Tag Archives: PenTest

Installing / Using W3af

Background

W3af is a vulnerability scanner for web applications. Arbitrarily scanning random webpages / sites without permission from the site owners could get you a visit from law enforcement of the cyber type (FBI in the US). I recently had the opportunity to scan some customer sites with this tool.

Increasing complexity is the nature of life on the Internet, and increasing complexity leads to more flaws and security vulnerabilities. In order to “harden” their systems, Internet companies often have them penetration tested (i.e. pentested). Pentesting is a multistep process that loosely follows these steps:

  1. Network mapping: from the entry point, map out (to the greatest degree possible) everything beyond it that may be accessible to an outside attacker.
  2. Discovery / Auditing: based on this mapping, push and probe each system for known vulnerabilities and weaknesses.
  3. Exploitation: based on the identified weaknesses / vulnerabilities, structure an attack that exploits them to validate / confirm the exposure.

W3af is a tool that automates steps 1 and 2 of this process, enabling a much more thorough scan in a short period of time. Of course like any automation, the results from the tool need to be reviewed and analyzed, since many of the results will be false positives (not real vulnerabilities).

Installation

My first attempt to install W3AF was from the Ubuntu software center, and I did not have much luck with it. The current version in the repository for 12.04 LTS would crash on every scan for me. Based on reports from around the web, this is very common and the symptoms vary, but it was fixable with some effort. Not wanting to create some configuration Frankenstein, I decided a better and faster route to resolution was to go to the source. The W3AF homepage provided the following directions:

    git clone https://github.com/andresriancho/w3af.git
    cd w3af
    ./w3af_gui

This was fairly painless and worked well; however it was not complete. A number of dependencies were identified on the first run of the GUI, along with a pointer to a script to install them. After setting the execute flag on the script, this worked really well, and I was able to launch the w3af GUI. I ran the app from a terminal window so I could monitor the scrolling messages, and on my first scan a message appeared indicating that there was a failed dependency: Python-Webkit.

Usage Notes

After installing this, I discovered that the app would generate a nice graphical map of the website beneath the URL being scanned. Nice. In any case, like many open source projects, it can be very functional, but it has more than a few non-obvious gotchas. Of note:

  • If you set up a number of consecutive scans, the clear data function does not appear to be 100% effective. I noticed that after two or three, the scrolling log display would sometimes stop updating, or the scrolling time graph on the log page would simply not be drawn, leaving a large blank space in the lower right corner. For the most part, exiting the W3AF GUI app and restarting it after each run seemed to clear out whatever cruft was lying around.
  • In an attempt to be productive, I was configuring multiple scan configs for different targets while a long scan was running on the current configuration. This basically trashed the current run and no useful results were produced. Once again, exiting and restarting the app resolved whatever state it thought it was in.
  • Check your reporting / output plugins. Essentially nothing is enabled by default. I created a ~/w3af/reports directory to contain the results and enabled the xml, csv and html reports, pointing them at that directory. Note: even with verbose turned off, there is a lot of data.
  • Although the app can produce a nice pictorial graph of the site (look under the Results / URLs tab), it does not save it or provide a method to save it. Use ‘screenshot’ to capture / save a region.
  • After a run is complete, copy your reports off to a directory that matches the scan config; consecutive runs will overwrite the files.
  • To filter results in the HTML report, open it and search for “Severity: low”, “Severity: medium” or “Severity: high” to count / find issues.
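The last three notes above (report directory, overwritten files, counting by severity string) are easy to script. The following is an added example, not code from the original post or from the w3af project: it tallies the “Severity: …” markers in an HTML report and copies a report set into a per-scan-config archive directory so the next run cannot overwrite it. The report directory layout and the sample report contents are constructed for the example; real w3af HTML output will differ in markup but, per the note above, carries the same “Severity:” strings.

```shell
#!/bin/sh
# Added example (not from w3af or the original post).
# Assumes reports are written to a directory such as ~/w3af/reports as
# described in the post; the sample report below is constructed, not real
# w3af output.

# Count occurrences of "Severity: <level>" (case-insensitive) in a report.
#   $1 = report file, $2 = low | medium | high
count_severity() {
    grep -o -i "Severity: $2" "$1" | wc -l | tr -d ' '
}

# One-line summary of all three levels, e.g. "low=2 medium=1 high=1".
severity_summary() {
    printf 'low=%s medium=%s high=%s\n' \
        "$(count_severity "$1" low)" \
        "$(count_severity "$1" medium)" \
        "$(count_severity "$1" high)"
}

# Copy the html/xml/csv reports in $1 into $1/archive/<config>-<timestamp>/
# so a subsequent run cannot overwrite them.  Prints the archive directory.
#   $1 = report directory, $2 = scan config name (used in the folder name)
archive_reports() {
    dest="$1/archive/$2-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    for f in "$1"/*.html "$1"/*.xml "$1"/*.csv; do
        # An unmatched glob stays literal; the -f test skips it.
        if [ -f "$f" ]; then
            cp "$f" "$dest/"
        fi
    done
    printf '%s\n' "$dest"
}

# Constructed sample report so the script runs stand-alone.  Prints the
# temporary directory that holds report.html.
make_sample_report() {
    dir=$(mktemp -d)
    cat > "$dir/report.html" <<'EOF'
<html><body>
<p>Severity: low - Server header discloses version (constructed sample)</p>
<p>Severity: low - Missing X-Frame-Options header (constructed sample)</p>
<p>Severity: medium - Parameter reflected in response (constructed sample)</p>
<p>Severity: High - Database error message in response (constructed sample)</p>
</body></html>
EOF
    printf '%s\n' "$dir"
}

# Usage when run directly: build the sample, summarize it, archive it.
if [ "${0##*/}" = "w3af_reports.sh" ]; then
    rdir=$(make_sample_report)
    severity_summary "$rdir/report.html"
    archive_reports "$rdir" owasp-top10
fi
```

In practice point `severity_summary` at `~/w3af/reports/*.html` after each run and call `archive_reports ~/w3af/reports <config-name>` before starting the next scan; the timestamp in the folder name keeps repeated runs of the same config from colliding.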

Summary – W3af is fairly solid as a webapp mapper / scanner, and installs easily per the directions on the w3af homepage in less than 30 minutes. It is not well suited to scanning multiple targets concurrently.

Links: W3AF homepage (http://w3af.org/)

Pentesting: Day 1

Occasionally I get the opportunity to do something interesting, and today was one of those days. As part of a customer engagement, we are scanning parts of their public interfaces for vulnerabilities. We are stopping short of actual pen-testing, but are going through the discovery and audit phases to identify vulnerabilities. Last week I had identified two tools I wanted to look at: W3AF and OpenVAS. A critical point: the services we are scanning are web apps / web services. Today was a big day because the customer provided me with an email indicating that I was authorized to scan a certain set of their addresses from a specific address of mine. Not quite a Get Out of Jail Card, but close. This means I can go in with my scanner and be as noisy as I want to be without being too concerned about the FBI showing up at my door.

In any case, I installed and configured both of them today from their respective sources (i.e. http://w3af.org/ and http://www.openvas.org/). Initial impressions are that OpenVAS looks and acts like it could support a continuous monitoring program on a network in a fairly automated manner (post setup), and could scale well. It provides a broad range of network port scanning capabilities against a large number of configured targets, all individually configurable. The W3AF application, on the other hand, is focused on web-app vulnerabilities and works best against a single URL / IP address or target.

Regarding the results, OpenVAS was very fast (i.e. less than 5 minutes) to scan the target but produced no significant vulnerabilities. This can be contrasted with W3AF, which took about an hour to run the OWASP Top 10 scan and produced 100+ low / moderate priority findings.

Bottom line – If you are considering internal continuous monitoring for your network, OpenVAS has a low pain threshold to implement. If on the other hand you are looking to protect your Internet-based webapp, regular scans with W3AF are the better choice.