How to test your web server for the OWASP Top Ten security vulnerabilities (using w3af)

w3af (short for web application attack and audit framework) is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for Web applications. It provides information about security vulnerabilities and aids in penetration testing efforts.

OWASP (the Open Web Application Security Project) is an online community dedicated to web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

## install

```sh
# Debian/Ubuntu
$ sudo apt-get install w3af
# RHEL/CentOS (package from the http://www.atomicorp.com repo)
$ sudo yum install w3af
# or use the BackBox distro, see http://distrowatch.com/table.php?distribution=backbox
```

## usage (CLI w3af_console or w3af_gui)

Note: scripts, profiles and output plugins live under `/usr/share/w3af/`. The console script below selects the OWASP_TOP10 profile, enables the console, textFile and htmlFile output plugins, writes their reports under `/tmp`, sets the target and starts the scan. Save it as `myscript.w3af` and run it with `w3af_console -s myscript.w3af`:

```
profiles
use OWASP_TOP10
back
plugins
output console, textFile, htmlFile
output config textFile
set fileName /tmp/output-wa3f.txt
set httpFileName /tmp/output-http.txt
back
output config htmlFile
set fileName /tmp/output-wa3f.html
back
back
target
set target http://10.10.0.237:8081/
back
start
exit
```
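As an added example (not code from the original post or from the w3af project), the following POSIX shell wrapper generates the same console script for a chosen target and output directory, refuses any target whose host is not listed in `W3AF_ALLOWED_HOSTS` (an assumed environment variable holding the space-separated `host[:port]` values you are authorised to scan), and then runs it with `w3af_console -s`. It assumes `w3af_console` is on PATH and that the OWASP_TOP10 profile is installed.

```shell
#!/bin/sh
# Added example, not code from the original post or the w3af project.
# Assumed: w3af_console on PATH, OWASP_TOP10 profile present, and
# W3AF_ALLOWED_HOSTS set to a space-separated list of host[:port] values.

# Print host[:port] of an http(s) URL; prints nothing for other schemes.
url_host() {
    case "$1" in
        http://*|https://*) h="${1#*://}"; printf '%s\n' "${h%%/*}" ;;
    esac
}

# Write the console script to stdout. Profile, plugin and command names
# are the ones from the post; only the target and output paths vary.
make_w3af_script() {
    target="$1"; outdir="$2"
    host=$(url_host "$target")
    [ -n "$host" ] || { echo "target must be an http(s) URL: $target" >&2; return 1; }
    allowed=0
    for a in $W3AF_ALLOWED_HOSTS; do if [ "$a" = "$host" ]; then allowed=1; fi; done
    [ "$allowed" = 1 ] || { echo "refusing unlisted target host: $host" >&2; return 1; }
    cat <<EOF
profiles
use OWASP_TOP10
back
plugins
output console, textFile, htmlFile
output config textFile
set fileName $outdir/output-w3af.txt
set httpFileName $outdir/output-http.txt
back
output config htmlFile
set fileName $outdir/output-w3af.html
back
back
target
set target $target
back
start
exit
EOF
}

# Generate the script into a fresh output directory and start the scan.
run_scan() {
    target="$1"; outdir="${2:-/tmp/w3af-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$outdir" || return 1
    make_w3af_script "$target" "$outdir" > "$outdir/scan.w3af" || return 1
    w3af_console -s "$outdir/scan.w3af"
}
```

Run it as `W3AF_ALLOWED_HOSTS="10.10.0.237:8081" sh -c '. ./scan.sh; run_scan http://10.10.0.237:8081/'`; the text, HTTP and HTML reports land in the chosen output directory.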

See the w3af project site and its documentation for more.
