[TOOL] w3af - Web Application Attack and Audit Framework

["Andres Riancho" <andres.riancho () gmail com>]

List,

   I'm glad to present w3af ( Web Application Attack and Audit
Framework ) , a fully automated auditing and exploiting framework for
the web. This framework has been developed for almost a year and has
the following features:

  Audit
        - SQL injection detection
        - XSS detection
        - SSI detection
        - Local file include detection
        - Remote file include detection
        - Buffer Overflow detection
        - Format String bugs detection
        - OS Commanding detection
        - Response Splitting detection
        - LDAP Injection detection
        - Basic Authentication bruteforce
        - File upload inside webrot
        - htaccess LIMIT misconfiguration
        - SSL certificate validation
        - XPATH injection detection
        - unSSL (HTTPS documents can be fetched using HTTP)
        - dav

   Discovery
        - Pykto, a nikto port to python
        - Hmap, http fingerprinting.
        - fingerGoogle, finds valid user accounts in google.
        - googleSpider, a spider that uses google.
        - webSpider, a classic web spider.
        - robotsReader
        - urlFuzzer
        - serverHeader, fetches server header
        - allowedMethods, gets a list of allowed HTTP methods.
        - crossDomain, get and parse the flash file crossdomain.xml
        - error404page, generate a regular expression to match 404 pages.
        - sitemapReader, read googles sitemap.xml and parse it.
        - spiderMan, using a localproxy and a human, find new URLs
for auditing.
        - webDiff, find differences between a local and a remote directory.
        - wsdlFinder, find and parse WSDL and DISCO files.

   Grep
        - collectCookies
        - directoryIndexing
        - findComments
        - pathDisclosure
        - strangeHeaders
        - grep for pages using ajax and report them
        - domXss, find DOM cross site scripting vulnerabilities.
        - errorPages, search for eror pages that are too descriptive.
        - fileUpload, find forms with file upload capabilities.
        - getMails
        - http authentication detection
        - objects detection
        - privateIP disclosure detection
        - wsdlGreper, greps every page searching for WSDL documents.

   Output
        - console
        - htmlFile
        - textFile

   Mangle
        - sed, a stream editor for HTTP requests and responses.

   Evasion
        - reversedSlashes
        - rndCase
        - rndHexEncode
        - rndParam
        - rndPath
        - selfReference

   Attack
        - davShell
        - fileUploadShell
        - googleProxy
        - localFileReader
        - mysqlWebShell
        - osCommandingShell
        - remoteFileIncludeShell
        - rfiProxy
        - sqlmap
        - xssBeef

The framework is extended using plugins and is completely written un
python. More info can be found at: http://w3af.sf.net/

Cheers,

--
Andres Riancho
http://w3af.sourceforge.net/ Web App Attack and Audit Framework