CIP Cyber

Log In
Menu
Log In
  • Opinion
  • Product Reviews
  • Industrial Cybersecurity
  • Videos

Web Application Attack and Audit Framework (W3AF)- Tutorial

Table of Contents

Security is key point for every effective business, either you are running your own website or you are at job to manage the web application for your company you have to do little penetration testing to check the security of web application.
Now a days exploit are available and update on daily basis for different web application services.

While doing a penetration testing a pen tester must consider these exploit for different vulnerabilities.
To find a vulnerabilities is not enough a pen-tester must check the parallel exploits that are available publicly for different services.

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. w3af is working for Become the best Open Source Web Application Exploitation Framework. It provides information about security vulnerabilities and aids in penetration testing efforts.


The important fact of w3af is that it is available for all major operating system like Microsoft Windows, Linux, MAC OS, FreeBSD and OpenBSD etc. It is written in python programming language and provide both command line interface and graphical user interface.


W3af uses more than 130 plug-in to find vulnerabilities in web applications, after finding vulnerabilities like SQL injections, OS commanding, remote file inclusions (PHP), cross-site scripting (XSS), and unsafe file uploads, can be exploited in order to gain different types of access to the remote system.

Download 
Tutorial

Once you have all the prerequisites then you can start w3af as follows:
$ ./w3af
w3af>>>

Type help will give you a list of options.
w3af>>> help
The following commands are available:

help                  You are here. help [command] prints more specific help.
url-settings       Configure the URL opener.
misc-settings    Configure w3af misc settings.
session             Load and save sessions.
plugins             Enable, disable and configure plugins.
start                 Start site analysis.
exploit              Exploit a vulnerability.
tools                 Enter the tools section.
target               Set the target URL.
exit                   Exit w3af.

w3af>>>
Now see this example:
w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap
w3af/plugins>>> discovery
Enabled discovery plugins:
webSpider
pykto
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> view


For video tutorial click here

Note: If you enjoyed this post, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
CIP Cyber Staff

CIP Cyber Staff

CIP Cyber Staff comprises CIP cybersecurity experts committed to delivering comprehensive information on critical infrastructure protection. The content covers diverse topics, equipping professionals to defend organizations and communities in an ever-evolving cyber landscape.

Most popular

Opinion

Password Cyberattack: Everything You Need to Know

November 7, 2023

Industrial Cybersecurity

Cybersecurity Awareness Month: Spotlight on ICS/OT Security

September 28, 2023

Opinion

How to Protect IoT Devices in Critical Infrastructure Networks

September 15, 2023

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Choose Training

Related Articles

What Proxies Are For

When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand among

March 24, 2022

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Choose Training