[W3af-users] Script for automated testing

From: Shafeeque O.K, Tue, Jun 24, 2014, 11:03 AM

Hi, I am using the script taken from https://www.owasp.org/index.php/Automated_Audit_using_W3AF. I did some editing and removed the authentication details; the current version I am using is given below. When I run the script, the scanning is not started; instead it gives the w3af console. Please guide; I am using the latest version of w3af in Kali. The script is given below.

# ---
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# ---
# Configure HTTP settings
http-settings
set timeout 30
back

# Configure scanner global behaviors
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back

plugins

# Configure entry point (CRAWLING) scanner
crawl web_spider
crawl config web_spider
set only_forward False
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back

# Configure vulnerability scanners
## Specify list of AUDIT plugins to use
audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
## Customize behavior of each audit plugin when needed
audit config file_upload
set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
back

## Specify list of GREP plugins to use (a grep plugin can also find vulnerabilities or information disclosure)
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header

## Specify list of INFRASTRUCTURE plugins to use (an infrastructure plugin can find information disclosure)
infrastructure server_header, server_status, domain_dot, dot_net_errors

# Configure reporting in order to generate an HTML report
# (output plugins are configured from the plugins menu, so stay in it here:
#  a 'back' at this point would return to the root menu, where 'output' is not a command)
output console, html_file
output config html_file
set output_file /tmp/samir-W3afReport.html
set verbose False
back
output config console
set verbose True
back
back

# Set target information, do a cleanup and run the scan
target
set target http://www.xxx.com
back

cleanup
start

shafeeque

--
Open source business process management suite built on Java and Eclipse. Turn processes into business applications with Bonita BPM Community Edition. Quickly connect people, data, and systems into organized workflows. Winner of BOSSIE, CODIE, OW2 and Gartner awards. http://p.sf.net/sfu/Bonitasoft
___
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
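A w3af console script is a sequence of commands typed into a tree of menus, and every 'back' moves up one level, so a script that miscounts its 'back's silently runs later commands in the wrong menu instead of scanning. The checker below is added here and is not part of the thread or of w3af itself: it walks a script with the same menu stack the console keeps and reports each line that would execute in the wrong menu, for instance an 'output' command issued after a 'back' has already left the plugins menu. The menu and plugin-type names are assumptions taken from the w3af console layout, and the sample script is a constructed excerpt in the style of the one posted above.

```python
# Root-menu commands that open a sub-menu in the w3af console (assumed layout).
ROOT_MENUS = {"plugins", "http-settings", "misc-settings", "target"}
# Plugin types: only valid as commands inside the plugins menu.
PLUGIN_TYPES = {"attack", "audit", "auth", "bruteforce", "crawl",
                "evasion", "grep", "infrastructure", "mangle", "output"}
ROOT_ONLY = {"start", "cleanup"}  # only meaningful at the root menu


def check_w3af_script(text):
    """Return [(line_number, problem), ...] for a w3af console script.
    A stack mirrors the menu w3af would be in when each line runs: 'back' pops
    one level, plugin commands are accepted only while the stack is ['plugins'].
    """
    stack, problems = [], []
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        words = line.split()
        cmd = words[0]
        if cmd == "back":
            if stack:
                stack.pop()
            else:
                problems.append((no, "'back' issued at the root menu"))
        elif cmd in ROOT_MENUS or cmd in ROOT_ONLY:
            if stack:
                problems.append((no, "'%s' is a root-menu command, but the "
                                     "script is inside %s" % (cmd, "/".join(stack))))
            elif cmd in ROOT_MENUS:
                stack.append(cmd)
        elif cmd in PLUGIN_TYPES:
            if stack != ["plugins"]:
                problems.append((no, "'%s' must be run from the plugins menu" % cmd))
            elif len(words) >= 3 and words[1] == "config":
                stack.append(" ".join(words[:3]))  # e.g. 'output config html_file'
        elif cmd == "set" and not stack:
            problems.append((no, "'set' has no menu to apply to"))
    if stack:
        problems.append((len(lines), "script ends inside menu " + "/".join(stack)))
    return problems


# Constructed excerpt: a 'back' right after the infrastructure line leaves the
# plugins menu, so the output-plugin lines and their two closing 'back's all
# run at the root menu and are reported; the target block afterwards is fine.
POSTED = "\n".join([
    "plugins", "infrastructure server_header, server_status", "back",
    "output console, html_file", "output config html_file",
    "set output_file /tmp/report.html", "back", "back",
    "target", "set target http://www.example.com", "back", "start"])
# Same excerpt with the stray 'back' removed: no problems are reported.
FIXED = POSTED.replace("server_status\nback\n", "server_status\n", 1)
```

Running the checker over a script before handing it to ./w3af_console -s turns a silent drop to the prompt into a line number to look at.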
Re: [W3af-users] Script for automated testing

From: Andres Riancho, Tue, Jun 24, 2014, 7:37 PM

Are you running ./w3af_console -s script.w3af ?

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-users] Script for automated testing

From: Shafeeque O.K, Tue, Jun 24, 2014, 11:12 AM

Yes.

Regards,
Shafeeque Olassery Kunnikkal
C|EH, C|EI
Graytips Cyber Technologies | www.graytips.com
Re: [W3af-users] Script for automated testing

From: Andres Riancho

Could you send us the complete output from the console? Maybe a screenshot?
[W3af-users] Scan mobile devices with w3af

From: Aman Thakur, Tue, Jun 24, 2014, 12:10 PM

Hi guys, Good Day!! I was thinking about the scanning process of w3af for devices, so I thought it would be better to discuss it over here. I wanted to ask: is it possible to scan mobile devices for vulnerabilities with w3af?

Thanks
With Regards
Aman Thakur
Re: [W3af-users] Scan mobile devices with w3af

From: Andres Riancho, Tue, Jun 24, 2014, 8:56 PM

Well, w3af scans web applications, so if your phone exposes a web server you'll be able to scan it. That's REALLY uncommon. On the other hand, some web apps are designed for being accessed from mobile devices. Those are good targets for w3af.
Re: [W3af-users] Scan mobile devices with w3af

From: Aman Thakur, Tue, Jun 24, 2014, 12:40 PM

Yes, even I was thinking that these mobile devices don't run any remote services, which could be a very unusual case. And will it be the same for normal users' desktops and laptops as well?
Re: [W3af-users] Scan mobile devices with w3af

From: Aman Thakur

Ok great. Thanks for the kind info, Mr. Riancho. I appreciate your frequent replies. Thanks.

On Tue, Jun 24, 2014 at 9:44 PM, Andres Riancho wrote:
> Correct