The Web Application Attack and Audit Framework (w3af) has released a new stable version. The project's goal is a framework for finding and exploiting web application vulnerabilities that is easy to use and extend.
"w3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much more."
Important improvements in this release include:
- Stable code base, an improvement that reduces w3af crashes to a minimum.
- Auto-Update, which will allow you to keep your w3af installation updated without any effort. Always get the latest and greatest from w3af contributors!
- Web Application Payloads: for people who enjoy exploitation techniques, this is one of the most interesting things you'll see in web application security! w3af adds several layers of abstraction around an exploited vulnerability so that payloads can be written against emulated syscalls that read, write and execute files on the compromised web server.
- PHP static code analyzer: as part of a couple of experiments and research projects, Javier Andalia created a PHP static code analyzer that performs tainted-mode analysis of PHP code to identify SQL injection, OS commanding and remote file includes. For now this feature is available as a web application payload: after exploiting a vulnerability, run “payload php_sca”, which downloads the remote PHP code to your box and analyzes it to find more vulnerabilities.
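To illustrate the tainted-mode analysis described above, here is an added, deliberately simplified example in Python; it is not w3af's php_sca code. It tracks values coming from request superglobals through assignments and reports when they reach SQL, command or include sinks, treating a handful of sanitizer calls as clean; the source, sink and sanitizer lists and the PHP sample are constructed for this illustration.

```python
import re

# Constructed toy PHP (not from w3af): a tainted $_GET value reaches SQL,
# include and command sinks; the intval()-sanitized copy must not be flagged.
PHP_SAMPLE = r"""<?php
$id = $_GET['id'];
$safe_id = intval($_GET['id']);
$q = "SELECT * FROM users WHERE id = " . $id;
$r = mysql_query($q);
$r2 = mysql_query("SELECT * FROM users WHERE id = " . $safe_id);
$page = $_REQUEST['page'];
include($page . ".php");
system("ping -c 1 " . $_POST['host']);
"""

SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}   # attacker-controlled input
SANITIZERS = ("intval", "mysql_real_escape_string", "escapeshellarg", "basename")
SINKS = {  # dangerous function -> vulnerability class when fed tainted data
    "mysql_query": "SQL injection",
    "system": "OS commanding", "exec": "OS commanding", "shell_exec": "OS commanding",
    "include": "file inclusion", "require": "file inclusion",
}
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")  # also matches "$x" interpolated in strings
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.*?);\s*$")
SANITIZER_RE = re.compile(r"\b(?:%s)\s*\([^()]*\)" % "|".join(SANITIZERS))
SINK_RE = re.compile(r"\b(%s)\s*\(" % "|".join(SINKS))

def is_tainted(expr, tainted):
    """True if expr uses a source or tainted variable outside a sanitizer call."""
    cleaned = SANITIZER_RE.sub("''", expr)  # a sanitizer's result counts as clean
    return any(v in SOURCES or v in tainted for v in VAR_RE.findall(cleaned))

def analyze(php_source):
    """Line-by-line taint propagation (no control-flow awareness).
    Returns (line, sink, vulnerability) for every sink fed tainted data."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if is_tainted(rhs, tainted):   # assignment propagates taint ...
                tainted.add(var)
            else:                          # ... and a clean reassignment removes it
                tainted.discard(var)
        for sm in SINK_RE.finditer(line):  # rest of the line approximates the args
            if is_tainted(line[sm.end():], tainted):
                findings.append((lineno, sm.group(1), SINKS[sm.group(1)]))
    return findings
```

Running `analyze(PHP_SAMPLE)` reports the SQL injection on line 5, the file inclusion on line 8 and the OS commanding on line 9, while the `intval()` path on line 6 stays silent.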
You can download the Web Application Attack and Audit Framework on SourceForge.
Contributed by SecTechno