From Security Weekly Wiki
Jump to navigationJump to search

w3af: Technical Segment - Seth Misenar

In episode 144, I gave a technical segment that provided a broad overview of the functionality provided by w3af. In this episode, I hope to illustrate some techniques you can use to break into some web apps.

The Setup

The Process

The goal was to show how we can use w3af to discover a web application vulnerabilities and exploit them. Web Application assessments are more of an art rather than science, even with the burgeoning tools that are available. It is never a good idea to enable all of the scanning/attacking options and set the tool loose. This is especially true with w3af's Discovery plugins. Let's see if we can collect information about the architecture of our target (

# nmap -O -sC -sV -p80

The results show the operating system to be Windows running an Apache web server leveraging a PHP framework. This information will be added to the context of our scan. As stated in the previous podcast (144), there are two primary methods of configuring/running scans: the GUI and the console. We explore each in the videos associated with this tech segment and will discuss them here.


The help command provides a context sensitive heads-up help menu:


The target command will take us into the w3af console:


Let's set our configuration options for our target:

set targetOS windows
set targetFramework php
set target

Now we can see that our target settings took. view

Now we jump back to the main console. back

The plugins command will take us into the section of the w3af console that allows us to configure our plugins. plugins

Let's view the various plugins available view

The audit command will show us the current audit plugin configuration. audit

This enables the fileUpload audit plugin. audit fileUpload

Here we can see that the fileUpload plugin has now been enabled. audit

The discovery command shows the current discovery plugin configuration. discovery

This enables the webSpider discovery plugin. discovery webSpider

This allows us to set the configurable options for the webSpider discovery plugin. discovery config webSpider

Here we can see what options are available for configuration. view

Now we have set the onlyForward option to True which will allow us to not go any higher than the directory we are in. set onlyForward True

Now we back out of the webSpider config view back

Check our discover settings look good. discovery

Change the output (default when running in GUI is gtk ouput) to console output console, htmlFile

Now we have finished with the plugin configuration and need to jump back to the main w3af console section. back

The start command will kick off the w3af scan, moving from discovery to audit. start

Now that we have found a vulnerability in the application, we can move into the exploit phase. exploit

We can see the possible exploit plugins list

Since we only audited the application for file upload vulnerabilities, it is pretty obvious that we select the fileUploadShell option. exploit fileUploadShell

The phpshell is pushed and instantiated and we connect to it with the interact <session number> command. interact 0

If we want to jump back to w3af to move into another session then we simply type endInteraction. endInteraction

Script Magic

Creating w3af scripts is as easy as running a scan from the console, because, in effect, you simply put each command as you would type it in the console on a separate line.

set targetOS windows
set targetFramework php
set target
audit fileUpload
discovery webSpider
discovery config webSpider
set onlyForward True
output console, htmlFile

For instance we could save the above set of commands as a script called fileupload.w3af. Assuming that name we could run the scripted version with the following command:

w3af_console -s fileupload.w3af


w3af videos: Though I enjoyed making my w3af video, I would be remiss not to mention the videos available here: http://w3af.sourceforge.net/videos/video-demos.php