Running w3af — w3af - Web application attack and audit framework 2019.1.2 documentation (2024)

w3af has two user interfaces, the console user interface and the graphical user interface. This user guide will focus on the console user interface, where it is easier to explain the framework’s features. To fire up the console UI, execute:

$ ./w3af_console
w3af>>>

From this prompt you will be able to configure framework and plugin settings, launch scans and ultimately exploit a vulnerability. At this point you can start typing commands. The first command you have to learn is help (please note that commands are case sensitive):

w3af>>> help
|----------------------------------------------------------------|
| start         | Start the scan.                                |
| plugins       | Enable and configure plugins.                  |
| exploit       | Exploit the vulnerability.                     |
| profiles      | List and use scan profiles.                    |
| cleanup       | Cleanup before starting a new scan.            |
|----------------------------------------------------------------|
| help          | Display help. Issuing: help [command] , prints |
|               | more specific help about "command"             |
| version       | Show w3af version information.                 |
| keys          | Display key shortcuts.                         |
|----------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework.  |
| misc-settings | Configure w3af misc settings.                  |
| target        | Configure the target URL.                      |
|----------------------------------------------------------------|
| back          | Go to the previous menu.                       |
| exit          | Exit w3af.                                     |
|----------------------------------------------------------------|
| kb            | Browse the vulnerabilities stored in the       |
|               | Knowledge Base                                 |
|----------------------------------------------------------------|
w3af>>>
w3af>>> help target
Configure the target URL.
w3af>>>

The main menu commands are explained in the help that is displayed above. The internals of every menu will be seen later in this document. As you already noticed, the help command can take a parameter, and if available, a detailed help for that command will be shown, e.g. help keys.

Other interesting features of the console UI are tab completion (type ‘plu’ and then TAB) and the command history (after typing some commands, navigate the history with the up and down arrows).

To enter a configuration menu, you just have to type its name and hit enter; you will see how the prompt changes to show that you are now in that context:

w3af>>> http-settings
w3af/config:http-settings>>>

All the configuration menus provide the following commands:

  • help
  • view
  • set
  • back

Here is a usage example of these commands in the http-settings menu:

w3af/config:http-settings>>> help
|-----------------------------------------------------------------|
| view  | List the available options and their values.            |
| set   | Set a parameter value.                                  |
| save  | Save the configured settings.                           |
|-----------------------------------------------------------------|
| back  | Go to the previous menu.                                |
| exit  | Exit w3af.                                              |
|-----------------------------------------------------------------|
w3af/config:http-settings>>> view
|-----------------------------------------------------------------------------------------------|
| Setting           | Value | Description                                                       |
|-----------------------------------------------------------------------------------------------|
| url_parameter     |       | Append the given URL parameter to every accessed URL.             |
|                   |       | Example: http://www.foobar.com/index.jsp;<parameter>?id=2         |
| timeout           | 15    | The timeout for connections to the HTTP server                    |
| headers_file      |       | Set the headers filename. This file has additional headers        |
|                   |       | which are added to each request.                                  |
|-----------------------------------------------------------------------------------------------|
...
|-----------------------------------------------------------------------------------------------|
| basic_auth_user   |       | Set the basic authentication username for HTTP requests           |
| basic_auth_passwd |       | Set the basic authentication password for HTTP requests           |
| basic_auth_domain |       | Set the basic authentication domain for HTTP requests             |
|-----------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> set timeout 5
w3af/config:http-settings>>> save
w3af/config:http-settings>>> back
w3af>>>

To summarize, the view command is used to list all configurable parameters, with their values and a description. The set command is used to change a value. Finally we can execute back or press CTRL+C to return to the previous menu. A detailed help for every configuration parameter can be obtained using help parameter, as shown in this example:

w3af/config:http-settings>>> help timeout
Help for parameter timeout:
===========================
Set low timeouts for LAN use and high timeouts for slow Internet connections.
w3af/config:http-settings>>>

The http-settings and the misc-settings configuration menus are used to set system-wide parameters that are used by the framework. All the parameters have defaults and in most cases you can leave them as they are. w3af was designed in a way that allows beginners to run it without having to learn a lot of its internals.

It is also flexible enough to be tuned by experts who know what they want and need to change internal configuration parameters to fulfill their tasks.

Running w3af with GTK user interface

The framework also has a graphical user interface that you can start by executing:

$ ./w3af_gui

The graphical user interface allows you to perform all the actions that the framework offers and features a much easier and faster way to start a scan and analyze the results.

Note

The GUI has different third-party dependencies and might require you to install extra OS and Python packages.

Plugin configuration

The plugins are configured using the “plugins” configuration menu.

w3af>>> plugins
w3af/plugins>>> help
|-----------------------------------------------------------------------------|
| list           | List available plugins.                                    |
|-----------------------------------------------------------------------------|
| back           | Go to the previous menu.                                   |
| exit           | Exit w3af.                                                 |
|-----------------------------------------------------------------------------|
| output         | View, configure and enable output plugins                  |
| audit          | View, configure and enable audit plugins                   |
| crawl          | View, configure and enable crawl plugins                   |
| bruteforce     | View, configure and enable bruteforce plugins              |
| grep           | View, configure and enable grep plugins                    |
| evasion        | View, configure and enable evasion plugins                 |
| infrastructure | View, configure and enable infrastructure plugins          |
| auth           | View, configure and enable auth plugins                    |
| mangle         | View, configure and enable mangle plugins                  |
|-----------------------------------------------------------------------------|
w3af/plugins>>>

All plugins except the attack plugins can be configured within this menu. Let’s list all the plugins of the audit type:

w3af>>> plugins
w3af/plugins>>> list audit
|-----------------------------------------------------------------------------|
| Plugin name     | Status | Conf | Description                               |
|-----------------------------------------------------------------------------|
| blind_sqli      |        | Yes  | Identify blind SQL injection              |
|                 |        |      | vulnerabilities.                          |
| buffer_overflow |        |      | Find buffer overflow vulnerabilities.     |
...

To enable the xss and sqli plugins, and then verify that the command was understood by the framework, we issue this set of commands:

w3af/plugins>>> audit xss, sqli
w3af/plugins>>> audit
|----------------------------------------------------------------------------|
| Plugin name     | Status  | Conf | Description                             |
|----------------------------------------------------------------------------|
| sqli            | Enabled |      | Find SQL injection bugs.                |
| ssi             |         |      | Find server side inclusion              |
|                 |         |      | vulnerabilities.                        |
| ssl_certificate |         | Yes  | Check the SSL certificate validity      |
|                 |         |      | (if https is being used).               |
| un_ssl          |         |      | Find out if secure content can also     |
|                 |         |      | be fetched using http.                  |
| xpath           |         |      | Find XPATH injection                    |
|                 |         |      | vulnerabilities.                        |
| xss             | Enabled | Yes  | Identify cross site scripting           |
|                 |         |      | vulnerabilities.                        |
| xst             |         |      | Find Cross Site Tracing                 |
|                 |         |      | vulnerabilities.                        |
|----------------------------------------------------------------------------|
w3af/plugins>>>

Or if the user is interested in knowing exactly what a plugin does, they can also run the desc command like this:

w3af/plugins>>> audit desc xss
This plugin finds Cross Site Scripting (XSS) vulnerabilities.

One configurable parameters exists:
    - persistent_xss

To find XSS bugs the plugin will send a set of javascript strings to
every parameter, and search for that input in the response.

The "persistent_xss" parameter makes the plugin store all data
sent to the web application and at the end, request all URLs again
searching for those specially crafted strings.
w3af/plugins>>>

Now we know what this plugin does, but let’s check its internals:

w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> view
|-----------------------------------------------------------------------------|
| Setting        | Value | Description                                        |
|-----------------------------------------------------------------------------|
| persistent_xss | True  | Identify persistent cross site scripting           |
|                |       | vulnerabilities                                    |
|-----------------------------------------------------------------------------|
w3af/plugins/audit/config:xss>>> set persistent_xss False
w3af/plugins/audit/config:xss>>> back
The configuration has been saved.
w3af/plugins>>>

The configuration menus for the plugins also have the set command for changing the parameters’ values, and the view command for listing existing values. In the previous example we disabled persistent cross site scripting checks in the xss plugin.

Saving the configuration

Once the plugin and framework configuration is set, it is possible to save this information to a profile:

w3af>>> profiles
w3af/profiles>>> save_as tutorial
Profile saved.

Profiles are saved as files in ~/.w3af/profiles/. The saved configuration can be loaded in order to run a new scan:

w3af>>> profiles
w3af/profiles>>> use fast_scan
The plugins configured by the scan profile have been enabled, and their options configured.
Please set the target URL(s) and start the scan.
w3af/profiles>>>

Sharing a profile with another user might be problematic, since profiles include full paths to the files referenced by plugin configurations; this would require users to share the profile and the referenced files, and to manually edit the profile to match the current environment. To solve this issue the self-contained flag was added:

w3af>>> profiles
w3af/profiles>>> save_as tutorial self-contained
Profile saved.

A self-contained profile bundles all the referenced files inside the profile and can be easily shared with other users.
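The sharing problem described above can be checked for before handing a plain (non-self-contained) profile to someone else. The following POSIX shell helper is an added example, not code from the w3af project or this documentation: it lists every absolute file path a profile references and flags the ones that do not exist on the current machine. It assumes the files under ~/.w3af/profiles/ are INI-style text with key = value lines; the two profiles it writes are constructed samples for the demonstration, not real w3af profiles.

```shell
#!/bin/sh
# Added example (not from the w3af docs): flag absolute paths in a saved
# profile that would not resolve on another user's machine.
# Assumption: the profile is INI-style text, one "key = value" per line.

# Print one line per "key = /absolute/path" reference in the profile $1,
# prefixed with OK if the path exists here and MISSING otherwise.
profile_path_refs() {
    grep -E '^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*/' "$1" |
    while IFS= read -r line; do
        key="${line%%=*}"
        key="$(printf '%s' "$key" | tr -d '[:space:]')"
        value="${line#*=}"
        value="$(printf '%s' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        if [ -e "$value" ]; then
            printf 'OK %s=%s\n' "$key" "$value"
        else
            printf 'MISSING %s=%s\n' "$key" "$value"
        fi
    done
}

# Succeeds (exit 0) only when no referenced path is missing, i.e. the
# profile can be shared as-is with a machine laid out like this one.
profile_is_portable() {
    [ "$(profile_path_refs "$1" | grep -c '^MISSING')" = "0" ]
}

# Constructed sample: a profile that points at a file only its author has.
SAMPLE_PROFILE="$(mktemp)"
cat > "$SAMPLE_PROFILE" <<EOF
[profile]
description = tutorial profile (constructed sample)
[http-settings]
timeout = 5
headers_file = /home/alice/w3af/extra_headers.txt
[audit.xss]
persistent_xss = False
EOF

# Constructed sample: same layout, but the referenced file does exist here.
PORTABLE_PROFILE="$(mktemp)"
cat > "$PORTABLE_PROFILE" <<EOF
[http-settings]
headers_file = $SAMPLE_PROFILE
EOF

# Usage: profile_path_refs ~/.w3af/profiles/tutorial.pw3af
profile_path_refs "$SAMPLE_PROFILE"
```

Run the check against a profile before sharing it; any MISSING line is a file that must either be shipped alongside the profile (and its path edited on the receiving side) or bundled by saving the profile with the self-contained flag instead.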

Starting the scan

After configuring all desired plugins, the user has to set the target URL and finally start the scan. The target selection is done this way:

w3af>>> target
w3af/config:target>>> set target http://localhost/
w3af/config:target>>> back
w3af>>>

Finally, run start in order to run all the configured plugins.

w3af>>> start

At any time during the scan, you can hit <enter> in order to get a live status of the w3af core. Status lines look like this:

Status: Running discovery.web_spider on http://localhost/w3af/ | Method: GET.
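The whole procedure in this guide (tune http-settings, enable and configure audit plugins, save a profile, set the target, start) can be replayed without typing it interactively. The POSIX shell helper below is an added example, not code from the w3af project or this page: it writes the same commands into a script file and hands that file to w3af_console. It assumes w3af_console accepts a script file through its -s option (its --script switch), that it is run from the w3af checkout directory as in the examples above, and that the target URL is the placeholder http://localhost/ used throughout this guide.

```shell
#!/bin/sh
# Added example (not from the w3af docs): drive w3af_console from a script
# file instead of the interactive prompt.
# Assumptions: ./w3af_console exists and supports "-s <script>"; the
# command sequence is the one shown in this guide.

# Emit the command sequence to stdout.
#   $1 = target URL, $2 = HTTP timeout in seconds (defaults to 5, as above)
make_w3af_script() {
    target="$1"
    timeout="${2:-5}"
    cat <<EOF
http-settings
set timeout ${timeout}
save
back
plugins
audit xss, sqli
audit config xss
set persistent_xss False
back
back
profiles
save_as tutorial
back
target
set target ${target}
back
start
exit
EOF
}

# Write the script to a file and run it with w3af_console if present.
#   $1 = target URL, $2 = script path (defaults to ./tutorial.w3af)
run_scripted_scan() {
    target="$1"
    script_file="${2:-./tutorial.w3af}"
    make_w3af_script "$target" 5 > "$script_file"
    if [ -x ./w3af_console ]; then
        ./w3af_console -s "$script_file"
    else
        echo "w3af_console not found here; script written to $script_file" >&2
        return 2
    fi
}

# Usage: run_scripted_scan http://localhost/
```

Keeping the sequence in a file means the same settings (timeout, enabled plugins, persistent_xss off) are applied every run and can be reviewed in version control; the profile saved by save_as tutorial captures the same state for the interactive use-profile flow described earlier.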