Web application attack and audit framework

Recently Larry Suto published his second paper on web application security scanners (if you are wondering about his first one, you can find it here) and as expected it once again stirred up a couple of people.

And while he analyzed the most used web security scanners, I wonder if we could change direction and focus on a not so well known, open source web application scanner.

Probably you’ve figured out by now what I’m talking about; as written in the title, I’m talking about the “web application attack and audit framework”, or w3af.

The authors describe it for short:

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

While this resembles the idea (and direction) with which the project started, to me it seems that w3af is as much a framework as Joomla! is for web application development. I would rather call it a full featured web application testing platform.

Even if I’m not that big of a fan of automated vulnerability scanners, I have to admit that w3af has a nice series of discovery plugins, which is reason enough for me to give it a thumbs up.

That’s all I wanted to share with you today. For more information about w3af I recommend their SourceForge page and Andres Riancho’s interview for the OWASP podcast (this dude is the core developer of w3af).


WGet all the way

There are a couple of security auditing frameworks out there, and the temptation to create your own is high, whether in Perl, Ruby, Python or, why not, PHP as well.

Needless to say, I too was tempted to create my own framework. Ideas kept flowing in, the project was started, and then BAM, I read an interesting article on GNUCITIZEN which made me rethink my strategy…

One of the comments pointed it out very well:

most of the stuff we need is on the shell already. pentesting frameworks is like the new security-testing hype. first we had hundreds of portscanners, then hundreds of webapp MiTM proxies, then hundreds of fuzzers, then hundreds of SQL injectors, now it’s about pentesting frameworks :)

So instead of starting to write redundant code, I started to learn the already available command line tools, which have years of development behind them and cover almost every aspect they need to.

Basically I’m building my framework around already available tools, and only code up things that do not exist, or for some very particular cases.


Workstation Virtualization Security

The idea for this article came to mind a couple of days ago, but I decided to post it today after listening to the following two “the Malware Report” podcasts: Virtualization is Not Security and Virtualization: Security Risks You Must Know. Podcasts in which they treat a common misconception that virtual machines (even virtual firewalls) are more secure than normal machines.


Malware: a common threat

Malware represents a common threat to all users out there surfing the web. It doesn’t have ethics or a message to spread, like viruses used to have (not all had dangerous payloads).


SQL Injection Junkie

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks. (Wikipedia)



Javascript/Userscript Keylogger

Some days ago, while I was writing the (traffic magnet) article HYGHAAZG and mentioned the keylogger, a userscript one instantly came to mind. I googled a bit, but didn’t seem to find any (quite amazed)…


Exploit Shield

An exploit (from the same word in the French language, meaning “achievement”, or “accomplishment”) is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as violently gaining control of a computer system or allowing privilege escalation or a denial of service attack. (Wikipedia)



Bookmarklets

A bookmarklet is an applet, a small computer application, stored as the URL of a bookmark in a web browser or as a hyperlink on a web page. The term is a portmanteau of the terms bookmark and applet. Whether bookmarklet utilities are stored as bookmarks or hyperlinks, they are designed to add one-click functionality to a browser or web page. When clicked, a bookmarklet performs some function, one of a wide variety such as a search query or data extraction. Usually the applet is a JavaScript program. (Wikipedia)



Intercepting Proxies?

People tend to overdo things… And somewhere (not sure where) I’ve read an article (or better, call it a tutorial) where, for simple modifications of parameter/header values, the author suggested an intercepting proxy like WebScarab, BurpProxy, ParosProxy, ProxyStrike, etc. Yes, they’re up to the job, but aren’t there some simpler solutions? Yes there are, and those solutions will be presented in the following lines…


FormJacking

With all the buzz around Clickjacking I had to come up with an article which would contain that word, or at least a part of it. This article could also be named Form Thievery, but it wouldn’t sound that cool, would it?