Friday, 25 April 2014

Web Vulnerability Testing using Kali and w3af

[Image: example of w3af running]
w3af is the leading web vulnerability testing suite. It includes many plugins which scan a website and expose security flaws. These scans typically take up to 24 hours, as they are very CPU intensive. I have Kali and w3af set up to run against my server; all you need to do is load the 'my server' profile and run it. If the Kali machine is no longer available, the steps below will let you recreate it.

w3af works by manually spidering the web application: you point the browser (Iceweasel) at the local spider_man proxy (127.0.0.1:44444) and then visit every page by hand so that its content is loaded through the proxy. This can take up to 5 minutes; be sure to touch every page, and make sure your server has data in it so the pages are actually populated. Once this is complete, the w3af plugins execute and scan the spidered pages for any issues.

w3af is already part of Kali, so once you have installed and booted it, everything will work. Once installed, do not update Kali using the software updater: this broke my w3af (it was updated from 1.2 to 1.6) and caused a few days of needless troubleshooting! (In short, nothing worked.)

1. Requirements

Kali is resource intensive, so be generous with RAM, CPU and disk for the system. I gave it 4GB of RAM and a 40GB HDD. One of my scans failed because I only had the default 16GB disk (it ran out of space), so be sure to give it lots to work with; the install alone typically takes up to 10GB. For CPU I gave it 4 cores.

2. Using w3af Shell

It is easier to configure w3af via the GUI, but you can use the shell if you wish by typing 'w3af_console'.
To open the GUI, use the command 'w3af_gui'.

3. Using w3af GUI

Found under Applications -> Kali Linux -> Web Applications -> Web Vulnerability Scanners -> w3af
Once this window opens, you will need to create a new profile. If the old 'my server' profile is still present, load that, configure your IP (if needed) and start scanning.
If you are creating a new profile, follow these steps:
  • Create a new profile, type in the profile name and description, then click save.
  • Plugins to enable:
    audit: blindSqli, sqli, xsrf, xss
    discovery: spider_man
    Ensure you have enabled 4 or fewer audit plugins, as the scan will take too long otherwise (and fail).
  • Under Target enter "https://10.1.1.93/" (replacing 10.1.1.93 with your IP). Beside the Target field is the advanced target settings button (the one with two switches on it); click it and set target_os to unix and target_framework to php (apparently this speeds up the scan).
  • Ensure output -> console is enabled. Enable htmlFile and give it the name 'server_report.html'. Do not enable the verbose options: they produce very large files and make the scan run four times longer.
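The GUI steps above have a non-interactive equivalent: a w3af console script fed to w3af_console. The script below is an added example (it is not w3af's own code and was not part of the original post) that renders the same profile as text and runs it. It assumes the 1.2-era console command and plugin names used in this post (audit/discovery, htmlFile with its fileName option, set targetOS / set targetFramework) and that `w3af_console -s <file>` runs a script; later releases renamed several plugins (blind_sqli, csrf, html_file, and discovery became crawl), so confirm the names with `plugins list audit` and `help` inside w3af_console before relying on them.

```python
"""Console-script equivalent of the 'my server' GUI profile.

Added example (not w3af's own code).  Assumptions: the w3af 1.2-era console
command names used below (output/audit/discovery, set targetOS,
set targetFramework, htmlFile's fileName option) and that
`w3af_console -s <file>` runs a script.  Verify with `help` in w3af_console.
"""
import shutil
import subprocess
from pathlib import Path

AUDIT_PLUGINS = ("blindSqli", "sqli", "xsrf", "xss")  # the four from the post
MAX_AUDIT_PLUGINS = 4  # more than this and the scan drags on and fails


def check_profile(target: str, audit_plugins=AUDIT_PLUGINS) -> list:
    """Return a list of problems with the profile settings (empty means fine)."""
    problems = []
    if not target.startswith(("http://", "https://")):
        problems.append("target must be a full URL such as https://10.1.1.93/")
    if not target.endswith("/"):
        problems.append("target should end with / so w3af spiders from the root")
    if len(audit_plugins) > MAX_AUDIT_PLUGINS:
        problems.append(f"enable at most {MAX_AUDIT_PLUGINS} audit plugins")
    if len(set(audit_plugins)) != len(audit_plugins):
        problems.append("duplicate audit plugin names")
    return problems


def build_w3af_script(target: str, report: str = "server_report.html",
                      audit_plugins=AUDIT_PLUGINS,
                      target_os: str = "unix", target_framework: str = "php") -> str:
    """Render console commands mirroring the GUI steps: four audit plugins,
    spider_man (spiderMan in 1.2 naming) for discovery, console plus HTML
    output with verbose off, target OS/framework hints, then start."""
    problems = check_profile(target, audit_plugins)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "plugins",
        "output console,htmlFile",
        "output config htmlFile",
        f"set fileName {report}",
        "set verbose False",  # verbose output balloons the report and slows the scan
        "back",
        "audit " + ",".join(audit_plugins),
        "discovery spiderMan",
        "back",
        "target",
        f"set target {target}",
        f"set targetOS {target_os}",
        f"set targetFramework {target_framework}",
        "back",
        "start",
        "exit",
    ]
    return "\n".join(lines) + "\n"


def write_script(target: str, path: str = "my_server.w3af", **kwargs) -> Path:
    """Write the console script to disk and return its path."""
    script = Path(path)
    script.write_text(build_w3af_script(target, **kwargs))
    return script


def run_scan(script: Path) -> int:
    """Run w3af_console non-interactively on the script; returns its exit code."""
    exe = shutil.which("w3af_console")
    if exe is None:
        raise FileNotFoundError("w3af_console not found on PATH; run this on Kali")
    return subprocess.call([exe, "-s", str(script)])


if __name__ == "__main__":
    import sys
    target_url = sys.argv[1] if len(sys.argv) > 1 else "https://10.1.1.93/"
    path = write_script(target_url)
    print(f"wrote {path}; start the manual spider once w3af listens on 127.0.0.1:44444")
    run_scan(path)
```

Once the script is running, w3af blocks on spider_man until the terminate URL is requested through the proxy, exactly as with the GUI, so the manual spider step is unchanged.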

5. Manual spider

  • If you are testing with new roles and permissions, you get logged out every few minutes because w3af saves the cookie to keep its own session. To work around this, log into the test server first (so you are on the dashboard) before you point your browser at the spider_man proxy.
  • Point the browser proxy to 127.0.0.1, port 44444. I used the Iceweasel browser that comes with Kali just to keep things simple.
  • Click through to every page, open every dialog box, and add, edit, save and delete. You need to touch every .php and -x.php file.
  • Navigate to 127.7.7.7/spiderMan?terminate to end spider_man. I have it saved as a bookmark on 10.1.0.204.
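Touching every page by hand is where pages get missed. The script below is an added example, not part of w3af or the original post, that walks every same-host link on the test server through the spider_man proxy and then requests the terminate URL through the same proxy. It assumes spider_man is listening on 127.0.0.1:44444 (the default quoted above), that the 1.2-style terminate URL applies, and that you pass in the session cookie from a browser you have already logged in with (mirroring the log-in-first workaround). Links containing "logout" or "signout" are skipped so the crawl does not end its own session; the TLS check is disabled only because the test server uses a self-signed certificate.

```python
"""Walk every same-host link through the spider_man proxy, then terminate it.

Added example, not part of w3af or the original post.  Assumptions:
spider_man on 127.0.0.1:44444, the 1.2-style terminate URL, and a session
cookie supplied on the command line (e.g. "PHPSESSID=...").
"""
import ssl
import sys
import urllib.request
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

PROXY = "http://127.0.0.1:44444"
TERMINATE_URL = "http://127.7.7.7/spiderMan?terminate"
SKIP_WORDS = ("logout", "signout")  # following these would kill the session


class LinkCollector(HTMLParser):
    """Collect raw href/src/action values from anchors, frames and forms."""

    def __init__(self):
        super().__init__()
        self.raw = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area", "frame", "iframe", "form"):
            for name, value in attrs:
                if name in ("href", "src", "action") and value:
                    self.raw.append(value)


def extract_links(html: str, base_url: str) -> list:
    """Absolute, de-duplicated same-host http(s) URLs with fragments removed."""
    parser = LinkCollector()
    parser.feed(html)
    host = urlsplit(base_url).netloc
    found = []
    for raw in parser.raw:
        url = urldefrag(urljoin(base_url, raw)).url
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.netloc == host and url not in found:
            found.append(url)
    return found


def should_skip(url: str, skip_words=SKIP_WORDS) -> bool:
    """True for links such as logout.php that must not be followed."""
    return any(word in url.lower() for word in skip_words)


def make_opener(proxy=PROXY, cookie=None, verify_tls=False):
    """urllib opener routed through spider_man; TLS verification is off only
    because the test server has a self-signed certificate."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})]
    if not verify_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    opener = urllib.request.build_opener(*handlers)
    if cookie:
        opener.addheaders.append(("Cookie", cookie))
    return opener


def crawl(start_url: str, opener, max_pages: int = 500) -> list:
    """Breadth-first GET of every reachable same-host page; returns URLs touched."""
    queue, seen, touched = deque([start_url]), set(), []
    while queue and len(touched) < max_pages:
        url = queue.popleft()
        if url in seen or should_skip(url):
            continue
        seen.add(url)
        try:
            with opener.open(url, timeout=30) as resp:
                ctype = resp.headers.get("Content-Type", "")
                body = resp.read().decode("utf-8", "replace")
        except Exception as exc:
            print(f"[!] {url}: {exc}", file=sys.stderr)
            continue
        touched.append(url)
        if "html" in ctype:
            queue.extend(extract_links(body, url))
    return touched


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "https://10.1.1.93/"
    session = sys.argv[2] if len(sys.argv) > 2 else None
    opener = make_opener(cookie=session)
    pages = crawl(start, opener)
    print(f"touched {len(pages)} pages through spider_man")
    opener.open(TERMINATE_URL, timeout=30)  # must also go through the proxy
```

This only issues GET requests, so it finds the pages but does not exercise the add, edit, save and delete actions; those form submissions still have to be done by hand in the browser before terminating spider_man, otherwise the audit plugins never see them.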

6. 24 hours later…

w3af takes time to run; you will see the progress window under the log screen. The audit plugins take most of the time. Results are populated as they are found.
