Embed Size (px)
DESCRIPTION
Citation preview
Web Application AttackWeb Application Attackand Audit Frameworkand Audit Framework
By Prajwal Panchmahalkar
W3af is a well known web attack and auditing framework.
•Very similar to Metasploit framework
W3af combines all necessary actions for a complete web attack.
•Mapping•Discovery•Exploitation
This puts the framework into three major plug-ins.
Web Service Support Exploits
•SQL injections(blind)
• OS commanding
• remote file inclusions
• local file inclusions
• XSS and more
A good harmony among plug-ins.
Discovery PluginDiscovery Plugin•URLS•Injection Points
Audit PluginAudit Plugin•Uses the above injection points•Sends crafted data to find vulnerabilities
Exploit PluginExploit Plugin•Exploits vulnerabilities found•Provides SQL dumps / remote shell is returned
Find all the URLs
•Create Fuzzable requestPlugins:
•WebSpider
•URL fuzzer
•Pykto
•GoogleFuzzer
They use the discovery plug-in outputs and find their respective vulnerabilities
•SQL Injection (blind)
•XSS
•Buffer Overflow
•Response Splitting
Grep every HTTP request and response
•findComments•passwordProfiling•privateIP•DirectoryIndexing•Getmails•lang
BruteForce•Bruteforce logins
Evasion•Modify the request to evade IDS detection
Mangle•Modify requests/responses based on regular expressions.
Output•Write logs .
THANKS TOTHANKS TO
ALLALL
