugins
w3af>>> plugins
w3af/plugins>>> discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward False
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```

## Audit Phase

### SQL Injection Detection

```bash
# Configure SQL injection plugin
w3af>>> plugins
w3af/plugins>>> audit sqli
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set check_numeric True
w3af/plugins/audit/config:sqli>>> set check_string True
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```

### Cross-Site Scripting (XSS)

```bash
# Configure XSS plugin
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> set check_persistent_xss True
w3af/plugins/audit/config:xss>>> set check_reflected_xss True
w3af/plugins/audit/config:xss>>> back
w3af/plugins>>> back
```

### File Inclusion Vulnerabilities

```bash
# Configure LFI/RFI plugins
w3af>>> plugins
w3af/plugins>>> audit lfi, rfi
w3af/plugins>>> audit config lfi
w3af/plugins/audit/config:lfi>>> set use_time_delay True
w3af/plugins/audit/config:lfi>>> set use_echo True
w3af/plugins/audit/config:lfi>>> back
w3af/plugins>>> back
```

### Comprehensive Audit Configuration

```bash
# Enable all major audit plugins
w3af>>> plugins
w3af/plugins>>> audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath, ldapi
w3af/plugins>>> back
```

## Attack Phase

### SQL Injection Exploitation

```bash
# Configure SQLMap integration
w3af>>> plugins
w3af/plugins>>> attack sqlmap
w3af/plugins>>> attack config sqlmap
w3af/plugins/attack/config:sqlmap>>> set sqlmap_path /usr/bin/sqlmap
w3af/plugins/attack/config:sqlmap>>> set exploit_all True
w3af/plugins/attack/config:sqlmap>>> back
w3af/plugins>>> back
```

### File Upload Exploitation

```bash
# Configure file upload attack
w3af>>> plugins
w3af/plugins>>> attack file_upload
w3af/plugins>>> attack config file_upload
w3af/plugins/attack/config:file_upload>>> set extensions php,asp,aspx,jsp
w3af/plugins/attack/config:file_upload>>> back
w3af/plugins>>> back
```

### Shell Access

```bash
# Configure shell access
w3af>>> plugins
w3af/plugins>>> attack shell_shock
w3af/plugins>>> back

# After successful exploitation
w3af>>> exploit
w3af>>> shell
shell>>> whoami
shell>>> pwd
shell>>> exit
```

## Output and Reporting

### Output Configuration

```bash
# Configure output plugins
w3af>>> plugins
w3af/plugins>>> output console, text_file, html_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file /tmp/w3af_report.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
w3af/plugins>>> back
```

### HTML Report Generation

```bash
# Configure HTML report
w3af>>> plugins
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set output_file /tmp/w3af_report.html
w3af/plugins/output/config:html_file>>> back
w3af/plugins>>> back
```

### XML Report Generation

```bash
# Configure XML report
w3af>>> plugins
w3af/plugins>>> output xml_file
w3af/plugins>>> output config xml_file
w3af/plugins/output/config:xml_file>>> set output_file /tmp/w3af_report.xml
w3af/plugins/output/config:xml_file>>> back
w3af/plugins>>> back
```

## Advanced Configuration

### Custom Payloads

```bash
# Create custom payload file
echo -e "' OR 1=1--\n\" OR 1=1--\n' UNION SELECT 1,2,3--" > custom_sqli.txt

# Configure custom payloads
w3af>>> plugins
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set payloads_file /path/to/custom_sqli.txt
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```

### Form Authentication

```bash
# Configure form authentication
w3af>>> plugins
w3af/plugins>>> discovery form_auth
w3af/plugins>>> discovery config form_auth
w3af/plugins/discovery/config:form_auth>>> set username admin
w3af/plugins/discovery/config:form_auth>>> set password password123
w3af/plugins/discovery/config:form_auth>>> set username_field username
w3af/plugins/discovery/config:form_auth>>> set password_field password
w3af/plugins/discovery/config:form_auth>>> set login_form_url http://target.com/login.php
w3af/plugins/discovery/config:form_auth>>> back
w3af/plugins>>> back
```

### Session Management

```bash
# Configure session handling
w3af>>> http-settings
w3af/config:http-settings>>> set max_file_size 1000000
w3af/config:http-settings>>> set max_http_retries 3
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set headers_file /path/to/headers.txt
w3af/config:http-settings>>> back
```

## Scripting and Automation

### W3af Script Files

```text
# Create w3af script file (scan_script.w3af)
target
set target http://target.com/
back

plugins
discovery web_spider, dir_file_bruter, robots_txt
audit sqli, xss, csrf, lfi, rfi
output console, text_file
output config text_file
set output_file /tmp/w3af_scan.txt
back
back

start
```

### Running Scripts

```bash
# Run w3af script
w3af_console -s scan_script.w3af

# Run with profile
w3af_console -p OWASP_TOP10

# Run in batch mode
echo "target; set target http://target.com/; back; start"|w3af_console
```

### Python API Usage

```python
#!/usr/bin/env python3
import w3af.core.controllers.w3afCore as w3afCore
import w3af.core.data.kb.knowledgeBase as kb

# Initialize w3af core (named "core" so it does not shadow the w3af package)
core = w3afCore.w3afCore()

# Set target
target_url = "http://target.com/"
core.target.set_target(target_url)

# Configure plugins
core.plugins.set_plugins(['web_spider'], 'discovery')
core.plugins.set_plugins(['sqli', 'xss'], 'audit')

# Start scan (blocks until the scan has finished)
core.start()

# Read the findings from the knowledge base
vulns = kb.kb.get_all_vulns()
for vuln in vulns:
    print(f"Vulnerability: {vuln.get_name()}")
    print(f"URL: {vuln.get_url()}")
    print(f"Severity: {vuln.get_severity()}")
    print("---")
```

## Profiles and Templates

### Built-in Profiles

```bash
# List available profiles
w3af>>> profiles
w3af>>> profiles use OWASP_TOP10
w3af>>> profiles use fast_scan
w3af>>> profiles use full_audit

# View profile configuration
w3af>>> profiles view OWASP_TOP10
```

### Creating Custom Profiles

```bash
# Save current configuration as profile
w3af>>> profiles
w3af/profiles>>> save_as custom_profile

# Load custom profile
w3af/profiles>>> use custom_profile
w3af/profiles>>> back
```

### Profile Configuration Files

```ini
# Create custom profile file (custom_scan.pw3af)
[target]
target = http://target.com/

[plugins]
discovery = web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit = sqli, xss, csrf, lfi, rfi, os_commanding
attack = sqlmap, file_upload

[discovery.web_spider]
only_forward = False
ignore_regex = .*\.(jpg|jpeg|png|gif|pdf|zip)$

[audit.sqli]
check_numeric = True
check_string = True

[output]
output = console, text_file
text_file.output_file = /tmp/custom_scan.txt
```
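A profile file is easy to get subtly wrong (a misspelled plugin name, a `[category.plugin]` section for a plugin that was never enabled, or attack plugins left on in a profile meant for a first pass). The reviewer below is an added example, not part of w3af or of this cheat sheet: it parses a `.pw3af` profile with Python's `configparser` and reports those problems. The `KNOWN` lookup is built from the plugin tables on this page and `SAMPLE_PROFILE` is a constructed input modelled on `custom_scan.pw3af`; both are assumptions of the example, not w3af's own plugin registry.

```python
import configparser
from io import StringIO

# Plugin names as listed in this cheat sheet's tables (constructed lookup, not w3af's registry).
KNOWN = {
    "discovery": {"web_spider", "dir_file_bruter", "dns_wildcard", "robots_txt",
                  "sitemap_xml", "google_spider", "bing_spider", "form_auth"},
    "audit": {"sqli", "xss", "csrf", "lfi", "rfi", "os_commanding", "xpath", "ldapi"},
    "attack": {"sqlmap", "shell_shock", "file_upload", "dav", "rfi"},
}

# Constructed sample in the same layout as custom_scan.pw3af above.
SAMPLE_PROFILE = """\
[target]
target = http://target.com/

[plugins]
discovery = web_spider, dir_file_bruter, robots_txt
audit = sqli, xss, csrf
attack = sqlmap

[discovery.web_spider]
only_forward = False

[audit.lfi]
use_echo = True
"""

def load_profile(text: str) -> configparser.ConfigParser:
    """Parse .pw3af text; interpolation is off so regex values with '%' survive."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(StringIO(text))
    if "plugins" not in cfg:
        raise ValueError("profile has no [plugins] section")
    return cfg

def check_profile(text: str, allow_attack: bool = False) -> list:
    """Return findings (empty list = profile passes). Flags unknown plugin names, attack
    plugins unless allow_attack is set (gradual escalation: safe plugins first), and
    [category.plugin] config sections whose plugin is not enabled in [plugins]."""
    cfg = load_profile(text)
    enabled = {cat: [p.strip() for p in val.split(",") if p.strip()]
               for cat, val in cfg["plugins"].items()}
    findings = []
    for cat, names in enabled.items():
        findings += [f"unknown {cat} plugin: {n}" for n in names if n not in KNOWN.get(cat, ())]
        if cat == "attack" and names and not allow_attack:
            findings.append("attack plugins enabled: " + ", ".join(names))
    for section in cfg.sections():
        if "." in section:
            cat, name = section.split(".", 1)
            if name not in enabled.get(cat, []):
                findings.append(f"[{section}] configures a plugin that is not enabled")
    return findings
```

Run `check_profile(open("custom_scan.pw3af").read())` before loading a profile; pass `allow_attack=True` only for the later, intrusive pass.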
## Integration with Other Tools

### Burp Suite

```bash
# Configure w3af to use Burp as proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> back

# Export findings to Burp format
w3af>>> plugins
w3af/plugins>>> output burp_export
w3af/plugins>>> back
```

### Metasploit

```bash
# Export vulnerabilities for Metasploit
w3af>>> plugins
w3af/plugins>>> output metasploit_export
w3af/plugins>>> output config metasploit_export
w3af/plugins/output/config:metasploit_export>>> set output_file /tmp/w3af_msf.rc
w3af/plugins/output/config:metasploit_export>>> back
w3af/plugins>>> back

# Use in Metasploit
msfconsole -r /tmp/w3af_msf.rc
```

### OWASP ZAP

```bash
# Export to ZAP format
w3af>>> plugins
w3af/plugins>>> output zap_export
w3af/plugins>>> output config zap_export
w3af/plugins/output/config:zap_export>>> set output_file /tmp/w3af_zap.xml
w3af/plugins/output/config:zap_export>>> back
w3af/plugins>>> back
```

## Performance Optimization

### Threading

```bash
# Configure threading
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_discovery_time 600
w3af/config:misc-settings>>> set max_scan_time 3600
w3af/config:misc-settings>>> set thread_number 10
w3af/config:misc-settings>>> back
```

### Memory Settings

```bash
# Configure memory settings
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 1000000
w3af/config:misc-settings>>> set max_requests_per_second 20
w3af/config:misc-settings>>> back
```

### Rate Limiting

```bash
# Configure rate limiting
w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 5
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```

## Troubleshooting

### Common Issues

```bash
# SSL certificate issues
w3af>>> http-settings
w3af/config:http-settings>>> set ignore_session_cookies True
w3af/config:http-settings>>> set cookie_jar_file /tmp/cookies.txt
w3af/config:http-settings>>> back

# Memory issues
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 500000
w3af/config:misc-settings>>> set thread_number 5
w3af/config:misc-settings>>> back

# Timeout issues
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 60
w3af/config:http-settings>>> set max_http_retries 5
w3af/config:http-settings>>> back
```

### Debug Mode

```bash
# Enable debug output
w3af>>> misc-settings
w3af/config:misc-settings>>> set debug True
w3af/config:misc-settings>>> back

# View debug information
w3af>>> kb
w3af/kb>>> list vulns
w3af/kb>>> list info
w3af/kb>>> back
```

### Log Analysis

```bash
# View w3af logs
tail -f ~/.w3af/w3af.log

# Enable verbose logging
w3af>>> misc-settings
w3af/config:misc-settings>>> set verbose True
w3af/config:misc-settings>>> back
```

## Best Practices

### Scanning Strategy

1. **Start with discovery**: Run the comprehensive discovery plugins first.
2. **Targeted audit**: Focus the audit plugins on the attack surface that discovery found.
3. **Gradual escalation**: Start with safe plugins, then move on to intrusive ones.
4. **Regular updates**: Keep w3af and its plugins up to date.
5. **Custom payloads**: Create custom payloads for specific applications.

### Performance Considerations

```bash
# Optimized configuration for large applications
w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 15
w3af/config:misc-settings>>> set max_discovery_time 1800
w3af/config:misc-settings>>> set max_scan_time 7200
w3af/config:misc-settings>>> back

w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```

### Stealth Scanning

```bash
# Stealth configuration
w3af>>> http-settings
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
w3af/config:http-settings>>> set max_requests_per_second 2
w3af/config:http-settings>>> set timeout 45
w3af/config:http-settings>>> back

w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 3
w3af/config:misc-settings>>> back
```

## Automation Scripts

### Comprehensive Scan Script

```bash
#!/bin/bash

TARGET=$1
OUTPUT_DIR="w3af_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

# Create w3af script
cat > "$OUTPUT_DIR/scan.w3af" << EOF
target
set target $TARGET
back

plugins
discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath
output console, text_file, html_file
output config text_file
set output_file $OUTPUT_DIR/w3af_report.txt
back
output config html_file
set output_file $OUTPUT_DIR/w3af_report.html
back
back

start
EOF

# Run scan
echo "[+] Starting w3af scan for $TARGET"
w3af_console -s "$OUTPUT_DIR/scan.w3af"

echo "[+] Scan complete. Results saved in $OUTPUT_DIR/"
```

### Batch Scanning Script

```bash
#!/bin/bash

TARGETS_FILE=$1
OUTPUT_BASE="w3af_batch_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGETS_FILE" ]; then
    echo "Usage: $0 <targets_file>"
    exit 1
fi

mkdir -p "$OUTPUT_BASE"

# One target URL per line; -r keeps backslashes literal, IFS= keeps surrounding whitespace intact
while IFS= read -r target; do
    if [ -n "$target" ]; then
        echo "[+] Scanning $target"
        # Directory name per target: drop the scheme, replace slashes with underscores
        target_dir="$OUTPUT_BASE/$(echo "$target" | sed 's|https\?://||' | sed 's|/|_|g')"
        mkdir -p "$target_dir"

        cat > "$target_dir/scan.w3af" << EOF
target
set target $target
back

plugins
discovery web_spider, dir_file_bruter
audit sqli, xss, csrf
output text_file
output config text_file
set output_file $target_dir/report.txt
back
back

start
EOF

        w3af_console -s "$target_dir/scan.w3af"
    fi
done < "$TARGETS_FILE"

echo "[+] Batch scanning complete. Results in $OUTPUT_BASE/"
```
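Both shell scripts above interpolate the target straight into `set target` and build a directory name from it with `sed`, so a malformed line in the targets file produces a broken script or an odd directory. The generator below is an added example, not part of w3af or of this cheat sheet: it renders the same `.w3af` layout from Python, validates that each target is an absolute http(s) URL first, and reproduces the scheme-stripping directory mapping. The default plugin sets (`DEFAULT_DISCOVERY`, `DEFAULT_AUDIT`) are copied from the comprehensive scan script and are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Plugin sets mirror the comprehensive scan script above (constructed defaults).
DEFAULT_DISCOVERY = ("web_spider", "dir_file_bruter", "robots_txt", "sitemap_xml")
DEFAULT_AUDIT = ("sqli", "xss", "csrf", "lfi", "rfi", "os_commanding", "xpath")


def validate_target(url: str) -> str:
    """Accept only an absolute http(s) URL with a host and no inner whitespace, so a
    stray or malformed line in targets.txt cannot become a bad 'set target' line."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    if any(ch.isspace() for ch in url):
        raise ValueError(f"whitespace inside target URL: {url!r}")
    return url


def target_to_dirname(url: str) -> str:
    """Same mapping as the batch script's sed pipeline: drop the scheme and turn
    every '/' into '_' (no slash survives, so the name stays inside the output dir)."""
    return re.sub(r"^https?://", "", url.strip()).replace("/", "_")


def build_w3af_script(target: str, output_dir: str, discovery=DEFAULT_DISCOVERY,
                      audit=DEFAULT_AUDIT, html: bool = True) -> str:
    """Render a w3af console script in the layout used on this page:
    target block, plugin selection, output plugin settings, then 'start'."""
    target = validate_target(target)
    outputs = ["console", "text_file"] + (["html_file"] if html else [])
    lines = ["target", f"set target {target}", "back", "",
             "plugins",
             "discovery " + ", ".join(discovery),
             "audit " + ", ".join(audit),
             "output " + ", ".join(outputs),
             "output config text_file",
             f"set output_file {output_dir}/w3af_report.txt", "back"]
    if html:
        lines += ["output config html_file",
                  f"set output_file {output_dir}/w3af_report.html", "back"]
    lines += ["back", "", "start", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://target.com/"
    print(build_w3af_script(url, "w3af_results/" + target_to_dirname(url)))
```

Write the returned text to `scan.w3af` and run it with `w3af_console -s scan.w3af` exactly as in the scripts above.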

## Resources

- https://github.com/andresriancho/w3af
- http://docs.w3af.org/
- https://owasp.org/www-project-web-security-testing-guide/
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/