Hi

I am using the script which is taken from:
https://www.owasp.org/index.php/Automated_Audit_using_W3AF

I did some editing, removed the authentication details, and the current
version I am using is given below. When I run the script, the scan does
not start; instead it just gives me the w3af>> console.


Please guide; I am using the latest version of w3af in Kali.

Script is given below.

# -----------------------------------------------------------------------------------------------------------
#                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
#Configure HTTP settings
http-settings
set timeout 30
back

#Configure scanner global behaviors
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back


plugins
#Configure entry point (CRAWLING) scanner
crawl web_spider
crawl config web_spider
set only_forward False
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back


#Configure vulnerability scanners
##Specify list of AUDIT plugins to use (the console reads one command per line, so the list must stay on a single line)
audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
##Customize behavior of each audit plugin when needed
audit config file_upload
set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
back


##Specify list of GREP plugins to use (a grep plugin inspects every response and can also find vulnerabilities or information disclosure)
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header


##Specify list of INFRASTRUCTURE plugins to use (an infrastructure plugin fingerprints the server and can find information disclosure)
infrastructure server_header, server_status, domain_dot, dot_net_errors
##No 'back' here: the output plugins below are configured from this same plugins menu


#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file /tmp/samir-W3afReport.html
set verbose False
back
output config console
set verbose True
back


back
#Set target information, do a cleanup and run the scan
target
set target http://www.xxxxxxx.com
back

cleanup
start



shafeeque
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
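The menu nesting that makes a misplaced `back` in a w3af console script silently break every command after it, shown as an added example that is not part of the original post and not code from w3af: a small Python checker that replays a .w3af script against a hand-written model of the console's menus (root, plugins, one config menu per plugin, http-settings, misc-settings, target). The menu tables are an assumption approximating the console layout, not exported from w3af, and the two embedded scripts are constructed for the example. It reports commands issued in the wrong menu, `set` lines that lost their value to line wrapping, and a script that never issues `start` from the root.

```python
"""Menu-nesting checker for w3af console scripts (.w3af files).

Added example, not code from w3af or from the original post. The console is
a tree of menus and a script is replayed line by line, so a `back` in the
wrong place moves every later command into a menu that rejects it. The menu
tables below are a hand-written approximation of w3af (assumption).
"""
from __future__ import annotations

ROOT = "root"
PLUGIN_TYPES = {"audit", "auth", "bruteforce", "crawl", "evasion", "grep",
                "infrastructure", "mangle", "output"}
SETTINGS_MENUS = {"http-settings", "misc-settings", "target"}
ROOT_COMMANDS = SETTINGS_MENUS | {"plugins", "profiles", "exploit", "tools",
                                  "kb", "cleanup", "start", "exit", "help"}
PLUGINS_MENU_COMMANDS = PLUGIN_TYPES | {"list", "help"}
CONFIG_MENU_COMMANDS = {"set", "view", "help"}


def check_script(text: str) -> list[str]:
    """Return diagnostics ('line N: ...') for a .w3af script; [] means clean."""
    stack = [ROOT]                 # menu path; stack[-1] is the current menu
    saw_start = False
    problems: list[str] = []

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # blank lines and comments are skipped
        words = line.split()
        cmd, menu = words[0], stack[-1]

        if cmd == "back":
            if menu == ROOT:
                problems.append(f"line {lineno}: 'back' at the root menu has "
                                "nothing to return to (one 'back' too many)")
            else:
                stack.pop()
        elif menu == ROOT:
            if cmd not in ROOT_COMMANDS:
                problems.append(f"line {lineno}: '{cmd}' is not a root-menu "
                                "command; an earlier 'back' left its menu")
            elif cmd in SETTINGS_MENUS or cmd == "plugins":
                stack.append(cmd)  # entering a sub-menu
            elif cmd == "start":
                saw_start = True
        elif menu == "plugins":
            if cmd not in PLUGINS_MENU_COMMANDS:
                problems.append(f"line {lineno}: '{cmd}' is not a plugins-menu command")
            elif cmd in PLUGIN_TYPES and len(words) >= 3 and words[1] == "config":
                stack.append(f"{cmd}/{words[2]}")   # e.g. audit/file_upload
        else:                      # a settings menu or a plugin config menu
            if cmd not in CONFIG_MENU_COMMANDS:
                problems.append(f"line {lineno}: '{cmd}' is not valid inside "
                                f"the '{menu}' menu")
            elif cmd == "set" and len(words) < 3:
                problems.append(f"line {lineno}: 'set' needs an option name and "
                                "a value (line wrapped by a mail client?)")

    if len(stack) > 1:
        path = "/".join(stack[1:])
        problems.append(f"end of script: still inside '{path}'; "
                        f"{len(stack) - 1} 'back' missing")
    if not saw_start:
        problems.append("end of script: no 'start' at the root menu, so w3af "
                        "just drops to its prompt")
    return problems


# Constructed excerpt with two typical defects: a `set extensions` line whose
# value was lost to line wrapping, and a `back` that leaves the plugins menu
# before the output plugin is configured.
BROKEN_SCRIPT = """\
plugins
crawl config web_spider
set only_forward False
back
audit config file_upload
set extensions
back
infrastructure server_header
back
output config html_file
set output_file /tmp/report.html
back
back
target
set target http://www.example.com
back
start
"""

# Same excerpt with the value restored and the stray `back` removed.
FIXED_SCRIPT = (BROKEN_SCRIPT
                .replace("set extensions\n", "set extensions jsp,php,asp\n")
                .replace("server_header\nback\n", "server_header\n"))
```

Run `check_script(open("audit.w3af").read())` on a script before handing it to `w3af_console -s`; the checker reports the wrapped `set` line first, then every command that ended up at the root because of the extra `back`, and a missing `start` at the end.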
