lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <cdfaf8b20706101120i7079ea9bm6bba73092ce03eff@mail.gmail.com>
Date: Sun, 10 Jun 2007 15:20:29 -0300
From: "Andres Riancho" <andres.riancho@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	webappsec@...urityfocus.com
Subject: [TOOL] w3af - Web Application Attack and Audit Framework

List,

    I'm glad to present w3af ( Web Application Attack and Audit
Framework ) , a fully automated auditing and exploiting framework for
the web. This framework has been developed for almost a year and has
the following features:

   Audit
         - SQL injection detection
         - XSS detection
         - SSI detection
         - Local file include detection
         - Remote file include detection
         - Buffer Overflow detection
         - Format String bugs detection
         - OS Commanding detection
         - Response Splitting detection
         - LDAP Injection detection
         - Basic Authentication bruteforce
         - File upload inside webrot
         - htaccess LIMIT misconfiguration
         - SSL certificate validation
         - XPATH injection detection
         - unSSL (HTTPS documents can be fetched using HTTP)
         - dav

    Discovery
         - Pykto, a nikto port to python
         - Hmap, http fingerprinting.
         - fingerGoogle, finds valid user accounts in google.
         - googleSpider, a spider that uses google.
         - webSpider, a classic web spider.
         - robotsReader
         - urlFuzzer
         - serverHeader, fetches server header
         - allowedMethods, gets a list of allowed HTTP methods.
         - crossDomain, get and parse the flash file crossdomain.xml
         - error404page, generate a regular expression to match 404 pages.
         - sitemapReader, read googles sitemap.xml and parse it.
         - spiderMan, using a localproxy and a human, find new URLs
for auditing.
         - webDiff, find differences between a local and a remote directory.
         - wsdlFinder, find and parse WSDL and DISCO files.

    Grep
         - collectCookies
         - directoryIndexing
         - findComments
         - pathDisclosure
         - strangeHeaders
         - grep for pages using ajax and report them
         - domXss, find DOM cross site scripting vulnerabilities.
         - errorPages, search for eror pages that are too descriptive.
         - fileUpload, find forms with file upload capabilities.
         - getMails
         - http authentication detection
         - objects detection
         - privateIP disclosure detection
         - wsdlGreper, greps every page searching for WSDL documents.

    Output
         - console
         - htmlFile
         - textFile

    Mangle
         - sed, a stream editor for HTTP requests and responses.

    Evasion
         - reversedSlashes
         - rndCase
         - rndHexEncode
         - rndParam
         - rndPath
         - selfReference

    Attack
         - davShell
         - fileUploadShell
         - googleProxy
         - localFileReader
         - mysqlWebShell
         - osCommandingShell
         - remoteFileIncludeShell
         - rfiProxy
         - sqlmap
         - xssBeef

The framework is extended using plugins and is completely written un
python. More info can be found at: http://w3af.sf.net/

Cheers,

-- 
Andres Riancho
http://w3af.sourceforge.net/ Web App Attack and Audit Framework

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ