Results 1 to 2 of 2

Thread: it will be great to have w3af in BT

  1. #1
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    1

    Default it will be great to have w3af in BT

    Hello all, i always miss w3af into BT. It's very useful, it's growing fast, and it works fine.

    We always install it manually, and i think it's handy to have it on the CD


    w3af.sourceforge.net


    The features list is big, these are just some of them:
    (note they developed a metasploit-wrapper to use every feature into w3af)


    Plugins

    w3af provides the following plugins (this list could be outdated):
    Audit
    - SQL injection detection
    - XSS detection
    - SSI detection
    - Local file include detection
    - Remote file include detection
    - Buffer Overflow detection
    - Format String bugs detection
    - OS Commanding detection
    - Response Splitting detection
    - LDAP Injection detection
    - Basic Authentication bruteforce
    - File upload inside webrot
    - htaccess LIMIT misconfiguration
    - SSL certificate validation
    - XPATH injection detection
    - unSSL (HTTPS documents can be fetched using HTTP)
    - dav

    Discovery
    - Pykto, a nikto port to python
    - Hmap, http fingerprinting.
    - fingerGoogle, finds valid user accounts in google.
    - googleSpider, a spider that uses google.
    - webSpider, a classic web spider.
    - robotsReader
    - urlFuzzer
    - serverHeader, fetches server header
    - allowedMethods, gets a list of allowed HTTP methods.
    - crossDomain, get and parse the flash file crossdomain.xml
    - error404page, generate a regular expression to match 404 pages.
    - sitemapReader, read googles sitemap.xml and parse it.
    - spiderMan, using a localproxy and a human, find new URLs for auditing.
    - webDiff, find differences between a local and a remote directory.
    - wsdlFinder, find and parse WSDL and DISCO files.

    Grep
    - collectCookies
    - directoryIndexing
    - findComments
    - pathDisclosure
    - strangeHeaders
    - grep for pages using ajax and report them
    - domXss, find DOM cross site scripting vulnerabilities.
    - errorPages, search for eror pages that are too descriptive.
    - fileUpload, find forms with file upload capabilities.
    - getMails
    - http authentication detection
    - objects detection
    - privateIP disclosure detection
    - wsdlGreper, greps every page searching for WSDL documents.

    Output
    - console
    - htmlFile
    - textFile

    Mangle
    - sed, a stream editor for HTTP requests and responses.

    Evasion
    - reversedSlashes
    - rndCase
    - rndHexEncode
    - rndParam
    - rndPath
    - selfReference

    Attack
    - davShell
    - fileUploadShell
    - googleProxy
    - localFileReader
    - mysqlWebShell
    - osCommandingShell
    - remoteFileIncludeShell
    - rfiProxy
    - sqlmap
    - xssBeef


    cheers

    eldraco

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Nice find, I'll have to check it out.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •