[Owasp-turkey] Fwd: [Full-disclosure] [TOOL] w3af - Web Application Attack and Audit Framework

Huzeyfe Onal huzeyfe at lifeoverip.net
Sun Jun 10 15:44:04 EDT 2007

It looks like a nice design; if any of you have tried it, I'd like to hear your comments.

---------- Forwarded message ----------
From: Andres Riancho <andres.riancho at gmail.com>
Date: Jun 10, 2007 9:20 PM
Subject: [Full-disclosure] [TOOL] w3af - Web Application Attack and Audit
To: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com,
webappsec at securityfocus.com


    I'm glad to present w3af (Web Application Attack and Audit
Framework), a fully automated auditing and exploiting framework for
the web. This framework has been developed for almost a year and has
the following features:

         - SQL injection detection
         - XSS detection
         - SSI detection
         - Local file include detection
         - Remote file include detection
         - Buffer Overflow detection
         - Format String bugs detection
         - OS Commanding detection
         - Response Splitting detection
         - LDAP Injection detection
         - Basic Authentication bruteforce
         - File upload inside webroot
         - htaccess LIMIT misconfiguration
         - SSL certificate validation
         - XPATH injection detection
         - unSSL (HTTPS documents can be fetched using HTTP)
         - dav

         - Pykto, a nikto port to python
         - Hmap, http fingerprinting.
         - fingerGoogle, finds valid user accounts in google.
         - googleSpider, a spider that uses google.
         - webSpider, a classic web spider.
         - robotsReader
         - urlFuzzer
         - serverHeader, fetches server header
         - allowedMethods, gets a list of allowed HTTP methods.
         - crossDomain, get and parse the flash file crossdomain.xml
         - error404page, generate a regular expression to match 404 pages.
         - sitemapReader, reads Google's sitemap.xml and parses it.
         - spiderMan, using a local proxy and a human, finds new URLs
for auditing.
         - webDiff, find differences between a local and a remote directory.
         - wsdlFinder, find and parse WSDL and DISCO files.

         - collectCookies
         - directoryIndexing
         - findComments
         - pathDisclosure
         - strangeHeaders
         - grep for pages using ajax and report them
         - domXss, find DOM cross site scripting vulnerabilities.
         - errorPages, search for error pages that are too descriptive.
         - fileUpload, find forms with file upload capabilities.
         - getMails
         - http authentication detection
         - objects detection
         - privateIP disclosure detection
         - wsdlGreper, greps every page searching for WSDL documents.

         - console
         - htmlFile
         - textFile

         - sed, a stream editor for HTTP requests and responses.

         - reversedSlashes
         - rndCase
         - rndHexEncode
         - rndParam
         - rndPath
         - selfReference

         - davShell
         - fileUploadShell
         - googleProxy
         - localFileReader
         - mysqlWebShell
         - osCommandingShell
         - remoteFileIncludeShell
         - rfiProxy
         - sqlmap
         - xssBeef

The framework is extended using plugins and is completely written in
Python. More info can be found at: http://w3af.sf.net/


Andres Riancho
http://w3af.sourceforge.net/ Web App Attack and Audit Framework

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Huzeyfe ONAL
huzeyfe at lifeoverip.net

Have you subscribed to the network security list?