W3AF|null

Transcript

  • 1. Web Application Attack and Audit Framework By Prajwal Panchmahalkar
  • 2.
    • W3af is a well-known web attack and auditing framework.
      • Very similar to the Metasploit framework
    • W3af combines all the actions needed for a complete web attack:
      • Mapping
      • Discovery
      • Exploitation
    • These three stages correspond to the framework's three major plug-in types.
  • 3.
    • Web service support
    • Exploits
      • SQL injection (blind)
      • OS commanding
      • Remote file inclusion
      • Local file inclusion
      • XSS and more
    • The plug-ins work together well.
  • 4.
    • Discovery plug-in
      • URLs
      • Injection points
    • Audit plug-in
      • Uses the injection points found above
      • Sends crafted data to find vulnerabilities
    • Exploit plug-in
      • Exploits the vulnerabilities found
      • Returns SQL dumps or a remote shell
  • 7.
    • Find all the URLs
      • Create fuzzable requests
    • Plugins:
      • WebSpider
      • URL fuzzer
      • Pykto
      • GoogleFuzzer
  • 8.
    • Audit plug-ins use the discovery plug-in outputs to find their respective vulnerabilities
      • SQL Injection (blind)
      • XSS
      • Buffer Overflow
      • Response Splitting
  • 9.
    • Grep every HTTP request and response
      • findComments
      • passwordProfiling
      • privateIP
      • DirectoryIndexing
      • Getmails
      • lang
  • 10.
    • BruteForce
      • Bruteforce logins
    • Evasion
      • Modify the request to evade IDS detection
    • Mangle
      • Modify requests/responses based on regular expressions.
    • Output
      • Write logs.
  • 11. Prajwal Panchmahalkar, Team: Matriux, n|u [email_address]
  • 12. THANKS TO ALL
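The grep stage from slide 9 (passive checks such as findComments, privateIP, Getmails and DirectoryIndexing) in a small stand-alone form, as an added example that is not w3af's own plug-in code. The `Finding` record, the function names and the sample responses are constructed for this example, and each check is only an approximation of what the corresponding w3af plug-in does; the point is that a grep plug-in never sends traffic of its own, it only inspects what the discovery and audit stages already fetched.

```python
"""Passive, grep-style inspection of HTTP responses (added example, not w3af code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Finding:
    check: str      # which check fired: findComments, privateIP, getMails, directoryIndexing
    url: str        # URL of the response the evidence came from
    evidence: str   # the matched fragment

# Patterns approximating what the grep plug-ins look for (constructed here).
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DIR_INDEX_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

# RFC 1918 ranges only: documentation/test ranges are deliberately not flagged.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def grep_response(url: str, headers: Dict[str, str], body: str) -> List[Finding]:
    """Run every passive check over one already-captured response."""
    findings: List[Finding] = []
    seen = set()

    def add(check: str, evidence: str) -> None:
        key = (check, url, evidence)
        if key not in seen:          # report each distinct piece of evidence once
            seen.add(key)
            findings.append(Finding(check, url, evidence))

    # findComments: HTML comments frequently leak developer notes or old paths.
    for m in HTML_COMMENT_RE.finditer(body):
        add("findComments", m.group(1).strip())

    # privateIP: internal addresses in headers or body reveal backend topology.
    haystack = body + "\n" + "\n".join(f"{k}: {v}" for k, v in headers.items())
    for m in IPV4_RE.finditer(haystack):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:           # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in RFC1918_NETS):
            add("privateIP", str(ip))

    # getMails: e-mail addresses are useful to an attacker for phishing and login guessing.
    for m in EMAIL_RE.finditer(body):
        add("getMails", m.group(0))

    # directoryIndexing: an "Index of /" page means the web server lists directory contents.
    if DIR_INDEX_RE.search(body):
        add("directoryIndexing", "Index of / listing")

    return findings

# Constructed sample responses (url, headers, body) standing in for what discovery fetched.
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str], str]] = [
    ("http://app.example.test/", {"Server": "Apache", "X-Backend": "10.0.3.7"},
     "<html><!-- TODO: remove debug endpoint before launch -->"
     "<p>Contact webmaster@example.test</p></html>"),
    ("http://app.example.test/uploads/", {"Server": "Apache"},
     "<html><title>Index of /uploads</title><a href='backup.zip'>backup.zip</a></html>"),
    ("http://app.example.test/about", {"Server": "Apache"},
     "<html><p>Our public address is 203.0.113.9 (no comments here)</p></html>"),
]

def run_grep_stage(responses=SAMPLE_RESPONSES) -> List[Finding]:
    """Apply the grep checks to every captured response and collect the findings."""
    all_findings: List[Finding] = []
    for url, headers, body in responses:
        all_findings.extend(grep_response(url, headers, body))
    return all_findings

if __name__ == "__main__":
    for f in run_grep_stage():
        print(f"{f.check:18} {f.url:40} {f.evidence}")
```

Run against the constructed sample, the first response yields a findComments, a privateIP (from the X-Backend header) and a getMails finding, the second a directoryIndexing finding, and the third nothing, since 203.0.113.9 is outside the RFC 1918 ranges. In the real framework the equivalent output plug-in writes these findings to the log rather than printing them.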