w3af - Plugins



This is the list of plugins available in w3af. If you have any comments or feature requests, don't hesitate to send them to the w3af mailing list. A list of features provided by the framework is available here.

audit
    xsrf
    htaccessMethods
    sqli
    sslCertificate
    fileUpload
    mxInjection
    generic
    localFileInclude
    unSSL
    xpath
    osCommanding
    remoteFileInclude
    dav
    ssi
    eval
    buffOverflow
    xss
    xst
    blindSqli
    formatString
    preg_replace
    globalRedirect
    LDAPi
    phishingVector
    frontpage
    responseSplitting


bruteforce
    formAuthBrute
    basicAuthBrute


grep
    dotNetEventValidation
    pathDisclosure
    codeDisclosure
    blankBody
    metaTags
    motw
    privateIP
    directoryIndexing
    svnUsers
    ssn
    fileUpload
    strangeHTTPCode
    hashFind
    getMails
    httpAuthDetect
    wsdlGreper
    newline
    passwordProfiling
    domXss
    ajax
    findComments
    httpInBody
    strangeHeaders
    lang
    errorPages
    collectCookies
    strangeParameters
    error500
    objects
    creditCards
    oracle
    feeds


evasion
    shiftOutShiftInBetweenDots
    backSpaceBetweenDots
    rndPath
    selfReference
    modsecurity
    rndCase
    rndHexEncode
    reversedSlashes
    fullWidthEncode
    rndParam


attack
    sqlmap
    osCommandingShell
    xssBeef
    localFileReader
    rfiProxy
    remoteFileIncludeShell
    davShell
    eval
    fileUploadShell
    sql_webshell


output
    htmlFile
    xmlFile
    textFile
    console
    gtkOutput


mangle
    sed


discovery
    webDiff
    sitemapReader
    detectReverseProxy
    phpEggs
    spiderMan
    urlFuzzer
    userDir
    findvhost
    fingerprint_os
    findBackdoor
    wordnet
    zone_h
    performance_testing
    robotsReader
    sharedHosting
    afd
    allowedMethods
    phpinfo
    importResults
    findCaptchas
    serverStatus
    oracleDiscovery
    yahooSiteExplorer
    frontpage_version
    detectTransparentProxy
    dnsWildcard
    webSpider
    fingerMSN
    googleSets
    digitSum
    halberd
    domain_dot
    MSNSpider
    fingerprint_WAF
    serverHeader
    wsdlFinder
    pykto
    crossDomain
    fingerPKS
    googleSpider
    hmap
    phishtank
    fingerGoogle
    dotNetErrors
    archiveDotOrg
    ghdb

audit


xsrf

    

        This plugin finds Cross Site Request Forgery (XSRF) vulnerabilities.
        
        Only the simplest type of XSRF is checked: to be considered vulnerable, the web application must have sent a permanent
        cookie, and the application must have query string parameters.
        



htaccessMethods

    

        This plugin finds .htaccess misconfigurations in the LIMIT configuration parameter.
        
        This plugin is based on a paper written by Frame and madjoker from
        kernelpanik.org. The paper is called: "htaccess: bilbao method exposed"
        
        The idea of the technique (and the plugin) is to exploit common misconfigurations
        of .htaccess files like this one:
        
            <LIMIT GET>
                require valid-user
            </LIMIT>
        
        The configuration only allows authenticated users to perform GET requests, but POST
        requests (for example) can be performed by any user.
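The following is an added example, not code from the w3af project or from the kernelpanik.org paper: a small .htaccess linter that flags the misconfiguration described above, where the only "require" directive lives inside a <Limit> block so that every method not listed there is served without authentication. The two .htaccess fragments are constructed for the example; the fix shown is the usual one of placing "require" outside any <Limit> block.

```python
import re

# Constructed sample .htaccess fragments (not taken from the w3af project or the
# kernelpanik.org paper). The first shows the misconfiguration described above,
# the second the usual fix: the 'require' directive outside any <Limit> block.
VULNERABLE_HTACCESS = """
AuthType Basic
AuthName "Restricted area"
AuthUserFile /var/www/.htpasswd
<Limit GET>
    require valid-user
</Limit>
"""

FIXED_HTACCESS = """
AuthType Basic
AuthName "Restricted area"
AuthUserFile /var/www/.htpasswd
require valid-user
"""

# Matches <Limit ...>...</Limit> and <LimitExcept ...>...</LimitExcept> blocks.
BLOCK_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]*)>(.*?)</\1>",
                      re.IGNORECASE | re.DOTALL)
REQUIRE_RE = re.compile(r"^\s*require\b", re.IGNORECASE | re.MULTILINE)


def find_limit_blocks(htaccess):
    """Return (directive, [methods], has_require) for every Limit/LimitExcept block."""
    blocks = []
    for m in BLOCK_RE.finditer(htaccess):
        directive = m.group(1).lower()
        methods = m.group(2).split()
        has_require = REQUIRE_RE.search(m.group(3)) is not None
        blocks.append((directive, methods, has_require))
    return blocks


def require_outside_limit(htaccess):
    """True if some 'require' directive applies regardless of the HTTP method."""
    return REQUIRE_RE.search(BLOCK_RE.sub("", htaccess)) is not None


def is_method_limited_auth(htaccess):
    """True when authentication is enforced only for the methods named in <Limit>.

    That is the 'bilbao' misconfiguration: any method not listed (POST, PUT,
    DELETE, ...) reaches the resource without credentials.
    """
    if require_outside_limit(htaccess):
        return False
    return any(directive == "limit" and has_require
               for directive, _methods, has_require in find_limit_blocks(htaccess))


def unprotected_methods(htaccess, all_methods=("GET", "POST", "PUT", "DELETE", "OPTIONS")):
    """Methods that a limited <Limit> block leaves unauthenticated (empty if none)."""
    if not is_method_limited_auth(htaccess):
        return []
    limited = set()
    for directive, methods, has_require in find_limit_blocks(htaccess):
        if directive == "limit" and has_require:
            limited.update(m.upper() for m in methods)
    return [m for m in all_methods if m not in limited]


if __name__ == "__main__":
    print("vulnerable:", unprotected_methods(VULNERABLE_HTACCESS))
    print("fixed:", unprotected_methods(FIXED_HTACCESS))
```

The check is deliberately conservative: a "require" anywhere outside a <Limit> block is taken to cover all methods, so a file that mixes both styles is reported as safe. The method list passed to unprotected_methods is only the set a reviewer wants to see; Apache accepts any method name in a request, which is why the correct fix is not a longer <Limit> list but an unconditional "require".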
        



sqli

    

        This plugin finds SQL injections. To find these vulnerabilities the plugin sends the string d'z"0 to every
        injection point, and searches for SQL errors in the response body.
        



sslCertificate

    

        This plugin audits SSL certificate parameters.

        Note: It's only useful when testing HTTPS sites.
        



fileUpload

    

        This plugin will try to exploit insecure file upload forms.
        
        One configurable parameter exists:
            - extensions
        
        The extensions parameter is a comma separated list of extensions that this plugin will try to upload. Many web applications
        verify the extension of the file being uploaded; if special extensions are required, they can be added here.
    
        Some web applications check the contents of the files being uploaded to see if they are really what their extension
        claims. To bypass this check, this plugin uses file templates located at "plugins/audit/fileUpload/"; these templates
        are valid files for each extension that have a section (the comment field in a GIF file, for example) that can be replaced
        by scripting code (PHP, ASP, etc.).
        
        After uploading the file, this plugin will try to find it in common directories like "upload" and "files" under every known directory.
        If the file is found, a vulnerability exists.
        



mxInjection

    

        This plugin will find MX injections. This kind of web application error is mostly seen in
        webmail software. The tests are simple: for every injectable parameter a string with
        special meaning to the mail server is sent, and if a mail server error is found in the response,
        a vulnerability has been found.
        



generic

    

        This plugin finds all kinds of bugs without using a fixed database of errors. This is a new
        kind of methodology that solves the main problem of most web application security scanners.
        



localFileInclude

    

        This plugin will find local file include vulnerabilities. This is done by sending to all injectable parameters
        file paths like "../../../../../etc/passwd" and searching in the response for strings like "root:x:0:0:".
        



unSSL

    

        This plugin verifies that URLs that are available over HTTPS aren't also available over the insecure
        HTTP protocol.

        To detect this, the plugin simply requests "https://abc/a.asp" and "http://abc/a.asp" and if both responses are
        equal, a vulnerability is found.
        



xpath

    

        This plugin finds XPATH injections.
        
        To find these vulnerabilities the plugin sends the string "d'z'0" to every injection point,
        and searches the response for XPATH errors.
        



osCommanding

    

        This plugin will find OS commanding vulnerabilities. The detection is performed using two different techniques:
            - Time delays
            - Writing a known file to the HTML output
        
        With time delays, the plugin sends specially crafted requests that, if the vulnerability is present, will delay
        the response for 5 seconds (ping -c 5 localhost).
        
        When using the second technique, the plugin sends specially crafted requests that, if the vulnerability is present,
        will print the content of a known file (e.g. /etc/passwd) to the HTML output.
        
        This plugin has a rather long list of command separators, like ";" and "`", to try to match all programming languages,
        platforms and installations.
        



remoteFileInclude

    

        This plugin finds remote file inclusion vulnerabilities.
        
        Three configurable parameters exist:
            - listenAddress
            - listenPort
            - usew3afSite
        
        There are two ways of running this plugin, one is the most common one, by using the w3af
        site ( w3af.sf.net ) as the place from where the target web application will fetch the
        remote file. The other way to test for inclusion is to run a webserver on the local machine
        that is performing the scan. The second option is configured using the "listenAddress" and
        "listenPort" parameters.
        



dav

    

        This plugin finds WebDAV configuration errors. These errors are generally server configuration errors rather
        than web application errors. To check for vulnerabilities of this kind, the plugin will try to PUT a file in a directory
        that has WebDAV enabled; if the file is uploaded successfully, then a bug has been found.
        



ssi

    

        This plugin finds server side include (SSI) vulnerabilities.
        



eval

    

        This plugin finds eval() input injection vulnerabilities. These vulnerabilities are found in
        web applications when the developer passes user-controlled data to the eval() function.
        To check for vulnerabilities of this kind, the plugin sends an echo function with two
        randomized strings as parameters (echo 'abc' + 'xyz'), and if the resulting HTML matches
        the string that corresponds to the evaluation of the expression ('abcxyz') then a
        vulnerability has been found.
        



buffOverflow

    

        This plugin finds buffer overflow vulnerabilities.
        
        Users have to know that detecting a buffer overflow vulnerability will only be possible if the server is configured
        to return errors, and the application is developed in cgi-c or some other language that allows the programmer to
        do their own memory management.
        



xss

    

        This plugin finds Cross Site Scripting (XSS) vulnerabilities.
        
        Two configurable parameters exist:
            - checkStored
            - numberOfChecks
            
        To find XSS bugs the plugin will send a set of javascript strings to every parameter, and search for that input in
        the response. The parameter "checkStored" configures the plugin to store all data sent to the web application
        and at the end, request all pages again searching for that input; the numberOfChecks determines how many
        javascript strings are sent to every injection point.
        



xst

    

        This plugin finds the Cross Site Tracing (XST) vulnerability.
        
        No configurable parameters.
            
        The TRACE method echoes back requests sent to it. This plugin sends a
        TRACE request to the server and if the request is echoed back then XST
        is confirmed.
        



blindSqli

    

        This plugin finds blind SQL injections.
        
        Two configurable parameters exist:
            - equAlgorithm
            - equalLimit
        
        The equAlgorithm parameter configures how the comparison of pages is done; the options for equAlgorithm are:
            - stringEq
            - setIntersection
            
        The classic way of matching two strings is "stringEq", in Python this is "string1 == string2", but other ways have been
        developed for sites that have changing banners and random data in their HTML response. "setIntersection" will create
        two different sets with the words inside the two HTML responses, and compute their intersection. If the number of words that are
        in the intersection set divided by the total words is greater than "equalLimit", then the responses are considered equal.
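As an added example (not the plugin's own code), both comparison algorithms implemented side by side, with three constructed responses: two answers to the same logically-true query that differ only in a rotating banner and a timestamp, and one answer to a logically-false query. "stringEq" treats the first pair as different, while "setIntersection" with an equalLimit of 0.75 treats them as equal and still separates the false page. One assumption is made explicit in the code: "total words" is read as the union of the two word sets.

```python
import re

# Constructed HTML responses (not real w3af output): two responses to the same
# logically-true query that differ only in a rotating banner and a timestamp,
# and one response to a logically-false query.
PAGE_TRUE_A = ("<html><h1>Welcome</h1><p>Banner of the day: cats</p>"
               "<p>Product 42: Blue widget</p><small>Served 12:00:01</small></html>")
PAGE_TRUE_B = ("<html><h1>Welcome</h1><p>Banner of the day: dogs</p>"
               "<p>Product 42: Blue widget</p><small>Served 12:00:07</small></html>")
PAGE_FALSE = ("<html><h1>Welcome</h1><p>Banner of the day: cats</p>"
              "<p>No product found</p><small>Served 12:00:09</small></html>")

WORD_RE = re.compile(r"\w+")


def string_eq(body_a, body_b):
    """The 'stringEq' algorithm: the two bodies must be identical."""
    return body_a == body_b


def word_set(body):
    """Distinct words of a response body, the sets 'setIntersection' builds."""
    return set(WORD_RE.findall(body))


def set_intersection_ratio(body_a, body_b):
    """Shared distinct words divided by total distinct words.

    Assumption: 'total words' in the description is read as the union of the
    two word sets, so the ratio is 1.0 for identical pages and 0.0 for pages
    with no word in common.
    """
    a, b = word_set(body_a), word_set(body_b)
    union = a | b
    if not union:
        return 1.0
    return len(a & b) / len(union)


def set_intersection_eq(body_a, body_b, equal_limit):
    """The 'setIntersection' algorithm: equal when the ratio exceeds equalLimit."""
    return set_intersection_ratio(body_a, body_b) > equal_limit


def pages_equal(body_a, body_b, equ_algorithm="stringEq", equal_limit=0.75):
    """Dispatch on the equAlgorithm option the way the plugin's configuration does."""
    if equ_algorithm == "stringEq":
        return string_eq(body_a, body_b)
    if equ_algorithm == "setIntersection":
        return set_intersection_eq(body_a, body_b, equal_limit)
    raise ValueError("unknown equAlgorithm: %r" % equ_algorithm)


if __name__ == "__main__":
    for algo in ("stringEq", "setIntersection"):
        print(algo, "true/true:", pages_equal(PAGE_TRUE_A, PAGE_TRUE_B, algo),
              "true/false:", pages_equal(PAGE_TRUE_A, PAGE_FALSE, algo))
```

The ratios for the sample pages are 0.8 (true/true) and about 0.59 (true/false), so equalLimit has to sit between the noise introduced by the banner and the real difference in content; too low a limit hides the injection, too high a limit produces false positives on every page with dynamic content.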
        



formatString

    

        This plugin finds format string bugs.
        
        Users have to know that detecting a format string vulnerability will only be possible if the server is configured
        to return errors, and the application is developed in cgi-c or some other language that allows the programmer to
        make this kind of mistake.
        



preg_replace

    

        This plugin will find preg_replace vulnerabilities. This PHP function is vulnerable when the user
        can control the regular expression or the content of the string being analyzed and the regular expression
        has the 'e' modifier.
        
        Right now this plugin will only find preg_replace vulnerabilities when PHP is configured to show errors,
        but a new version will find "blind" preg_replace errors.
        



globalRedirect

    

        This plugin finds global redirection vulnerabilities. This kind of bug is used for
        phishing and other identity theft attacks. A common example of a global redirection
        would be a script that takes a "url" parameter and, when this page is requested, sends an HTTP
        302 response with the Location header set to the value of the url parameter.
        
        Global redirection vulnerabilities can be found in javascript, META tags and 302 / 301
        HTTP return codes.
        



LDAPi

    

        This plugin will find LDAP injections by sending a specially crafted string to every
        parameter and analyzing the response for LDAP errors.
        



phishingVector

    

        This plugin finds phishing vectors in web applications. For example, a bug of this type is found
        if the URL "http://site.tld/asd.asp?info=http://attacker.tld" is requested and in the response
        HTML the web application sends:
            ...
            <iframe src="http://attacker.tld">
            ....
        



frontpage

    

        This plugin audits the frontpage extension configuration by trying to upload a file to the remote server
        using the author.dll script provided by FrontPage.
        



responseSplitting

    

        This plugin will find response splitting vulnerabilities.
        
        The detection is done by sending "w3af\r\nVulnerable: Yes" to every injection point, and reading the
        response headers searching for a header with name "Vulnerable" and value "Yes".
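An added example, not code from w3af: the server-side defect this plugin looks for next to its hardened form, and the scanner-side check run over the resulting header block. A redirect handler copies a request parameter into the Location header; the unsafe version lets the probe string above create a second header line, the safe version refuses any CR or LF in a header name or value. The redirect handler and its inputs are constructed for the example.

```python
import re

# The probe string named in the description.
PROBE = "w3af\r\nVulnerable: Yes"

CRLF_RE = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would start a new header line."""


def add_header_unsafe(header_lines, name, value):
    """The defect the plugin detects: user input copied verbatim into a header."""
    header_lines.append("%s: %s" % (name, value))
    return header_lines


def add_header_safe(header_lines, name, value):
    """Hardened form: refuse CR or LF anywhere in the name or the value."""
    if CRLF_RE.search(name) or CRLF_RE.search(value):
        raise HeaderInjectionError("CR/LF not allowed in header %r" % name)
    header_lines.append("%s: %s" % (name, value))
    return header_lines


def parse_header_block(raw):
    """Split a raw header block on CRLF into a {lower-name: value} dict,
    which is how the client (and the scanner) sees it."""
    parsed = {}
    for line in raw.split("\r\n"):
        if ":" in line:
            key, val = line.split(":", 1)
            parsed[key.strip().lower()] = val.strip()
    return parsed


def splitting_detected(header_lines):
    """The plugin's check: a header named 'Vulnerable' with value 'Yes' appeared."""
    parsed = parse_header_block("\r\n".join(header_lines))
    return parsed.get("vulnerable", "").lower() == "yes"


def build_redirect(location, safe):
    """Constructed redirect whose Location value comes straight from a request parameter."""
    lines = ["HTTP/1.1 302 Found"]
    adder = add_header_safe if safe else add_header_unsafe
    return adder(lines, "Location", location)


if __name__ == "__main__":
    print("unsafe handler, probe:", splitting_detected(build_redirect(PROBE, safe=False)))
    print("unsafe handler, normal:", splitting_detected(build_redirect("/home", safe=False)))
    try:
        build_redirect(PROBE, safe=True)
    except HeaderInjectionError as e:
        print("safe handler rejected:", e)
```

Rejecting the request outright is preferable to stripping the CR/LF pair, because a silently modified Location is itself a sign that the input was never meant to be a URL; most modern HTTP libraries already raise on CR/LF in header values, so the unsafe function above models older or hand-rolled header writers.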
        



bruteforce


formAuthBrute

    

        This plugin bruteforces form authentication logins.
        
        Nine configurable parameters exist:
            - usersFile
            - stopOnFirst
            - passwdFile
            - passEqUser
            - useMailUsers
            - useSvnUsers
            - useMails
            - useProfiling
            - profilingNumber
        
        This plugin will take users from the file pointed by "usersFile", mail users found on the site ( if "useMailUsers" is
        set to True ), mails found on the site ( if "useMails" is set to True ), and svn users found on the site ( if "useSvnUsers"
        is set to True ).
        
        This plugin will take passwords from the file pointed by "passwdFile" and the result of the password profiling plugin
        ( if "useProfiling" is set to True). The profilingNumber sets the number of results from the password profiling plugin
        to use in the password field.
        
        The "stopOnFirst" parameter indicates if the bruteforce will stop when finding the first valid credentials or not.
        



basicAuthBrute

    

        This plugin bruteforces basic authentication logins.
        
        Nine configurable parameters exist:
            - usersFile
            - stopOnFirst
            - passwdFile
            - passEqUser
            - useMailUsers
            - useSvnUsers
            - useMails
            - useProfiling
            - profilingNumber
        
        This plugin will take users from the file pointed by "usersFile", mail users found on the site ( if "useMailUsers" is
        set to True ), mails found on the site ( if "useMails" is set to True ), and svn users found on the site ( if "useSvnUsers"
        is set to True ).
        
        This plugin will take passwords from the file pointed by "passwdFile" and the result of the password profiling plugin
        ( if "useProfiling" is set to True). The profilingNumber sets the number of results from the password profiling plugin
        to use in the password field.
        
        The "stopOnFirst" parameter indicates if the bruteforce will stop when finding the first valid credentials or not.
        



grep


dotNetEventValidation

    

        ASP.NET implements a method to verify that every postback comes from the corresponding control, which is called EventValidation.
        In some cases the developers disable this kind of verifications by adding EnableEventValidation="false" to the .aspx file header, or
        in the web.config/system.config file.

        This plugin finds pages that have event validation disabled. In some cases, if you analyze the logic of the program and event validation
        is disabled, you'll be able to bypass authorizations or some other controls.
        



pathDisclosure

    

        This plugin greps every page for path disclosure vulnerabilities like:
        
            - C:\www\files\...
            - /var/www/htdocs/...
            
        The results are saved to the KB, and used by all the plugins that need to know the location
        of a file inside the remote web server.
        



codeDisclosure

    

        This plugin greps every page in order to find code disclosures. Basically it greps for
        '<?.*?>' and '<%.*%>' using the re module and reports findings.

        Code disclosures are usually generated due to web server misconfigurations, or weird web
        application "features".
        



blankBody

    

        This plugin finds HTTP responses with a blank body, these responses may indicate errors or
        misconfigurations in the web application or the web server.
        



metaTags

    

        This plugin greps every page for interesting meta tags. Some interesting meta tags are the ones
        that contain: 'microsoft', 'visual', 'linux'.
        



motw

    

        This plugin will report whether the page is compliant with the MOTW standard. The standard is explained in:
            - http://msdn2.microsoft.com/en-us/library/ms537628.aspx
            
        This plugin tests whether the URL length declared by "(XYZW)" is lower than, equal to or greater than the actual length of the
        URL; it also reports the existence of this tag in the body of all analyzed pages.
        
        One configurable parameter exists:
            - withoutMOTW
            
        If "withoutMOTW" is enabled, the plugin will show all URLs that don't contain a MOTW.
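As an added example (not the plugin's code), a parser for the Mark of the Web comment and the length check described above. In the MOTW format the four digits in parentheses are the character count of the URL that follows, so "(0014)about:internet" is consistent and "(0010)http://www.example.com" is not. The sample pages and the report function that mimics the withoutMOTW option are constructed for the example.

```python
import re

# MOTW comment as documented by Microsoft: the four digits in parentheses are the
# length, in characters, of the URL that follows.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)

# Constructed sample pages (not scanner output).
PAGES = {
    "/index.html": "<html><!-- saved from url=(0014)about:internet --><body>ok</body></html>",
    "/docs.html": "<html><!-- saved from url=(0022)http://www.example.com --></html>",
    "/broken.html": "<html><!-- saved from url=(0010)http://www.example.com --></html>",
    "/plain.html": "<html><body>no mark of the web here</body></html>",
}


def find_motw(html):
    """Return (declared_length, url) for the first MOTW comment, or None."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def check_motw(html):
    """'missing', or how the declared length compares to the real URL length:
    'equal', 'lower' or 'greater'."""
    found = find_motw(html)
    if found is None:
        return "missing"
    declared, url = found
    if declared == len(url):
        return "equal"
    return "lower" if declared < len(url) else "greater"


def motw_report(pages, without_motw=False):
    """Mimic the plugin's output: pages carrying a MOTW tag with their length check;
    with without_motw=True (the 'withoutMOTW' option) also list pages lacking one."""
    report = []
    for url, html in sorted(pages.items()):
        status = check_motw(html)
        if status == "missing" and not without_motw:
            continue
        report.append((url, status))
    return report


if __name__ == "__main__":
    for url, status in motw_report(PAGES, without_motw=True):
        print(url, status)
```

A page whose declared length disagrees with the URL is the interesting finding: Internet Explorer decides the security zone from the mark, and a malformed mark means the page was either hand-edited or generated by a tool that does not understand the format.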
        



privateIP

    

        This plugin greps every page body and headers for private IP addresses.
        



directoryIndexing

    

        This plugin greps every response for directory indexing problems.
        



svnUsers

    

        This plugin greps every page for users of the versioning system. Sometimes the HTML pages are
        versioned using CVS or SVN, if the header of the versioning system is saved as a comment in this page,
        the user that edited the page will be saved on that header and will be added to the knowledgeBase.
        



ssn

    

        This plugin scans every response page to find strings that are likely to be
        US social security numbers.
        



fileUpload

    

        This plugin greps every page for forms with file upload capabilities.
        



strangeHTTPCode

    

        Analyze HTTP response codes sent by the remote web application and report uncommon findings.
        



hashFind

    

        This plugin identifies hashes in HTTP responses.
        



getMails

    

        This plugin greps every page for mails; these mails can later be used by the bruteforce plugins and are
        of great value when doing a complete penetration test.
        



httpAuthDetect

    

        This plugin greps every page and finds responses that indicate that the resource requires
        authentication.
        



wsdlGreper

    

        This plugin greps every page for WSDL definitions.
        
        Not all WSDLs are found by appending "?WSDL" to the URL as the discovery.wsdlFinder
        plugin does; this grep plugin will find some WSDLs that aren't found by the
        discovery plugin.
        



newline

    

        This plugin identifies the type of newline used in every page. At the end, it will report if a page was
        generated using a Windows, Linux or Mac editor, or maybe a combination of two.
        
        Note: I don't know if this plugin has any real use... but it was one of a group of many ideas...
        maybe sometime this rather useless plugin will rise from the dead and tell us what its purpose is.
        



passwordProfiling

    

        This plugin creates a list of possible passwords by reading responses and counting the most
        common words.
        



domXss

    

        This plugin greps every page for traces of DOM XSS. An interesting paper about DOM XSS
        can be found here:
            - http://www.webappsec.org/projects/articles/071105.shtml
        



ajax

    

        This plugin greps every page for traces of Ajax code.
        



findComments

    

        This plugin greps every page for comments, special comments like the ones containing the words
        "password" or "user" are specially reported.
        



httpInBody

    

        This plugin searches for HTTP responses that contain other HTTP request/responses in their response body. This
        situation is mostly seen when programmers enable some kind of debugging for the web application, and print the
        original request in the response HTML as a comment.
        
        No configurable parameters exist.
        



strangeHeaders

    

        This plugin greps all headers for non-common headers. This could be useful to identify special modules
        and features added to the server.
        



lang

    

        This plugin reads N pages and determines the language the site is written in. This is done
        by saving a list of prepositions in different languages, and counting the number of matches
        on every page.
        



errorPages

    

        This plugin scans every page for error pages, and if possible extracts the web server
        or programming framework information.
        



collectCookies

    

        This plugin greps every response for session cookies that the web application sends
        to the client, and analyzes them in order to identify potential vulnerabilities, the
        remote web application framework and other interesting information.
        



strangeParameters

    

        This plugin greps all responses and tries to identify URIs with strange parameters, some examples of strange
        parameters are:
            - http://a/?b=method(a,c)
            - http://a/?c=x|y|z|d
        



error500

    

        This plugin greps every page for error 500 pages that haven't been caught by other plugins. By enabling this,
        you are enabling a "safety net" that will catch all bugs that haven't been caught by other plugins.
        



objects

    

        This plugin greps every page for applets and other types of objects.
        



creditCards

    

        This plugin scans every response page to find strings that are likely to be
        credit card numbers. It can be tested against the following URL:
            - https://www.paypal.com/en_US/vhelp/paypalmanager_help/credit_card_numbers.htm
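An added example, not the plugin's own code, of the kind of check this grep performs: a regular expression picks out runs of 13 to 19 digits (allowing single spaces or dashes between groups) and the Luhn checksum discards the candidates that cannot be card numbers, which is what keeps order references and similar digit runs out of the report. The response body is constructed; 4111111111111111 and 5500000000000004 are widely published test numbers, not real cards.

```python
import re

# Constructed response body (not scanner output). 4111111111111111 and
# 5500000000000004 are well-known test numbers that satisfy the Luhn check;
# the 16-digit order reference does not.
SAMPLE_BODY = """
<p>Order ref: 1234567890123456</p>
<p>Card on file: 4111 1111 1111 1111 (exp 12/29)</p>
<p>Backup card: 5500-0000-0000-0004</p>
<p>Support: +1 555 0100</p>
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_credit_cards(body):
    """Digit strings in body that look like card numbers and pass Luhn,
    in the order they appear."""
    found = []
    for m in CANDIDATE_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    for number in find_credit_cards(SAMPLE_BODY):
        print("possible card number:", number[:6] + "*" * (len(number) - 10) + number[-4:])
```

Luhn removes about nine in ten random digit runs, not all of them, so a hit is still a candidate for manual review; when reporting, mask all but the first six and last four digits so the scan output does not itself become a copy of the data it was looking for.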
        



oracle

    

        This plugin greps every page for Oracle messages, versions, etc.
        



feeds

    

        This plugin greps every page and finds RSS, Atom and OPML feeds on them. This may be useful for
        determining the feed generator and with that, the framework being used. Also this will be helpful
        for testing feed injection.
        



evasion


shiftOutShiftInBetweenDots

    

        This evasion plugin inserts shift-out and shift-in control characters between the dots; the two
        characters cancel each other out when decoded, so some ".." filters are bypassed.

        Example:
            Input:      '../../../../../../../../etc/passwd'
            Output:     '.%0E%0F./.%0E%0F./.%0E%0F./.%0E%0F./.%0E%0F./.%0E%0F./.%0E%0F./.%0E%0F./etc/passwd'
        



backSpaceBetweenDots

    

        This evasion plugin inserts an 'A' and a backspace control character between the dots; the two
        characters cancel each other out when decoded, so some ".." filters are bypassed.

        Example:
            Input:      '../../../../../../../../etc/passwd'
            Output:     '.%41%08./.%41%08./.%41%08./.%41%08./.%41%08./.%41%08./.%41%08./.%41%08./etc/passwd'
        



rndPath

    

        This evasion plugin adds a random path to the URI.
        
        Example:
            Input:      '/bar/foo.asp'
            Output:     '/aflsasfasfkn/../bar/foo.asp'
        



selfReference

    

        This evasion plugin adds a directory self reference.
        
        Example:
            Input:      '/bar/foo.asp'
            Output:     '/bar/./foo.asp'
        



modsecurity

    

        This evasion plugin performs the bypass for mod_security version 2.1.0 or earlier described here:
            - http://www.php-security.org/MOPB/BONUS-12-2007.html
        
        Important: The evasion only works for postdata.
        
        Example:
            Postdata Input:     'a=b'
            Postdata Output:    '\x00a=b'
        



rndCase

    

        This evasion plugin changes the case of random letters.
        
        Example:
            Input:      '/bar/foo.asp'
            Output:     '/BAr/foO.Asp'
        



rndHexEncode

    

        This evasion plugin adds random hex encoding.
        
        Example:
            Input:      '/bar/foo.asp'
            Output:     '/b%61r/%66oo.asp'
        



reversedSlashes

    

        This evasion plugin changes the slashes from / to \.
        
        Example:
            Input:      '/bar/foo.asp'
            Output:     '\bar\foo.asp'
        



fullWidthEncode

    

        This evasion plugin does full width encoding as described here:
            - http://www.kb.cert.org/vuls/id/739224
        
        Example:
            Input:      '/bar/foo.asp'
            Output:     '/b%uFF61r/%uFF66oo.asp'
        



rndParam

    

        This evasion plugin adds a random parameter.
        
        Example:
            Input:      '/bar/foo.asp'
            Output:     '/bar/foo.asp?alsfkj=f09'
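The evasion plugins in this section all exist because a filter that looks at the raw request path for a literal ".." sees nothing wrong with the transformed paths. The following is an added example, not w3af code, of the defender's answer: canonicalize first, then decide. It undoes every transformation listed above (query string, percent and %u encoding, double encoding, the SO/SI and 'A'+backspace tricks, reversed slashes, self references and random path segments) and only then checks whether the path climbs above the served directory. The %uFFxx handling is an assumption modelled on the VU#739224 description (the high byte is dropped and the low byte used); the naive filter is constructed to show what the plugins bypass.

```python
import posixpath
import re
from urllib.parse import unquote


def naive_traversal_filter(raw_path):
    """A filter of the kind the evasion plugins target: it rejects only a
    literal '..' in the raw request path. Returns True when the path passes."""
    return ".." not in raw_path


UNICODE_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")
BACKSPACE_PAIR_RE = re.compile(r"[^\x08]\x08")    # any character followed by BS
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")       # remaining C0 controls and DEL


def decode_unicode_escapes(s):
    """%uXXXX decoding as a lenient server would do it. Assumption modelled on
    VU#739224: for %uFFxx the high byte is dropped and the low byte used."""
    def repl(m):
        code = int(m.group(1), 16)
        if code >> 8 == 0xFF:
            return chr(code & 0xFF)
        return chr(code)
    return UNICODE_ESC_RE.sub(repl, s)


def canonicalize(raw_path):
    """Undo the evasion transformations and return a normalised relative path;
    '..' segments that survive mean the path leaves the served root."""
    path = raw_path.split("?", 1)[0]            # rndParam: the query string is not the path
    prev = None
    while prev != path:                         # rndHexEncode, fullWidthEncode, double encoding
        prev = path
        path = decode_unicode_escapes(unquote(path))
    path = BACKSPACE_PAIR_RE.sub("", path)      # backSpaceBetweenDots: 'A' + BS cancel out
    path = CONTROL_RE.sub("", path)             # shiftOutShiftInBetweenDots: SO/SI vanish
    path = path.replace("\\", "/")              # reversedSlashes
    path = path.lstrip("/")
    return posixpath.normpath(path)             # selfReference, rndPath, genuine '..'


def escapes_root(raw_path):
    """True if the canonical path climbs above the served directory."""
    canon = canonicalize(raw_path)
    return canon == ".." or canon.startswith("../")


if __name__ == "__main__":
    for p in ("../../etc/passwd", ".%0E%0F./.%0E%0F./etc/passwd",
              ".%41%08./.%41%08./etc/passwd", "/b%uFF61r/%uFF66oo.asp"):
        print("%-32s naive filter passes: %-5s escapes root: %s"
              % (p, naive_traversal_filter(p), escapes_root(p)))
```

The decode loop runs until the string stops changing, which is what catches double encoding; the backspace pairs are collapsed before the other control characters are stripped, because stripping first would leave the 'A' behind and turn ".A." into a harmless segment. Case (rndCase) is deliberately left alone, since it does not affect traversal on a case-sensitive filesystem; on a case-insensitive one, lower-case the result before comparing against an allow list.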
        



attack


sqlmap

    

        This plugin exploits [blind] sql injections.
        
        The original sqlmap program was coded by Bernardo Damele and Daniele Bellucci, many thanks to both of
        them.
        
        Six configurable parameters exist:
            - url
            - method
            - data
            - injvar
            - equAlgorithm
            - equalLimit
        



osCommandingShell

    

        This plugin exploits os commanding vulnerabilities and returns a remote shell.
        
        Seven configurable parameters exist:
            - changeToPost
            - url
            - method
            - injvar
            - data
            - separator
            - generateOnlyOne
        



xssBeef

    

        This plugin is an interface to aid with the exploitation of XSS vulnerabilities using beEF.
        
        Two configurable parameters exist:
            - beefURL
            - beefPasswd
            
        Please note that this plugin is only a "caller" to beef and:
            - You have to install beef
            - After running this plugin you have to infect other users with the URL provided by w3af
            - You have to open a browser and point it to your beef installation in order to manage zombies
        



localFileReader

    

        This plugin exploits local file inclusion and lets you "cat" every file you want.
        Remember, if the file is being read with an "include()" statement, you won't be able
        to read the source code of the script file; you will end up reading the result of the
        script interpretation. You can also use the "list" command to list all files inside
        the known paths.
        
        Six configurable parameters exist:
            - changeToPost
            - url
            - method
            - data
            - generateOnlyOne
        



rfiProxy

    

        This plugin exploits remote file inclusion vulnerabilities and returns a proxy object, proxy
        objects listen on a local port, and create a tunnel from the local machine to the remote
        end, where the connections are actually created.
        
        Five configurable parameters exist:
            - listenAddress
            - proxyPort
            - httpdPort
            - proxyPublicIP
            - rfiConnGenerator
        



remoteFileIncludeShell

    

        This plugin exploits remote file inclusion vulnerabilities and returns a remote shell. The
        exploitation can be done using a more classic approach, in which the file to be included
        is hosted on a webserver that the plugin runs, or a nicer approach, in which an XSS bug on
        the remote site is used to generate the remote file to be included. Both ways work and
        return a shell, but the one that uses XSS will work even when a restrictive firewall is
        configured at the remote site.
        
        Four configurable parameters exist:
            - listenAddress
            - listenPort
            - useXssBug
            - generateOnlyOne
        



davShell

    

        This plugin exploits WebDAV misconfigurations and returns a shell. It's rather simple: using the DAV method
        "PUT" the plugin uploads the corresponding webshell (php, asp, etc.), verifies that the shell is working, and if
        everything is working as expected the user can start typing commands.
        
        One configurable parameter exists:
            - URL (only used in fastExploit)
        



eval

    

        This plugin exploits eval() vulnerabilities and returns a remote shell.
        
        Six configurable parameters exist:
            - changeToPost
            - url
            - method
            - injvar
            - data
            - generateOnlyOne
        



fileUploadShell

    

        This plugin exploits insecure file uploads and returns a shell. It's rather simple: using a form
        the plugin uploads the corresponding webshell (php, asp, etc.), verifies that the shell is working, and if
        everything is working as expected the user can start typing commands.
        
        No configurable parameters exist.
        



sql_webshell

    

        This plugin exploits [blind] sql injections.
        
        The original sql_webshell program was coded by Bernardo Damele and Daniele Bellucci, many thanks to both of
        them.
        
        Seven configurable parameters exist:
            - url
            - method
            - data
            - injvar
            - equAlgorithm
            - equalLimit
        



output


htmlFile

    

        This plugin writes the framework messages to an HTML report file.
        
        Four configurable parameters exist:
            - fileName
            - verbose

        If you want to write every HTTP request/response to a text file, you should use the
        textFile plugin.
        



xmlFile

    

        This plugin writes the framework messages to an XML report file.
        
        Four configurable parameters exist:
            - fileName
        



textFile

    

        This plugin writes the framework messages to a text file.
        
        Four configurable parameters exist:
            - fileName
            - httpFileName
            - verbose
            - showCaller
        



console

    

        This plugin writes the framework messages to the console.
        
        One configurable parameter exists:
            - verbose
        



gtkOutput

    

        Saves messages to kb.kb.getData('gtkOutput', 'queue'), messages are saved in the form of
        objects. This plugin was created to be able to communicate with the gtkUi and should be
        enabled if you are using it.
        



mangle


sed

    

        This plugin is a stream editor for web requests and responses.
        
        Three configurable parameters exist:
            - priority
            - expressions
            - fixContentLen
        
        Stream editing expressions are strings that tell the sed plugin what to change. The sed
        plugin uses regular expressions; some examples:
            - qh/User/NotLuser/
                This will make sed search the re[q]uest [h]eaders for the string User and
                replace it with NotLuser.
                
            - sb/[fF]orm/form/
                This will make sed search the re[s]ponse [b]ody for the strings form or Form
                and replace them with form.
        
        Multiple expressions can be specified separated by commas. Since editing a body changes its
        size, fixContentLen controls whether the Content-Length header is recomputed after the edit.
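        The following is an added example, not the plugin's own code, of how such expressions can be
        parsed and applied in Python. It assumes the grammar shown above, <q|s><h|b>/regex/replacement/,
        with the trailing slash optional, and models headers as a dict; the fix_content_len flag plays
        the role of the fixContentLen parameter.

```python
import re

# Expression grammar, as assumed here from the examples in the plugin
# description: "<q|s><h|b>/<regex>/<replacement>/" where q = request,
# s = response, h = headers and b = body. The trailing slash is optional.
# A '/' inside the regex or the replacement is not supported by this grammar.
_EXPR_RE = re.compile(r'^([qs])([hb])/(.+?)/(.*?)/?$')


def parse_expressions(spec):
    """Parse a comma separated list of sed expressions.

    Returns a list of (target, where, compiled_regex, replacement) tuples,
    e.g. parse_expressions('qh/User/NotLuser/, sb/[fF]orm/form/').
    """
    rules = []
    for raw in spec.split(','):
        raw = raw.strip()
        if not raw:
            continue
        match = _EXPR_RE.match(raw)
        if match is None:
            raise ValueError('malformed sed expression: %r' % raw)
        target, where, pattern, replacement = match.groups()
        rules.append((target, where, re.compile(pattern), replacement))
    return rules


def apply_rules(rules, target, headers, body, fix_content_len=True):
    """Apply every rule whose target ('q' request or 's' response) matches.

    headers is a dict of header name -> value, body is a str. Header rules
    are applied to both the name and the value, so "qh/User/NotLuser/"
    turns "User-Agent" into "NotLuser-Agent". When fix_content_len is set
    (the fixContentLen option) the Content-Length header, if present, is
    recomputed, because body edits change its size.
    """
    headers = dict(headers)
    for rule_target, where, regex, replacement in rules:
        if rule_target != target:
            continue
        if where == 'h':
            headers = {regex.sub(replacement, name): regex.sub(replacement, value)
                       for name, value in headers.items()}
        else:
            body = regex.sub(replacement, body)
    if fix_content_len and 'Content-Length' in headers:
        headers['Content-Length'] = str(len(body.encode('utf-8')))
    return headers, body
```

        Request rules never touch responses and vice versa, and a malformed expression is rejected
        up front rather than silently ignored, which is the behaviour you want from anything that
        sits in the path of every request the scanner sends.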
        



discovery


webDiff

    

        This plugin tries to diff two directories, a local and a remote one. The idea is to
        mimic the functionality of the Linux "diff" command when it is invoked with two
        directories.
        
        Four configurable parameters exist:
            - localDir
            - remotePath
            - banUrl
            - content
            
        This plugin reads the file list inside "localDir" and, for each file, requests the
        same filename from "remotePath"; matches and failures are recorded and saved.
        The content of both files is compared only if "content" is set to True and the file
        extension is not in the "banUrl" list.
        
        The "banUrl" list should be used to ban script extensions like ASP and PHP: the server
        executes those files instead of returning their source, so their content never matches
        the local copy.
        



sitemapReader

    

        This plugin searches for the sitemap.xml file, and parses it.
        
        The sitemap.xml file is used by the site administrator to give the Google crawler (and
        other search engines) more information about the site. By parsing this file, the plugin
        finds new URLs and other useful information.
        



detectReverseProxy

    

        This plugin tries to determine if the remote end has a reverse proxy installed.
        
        The procedure used to detect reverse proxies is to send a request to the remote server and
        analyze the response headers: if a Via header is found, chances are that the remote site has
        a reverse proxy. The absence of that header proves nothing, since many proxies do not add it.
        



phpEggs

    

        This plugin tries to find the documented easter eggs that exist in PHP and identify
        the remote PHP version from the easter egg content. The eggs only answer when PHP's
        expose_php setting is enabled, so a miss does not prove that the server is not running PHP.
        The easter eggs that this plugin verifies are:
        
            - http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 ( PHP Credits )
            - http://php.net/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 ( PHP Logo )
            - http://php.net/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 ( Zend Logo )
            - http://php.net/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 ( PHP Logo 2 )
        



spiderMan

    

        This plugin is a local proxy that can be used to give the framework knowledge about the web
        application when it has a lot of client side code like Flash or Java applets. Whenever w3af needs to
        test an application with Flash or JavaScript, the user should enable this plugin and use a web browser
        to navigate the site through the spiderMan proxy.
        
        The proxy will extract information from the user's navigation and generate the necessary injection
        points for the audit plugins.
        
        Another feature of this plugin is to save the cookies that are sent by the web application, in order to be
        able to use them in other plugins. So if you have a web application with a cookie based session login,
        you should enable this plugin, do the login through the browser and then let the other plugins spider the
        rest of the application for you. Important note: if you also enable webSpider, configure it to ignore the
        "logout" link (see its ignoreRegex parameter), otherwise the spider will end your session.
        
        Two configurable parameters exist:
            - listenAddress
            - listenPort
        



urlFuzzer

    

        This plugin will try to find new URLs based on the input. If the input is for example:
            - http://a/a.html
            
        The plugin will request:
            - http://a/a.html.tgz
            - http://a/a.tgz
            - http://a/a.zip
            ... etc
        
        If the response is different from the 404 page (whatever it may be; automatic detection is
        performed, since many applications answer missing resources with a 200 and a custom page),
        then we have found a new URL. This plugin searches for backup files, source code
        and other common extensions.
        
        One configurable parameter exists:
            - fuzzImages
        



userDir

    

        This plugin will try to find user home directories based on the knowledge gained by other
        plugins, and an internal knowledge base. For example, if the target URL is:
            - http://test/
            
        And other plugins found these valid email addresses:
            - test@test.com
            - f00b4r@test.com
            
        This plugin will request:
            - http://test/~test/
            - http://test/test/
            - http://test/~f00b4r/
            - http://test/f00b4r/
        
        If the response is not a 404 error, then we have found a new URL and confirmed the
        existence of a user on the remote system. This plugin will also identify the remote operating
        system and installed applications based on the user names that are available.
        



findvhost

    

        This plugin uses the HTTP Host header to find new virtual hosts. For example, if the
        intranet page is hosted on the same server as the public page, and the web server
        is misconfigured, this plugin will discover that virtual host.
        
        Please note that this plugin doesn't use any DNS technique to find these virtual hosts.
        



fingerprint_os

    

        This plugin fingerprints the remote web server and tries to determine the
        Operating System family (Windows, Unix, etc.).

        The fingerprinting is (at this moment) really trivial, because it only
        uses one technique: the Windows path separator in the URL. For example, if the
        input URL is http://host.tld/abc/def.html then the plugin verifies whether the
        response for that resource and the one for http://host.tld/abc\def.html are the same;
        a match indicates that the server is running Windows, whose filesystem accepts
        both separators.
        



findBackdoor

    

        This plugin searches for web shells in the directories that are sent as input.
        For example, if the input is:
            - http://host.tld/w3af/f00b4r.php
            
        The plugin will perform these requests:
            - http://host.tld/w3af/c99.php
            - http://host.tld/w3af/cmd.php
            - http://host.tld/w3af/webshell.php
            ...
        



wordnet

    

        This plugin finds new URLs using WordNet.
        
        An example is the best way to explain what this plugin does, let's suppose that the input
        for this plugin is:
            - http://a/index.asp?color=blue
    
        The plugin will search the WordNet database for words that are related to "blue", and return for
        example: "black" and "white". So the plugin requests these two URLs:
            - http://a/index.asp?color=black
            - http://a/index.asp?color=white
        
        If the response for those URLs is not a 404 error and does not have the same body content as the
        original, then we have found a new URI. The WordNet database is bundled with w3af; more information
        about WordNet can be found at: http://wordnet.princeton.edu/
        



zone_h

    

        This plugin searches the zone-h.org defacement database and parses the result. The information
        stored in that database is useful to learn about previous defacements of the target website. In
        some cases, the defacement record names the exploited vulnerability, which may
        still be exploitable.
        



performance_testing

    

        



robotsReader

    

        This plugin searches for the robots.txt file, and parses it.
        
        This file is used as an ACL that defines which URLs a search engine may access.
        By parsing this file, you can get more information about the site: the paths an
        administrator asks crawlers to stay away from are often the most interesting ones.
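        As an added example (not w3af's robotsReader code), the following Python parser reads a
        constructed robots.txt, keeps the per-user-agent groups and turns the Disallow entries into
        concrete URLs to request; the sample file and the base URL http://host.tld/ are made up for
        the example.

```python
from urllib.parse import urljoin

# Constructed sample robots.txt for http://host.tld/ (not from any real site).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old database dumps
Disallow:
Sitemap: http://host.tld/sitemap.xml

User-agent: Googlebot
User-agent: bingbot
Disallow: /private/*
Allow: /private/public/
"""


def parse_robots(text):
    """Parse robots.txt into ({user_agent: {'allow': [...], 'disallow': [...]}}, sitemaps).

    Consecutive User-agent lines form one group that shares the rule lines
    that follow; a User-agent line after a rule line starts a new group.
    Comments (#) and lines without a colon are skipped.
    """
    groups = {}
    sitemaps = []
    current = []
    rule_seen = False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        field, value = line.split(':', 1)
        field, value = field.strip().lower(), value.strip()
        if field == 'user-agent':
            if rule_seen:
                current, rule_seen = [], False
            current.append(value)
            groups.setdefault(value, {'allow': [], 'disallow': []})
        elif field in ('allow', 'disallow'):
            rule_seen = True
            for agent in current:
                groups[agent][field].append(value)
        elif field == 'sitemap':
            sitemaps.append(value)
    return groups, sitemaps


def disallowed_urls(base_url, text):
    """Turn every Disallow entry into a concrete URL worth requesting.

    An empty Disallow means "allow everything" and '/' hides nothing
    specific, so both are skipped; a wildcard pattern such as /private/*
    is reduced to its literal prefix.
    """
    groups, sitemaps = parse_robots(text)
    urls = []
    for rules in groups.values():
        for path in rules['disallow']:
            prefix = path.split('*', 1)[0].split('$', 1)[0]
            if prefix in ('', '/'):
                continue
            url = urljoin(base_url, prefix)
            if url not in urls:
                urls.append(url)
    return urls, sitemaps
```

        The Sitemap lines are returned separately because they are input for the sitemapReader
        step rather than URLs to probe directly.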
        



sharedHosting

    

        This plugin tries to find out if the web application under test is hosted on shared hosting.
        The procedure is pretty simple: using the MSN search engine, the plugin searches for "ip:1.2.3.4"
        where 1.2.3.4 is the IP address of the web server; every other domain in the results shares
        that server.
        
        One configurable option exists:
            - resultLimit
            
        The plugin fetches the first "resultLimit" results from the "ip:" MSN search.
        



afd

    

        This plugin sends custom requests to the remote web server in order to verify if the
        remote network is protected by an IPS or WAF.
        
        The afd plugin detects both TCP-connection-reset and HTTP-level filters. The first one (usually
        implemented by IPS devices) is easy to verify: if afd requests the custom page and the GET
        raises an exception, then it is probably being blocked by an active filter. The second
        one (usually implemented by Web Application Firewalls like mod_security) is a little harder
        to verify: first afd requests a page without adding any offending parameters, afterwards it
        requests the same URL with a faked parameter and customized (attack-like) values; if the response
        bodies differ, then it is safe to say that the remote end has an active filter.
        



allowedMethods

    

        This plugin finds what HTTP methods are enabled for a URI.
        
        Two configurable parameters exist:
            - execOneTime
            - reportDavOnly
        
        If "execOneTime" is set to True, then only the methods allowed on the webroot are enumerated,
        instead of repeating the check for every URI.
        If "reportDavOnly" is set to True, this plugin will only report the enabled method list if DAV methods
        have been found.
        
        The plugin will try to use the OPTIONS method to enumerate all available methods; if that fails, a manual
        enumeration is done.
        



phpinfo

    

        This plugin searches for the PHP info file in all the directories and subdirectories that are sent as input
        and, if it finds one, will try to determine the PHP version.
        The PHP info file holds information about PHP and the system (version, environment, modules, extensions,
        compilation options, etc). For example, if the input is:
            - http://localhost/w3af/index.php
            
        The plugin will perform these requests:
            - http://localhost/w3af/phpinfo.php
            - http://localhost/phpinfo.php
            - ...
            - http://localhost/test.php?mode=phpinfo
        



importResults

    

        This plugin serves as an entry point for the results of other tools that search for URLs.
        The plugin reads a comma-separated input file whose lines hold the following data:
        HTTP-METHOD,URI,POSTDATA.
        
        One configurable parameter exists:
            - input_file
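        An added example, not the plugin's own parser, of reading that input format in Python. It
        assumes the three fields are separated by commas and that POSTDATA may itself contain commas,
        so a line is split at most twice; the sample file content is constructed.

```python
# Constructed sample input file (not produced by any real tool).
SAMPLE_IMPORT = """\
# method,uri,postdata
GET,http://host.tld/index.php,
POST,http://host.tld/login.php,user=admin&pass=a,b
GET,http://host.tld/search.php?q=1
"""

_METHODS = ('GET', 'POST', 'PUT', 'DELETE', 'HEAD', 'OPTIONS')


def parse_import_file(text):
    """Parse HTTP-METHOD,URI,POSTDATA lines into (method, uri, postdata) tuples.

    The line is split on commas at most twice, because POSTDATA is free form
    and may itself contain commas (a naive csv split would cut
    "user=admin&pass=a,b" in half). A missing third field means no body;
    blank lines and '#' comments are skipped; an unknown method or a URI
    without a scheme is rejected with the offending line number.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(',', 2)
        if len(parts) < 2:
            raise ValueError('line %d: expected HTTP-METHOD,URI[,POSTDATA]' % lineno)
        method = parts[0].strip().upper()
        uri = parts[1].strip()
        postdata = parts[2] if len(parts) == 3 else ''
        if method not in _METHODS:
            raise ValueError('line %d: unknown HTTP method %r' % (lineno, parts[0]))
        if not uri.startswith(('http://', 'https://')):
            raise ValueError('line %d: URI must be absolute: %r' % (lineno, uri))
        entries.append((method, uri, postdata))
    return entries
```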
        



findCaptchas

    

        This plugin finds any CAPTCHA images that appear in an HTML document. The
        discovery is performed by requesting the document two times and comparing the
        hashes of the images; if they differ, the image may be a CAPTCHA.
        



serverStatus

    

        This plugin fetches the server-status file used by Apache, and parses it. After parsing, new
        URLs are found, and in some cases the plugin can deduce the existence of other domains
        hosted on the same server.
        



oracleDiscovery

    

        This plugin fetches some Oracle Application Server URLs and parses the information
        available on them.
        



yahooSiteExplorer

    

        This plugin finds new URLs using Yahoo Site Explorer. It will search for "domain.com" and perform GET
        requests to all the URLs found in the result.
        
        One configurable parameter exists:
            - resultLimit
        



frontpage_version

    

        This plugin searches for the FrontPage Server Info file and, if it finds it, will try to
        determine the version of the FrontPage Server Extensions. The file is located inside the
        web server webroot. For example:
        
            - http://localhost/_vti_inf.html
        



detectTransparentProxy

    

        This plugin tries to detect transparent proxies.
        
        The procedure for detecting transparent proxies is simple: the plugin tries to connect to port 80
        on a series of IP addresses; if all of them accept the connection, it is the proxy server that is
        answering rather than the hosts themselves.
        



dnsWildcard

    

        This plugin compares the contents of www.site.com and site.com and tries to verify whether the target
        site has a DNS wildcard configuration or not.
        



webSpider

    

        This plugin is a classic web spider, it will request a URL and extract all links and forms
        from the response.
    
        Four configurable parameters exist:
            - onlyForward
            - ignoreRegex
            - followRegex
            - urlParameter

        ignoreRegex and followRegex are commonly used to configure the webSpider to spider
        all URLs except the "logout" link or some other more exciting link like "Reboot Appliance"
        that would make the w3af run finish without the expected result.
        
        By default ignoreRegex is 'None' (nothing is ignored) and followRegex is '.*' (everything is
        followed). Both are normal regular expressions that are compiled with
        Python's re module.
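        The following is an added example (not the webSpider code) of the extraction and filtering
        step in Python: it pulls links and forms out of a constructed HTML page, assumed to have been
        fetched from http://host.tld/app/index.html, and applies onlyForward, ignoreRegex and
        followRegex to the result. Off-host links are dropped and fragments stripped, details the
        plugin description does not spell out.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page, assumed to live at http://host.tld/app/index.html
# (not captured from any real site).
SAMPLE_HTML = """
<html><body>
<a href="users/list.php?id=1">Users</a>
<a href="users/list.php?id=1#top">Users (anchor)</a>
<a href="logout.php">Logout</a>
<a href="/admin/">Admin</a>
<a href="http://other.example/x">External</a>
<img src="img/logo.png">
<form method="post" action="login.php"><input name="user"></form>
</body></html>
"""


class _LinkFormExtractor(HTMLParser):
    """Collect href/src targets and form targets from one HTML response."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ('a', 'link') and attrs.get('href'):
            self.links.append(attrs['href'])
        elif tag in ('img', 'script', 'iframe', 'frame') and attrs.get('src'):
            self.links.append(attrs['src'])
        elif tag == 'form':
            self.forms.append((attrs.get('method', 'GET').upper(),
                               attrs.get('action', '')))


def spider_page(base_url, html, only_forward=True, ignore_regex=None,
                follow_regex='.*'):
    """Return (urls, forms) found in one response, filtered like webSpider.

    only_forward keeps only URLs below base_url's directory, ignore_regex
    drops URLs it matches (None: nothing is ignored) and follow_regex keeps
    only URLs it matches ('.*': everything is followed). Off-host links are
    dropped and fragments stripped so the same page is not queued twice.
    """
    extractor = _LinkFormExtractor()
    extractor.feed(html)
    ignore = re.compile(ignore_regex) if ignore_regex else None
    follow = re.compile(follow_regex)
    base = urlparse(base_url)
    base_dir = base.path.rsplit('/', 1)[0] + '/'

    urls = []
    for href in extractor.links:
        url = urljoin(base_url, href).split('#', 1)[0]
        parsed = urlparse(url)
        if parsed.netloc != base.netloc:
            continue
        if only_forward and not parsed.path.startswith(base_dir):
            continue
        if ignore is not None and ignore.search(url):
            continue
        if not follow.search(url):
            continue
        if url not in urls:
            urls.append(url)
    forms = [(method, urljoin(base_url, action))
             for method, action in extractor.forms]
    return urls, forms
```

        Note that ignoreRegex is applied to the absolute URL, so a pattern such as logout matches
        regardless of how the link was written in the page.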
        



fingerMSN

    

        This plugin finds mail addresses in MSN search engine.
        
        One configurable parameter exists:
            - resultLimit
        
        This plugin searches MSN for "@domain.com", requests all search results and parses them in order
        to find new mail addresses.
        



googleSets

    

        This plugin finds new URLs using Google Sets.
        
        Two configurable parameters exist:
            - resultLimit
            - setResults
        
        An example is the best way to explain what this plugin does, let's suppose that the input
        for this plugin is:
            - http://a/index.asp?color=blue
            - http://a/index.asp?color=red
    
        The plugin will search Google Sets for a set that contains the words "blue" and "red", and the result
        will be, for example, "black" and "white". So the plugin requests these two URLs:
            - http://a/index.asp?color=black
            - http://a/index.asp?color=white
        
        If the response for those URLs is not a 404 error and does not have the same body content as the
        original, then we have found a new URI.
        



digitSum

    

        This plugin tries to find new URLs by changing the numbers that are present in them.
        
        Two configurable parameters exist:
            - fuzzImages
            - maxDigitSections
        
        An example will clarify what this plugin does, let's suppose that the input for this plugin is:
            - http://host.tld/index1.asp
            
        This plugin will request:
            - http://host.tld/index0.asp
            - http://host.tld/index2.asp
            
        If the response for the newly generated URLs is not a 404 error, then the new URL is a valid one that
        may contain more information and injection points.
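        An added example, not the code of either plugin, showing in Python the URL mutation that
        urlFuzzer and digitSum perform. The suffix list and the image extension list are assumed and
        shortened, and maxDigitSections is interpreted as "change only the first N runs of digits";
        whether a candidate is really new still has to be decided by comparing its response with the
        server's 404 page, which the example leaves to the caller.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed, shortened lists; the plugins' own wordlists are longer.
BACKUP_SUFFIXES = ('.tgz', '.zip', '.bak', '.old', '~')
IMAGE_EXTENSIONS = ('.png', '.jpg', '.jpeg', '.gif', '.ico')
_DIGIT_RUN = re.compile(r'\d+')


def _is_image(path):
    return path.lower().endswith(IMAGE_EXTENSIONS)


def _with_path(url, new_path):
    """Return url with its path component replaced, query string kept."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=new_path))


def backup_candidates(url, fuzz_images=False):
    """urlFuzzer style: for http://a/a.html return http://a/a.html.tgz,
    http://a/a.tgz, http://a/a.html.zip, http://a/a.zip, ... Directories and
    (unless fuzz_images is set) image files are left alone."""
    path = urlsplit(url).path
    if '/' not in path or path.endswith('/'):
        return []
    if not fuzz_images and _is_image(path):
        return []
    directory, filename = path.rsplit('/', 1)
    stem = filename.rsplit('.', 1)[0] if '.' in filename else filename
    out = []
    for suffix in BACKUP_SUFFIXES:
        for name in (filename + suffix, stem + suffix):
            candidate = _with_path(url, directory + '/' + name)
            if name != filename and candidate not in out:
                out.append(candidate)
    return out


def digit_candidates(url, max_digit_sections=1, fuzz_images=False):
    """digitSum style: for http://host.tld/index1.asp return
    http://host.tld/index0.asp and http://host.tld/index2.asp. Only the
    first max_digit_sections runs of digits in the path are changed, zero
    padding is preserved and negative numbers are never generated."""
    path = urlsplit(url).path
    if not fuzz_images and _is_image(path):
        return []
    out = []
    for index, match in enumerate(_DIGIT_RUN.finditer(path)):
        if index >= max_digit_sections:
            break
        number = int(match.group())
        for value in (number - 1, number + 1):
            if value < 0:
                continue
            new_number = str(value).zfill(len(match.group()))
            new_path = path[:match.start()] + new_number + path[match.end():]
            out.append(_with_path(url, new_path))
    return out
```

        Both generators work on the path only, so query string parameters are carried along
        unchanged; mutating numbers in parameters is the job of the audit plugins, not of discovery.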
        



halberd

    

        This plugin tries to detect whether an HTTP load balancer is present.
        



domain_dot

    

        This plugin finds misconfigurations in the virtual host settings by sending a specially crafted
        request with a trailing dot in the domain name. For example, if the input for this plugin is
        http://host.tld/ , the plugin will perform a request to http://host.tld./ .
        
        In some misconfigurations, the attacker is able to read the web application source code by
        requesting any of the files through the "dotted" domain like this:
            - http://host.tld./login.php
        



MSNSpider

    

        This plugin finds new URLs using the MSN search engine.
        
        One configurable parameter exists:
            - resultLimit
        
        This plugin searches MSN for the target domain, requests all the search results that belong
        to it and parses them in order to find new URLs.
        



fingerprint_WAF

    

        This plugin tries to fingerprint the Web Application Firewall that is running on the remote end.
        
        Please note that the detection of the WAF is performed by the discovery.afd plugin (afd stands
        for Active Filter Detection); this plugin only identifies the product.
        



serverHeader

    

        This plugin retrieves the Server header and saves the result to the knowledge base.
        
        Nothing strange, just a GET request to the URL, saving the Server header
        to the kb. Since that header can be changed or removed by the administrator, a smarter way to
        check the server type is with the hmap plugin.
        



wsdlFinder

    

        This plugin finds new web service descriptions and other web service related files
        by appending "?WSDL" to all URL's and checking the response.
        



pykto

    

        This plugin is a nikto port to Python.
        It uses the scan_database file from nikto to search for new and vulnerable URLs.
        
        Eight configurable parameters exist:
            - updateScandb
            - cgiDirs
            - adminDirs
            - nukeDirs
            - dbFile
            - extra_db_file
            - mutateTests
            - genericScan
        
        This plugin reads every line in the scan_database (and extra_db_file) and based on the configuration
        ( "cgiDirs", "adminDirs" , "nukeDirs" and "genericScan" ) it performs requests to the remote server
        searching for common files that may contain vulnerabilities.
        



crossDomain

    

        This plugin searches for the crossdomain.xml file used by Flash, and parses it.
        
        The crossdomain.xml file is used by Flash as an ACL that defines which domains may make
        cross-domain requests to the domain that serves the file from its webroot. By parsing this
        file, you can get more information about relationships between sites and find insecure
        configurations, such as a policy that allows any domain ("*").
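        As an added example (not the crossDomain plugin itself), the following Python parses a
        constructed crossdomain.xml policy with the standard library and flags the configurations a
        reviewer would call insecure: a wildcard domain, a subdomain wildcard, secure="false" and an
        unrestricted allow-http-request-headers-from element.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from any real site).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.partner.example" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""


def parse_crossdomain(xml_text):
    """Return (allowed_domains, findings) for a crossdomain.xml policy.

    Flash honours this file as an ACL: every domain listed may make
    credentialed cross-domain requests to the serving host and read the
    responses, so wildcards are flagged as insecure.
    """
    root = ET.fromstring(xml_text)
    if root.tag != 'cross-domain-policy':
        raise ValueError('not a cross-domain-policy document')
    domains = []
    findings = []
    for el in root.iter('allow-access-from'):
        domain = el.get('domain', '')
        domains.append(domain)
        if domain == '*':
            findings.append('domain="*": any site can read responses with the victim\'s cookies')
        elif domain.startswith('*'):
            findings.append('domain="%s": every matching subdomain is trusted' % domain)
        if el.get('secure', 'true').lower() == 'false':
            findings.append('secure="false" on %s: plain HTTP origins may use an HTTPS policy' % domain)
    for el in root.iter('allow-http-request-headers-from'):
        if el.get('domain') == '*' and el.get('headers', '').strip() == '*':
            findings.append('any domain may send arbitrary request headers')
    return domains, findings
```

        The same check is worth running against every site the policy names, since a trusted partner
        with a weak policy of its own extends the exposure transitively.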
        



fingerPKS

    

        This plugin finds mail addresses on PGP public key servers (PKS).
        



googleSpider

    

        This plugin finds new URLs using Google. It will search for "site:domain.com" and perform GET
        requests to all the URLs found in the result.
        
        Two configurable parameters exist:
            - resultLimit
            - key
        
        Only the *old* Google API keys are valid.
        



hmap

    

        This plugin fingerprints the remote web server and tries to determine the
        server type, version and patch level. It uses fingerprinting, not just the Server
        header returned by remote server. This plugin is a wrapper for Dustin Lee's hmap.
        
        One configurable parameter exists:
            - genFpF
            
        If genFpF is set to True, a fingerprint file is generated. Fingerprint files are
        used to identify web servers, if you generate new files please send them
        to w3af.project@gmail.com so we can add them to the framework.
        
        One important thing to notice is that hmap connects directly to the remote web
        server, without using the framework HTTP configurations (like proxy or authentication).
        



phishtank

    

        This plugin searches for the domain being tested in the PhishTank database.
        If your site is in this database, chances are that it was hacked and your server is now being
        used in phishing attacks.
        
        Two configurable parameters exist:
            - dbFile
            - updateDB
        



fingerGoogle

    

        This plugin finds mail addresses in google.
        
        Three configurable parameters exist:
            - key
            - resultLimit
            - fastSearch
        
        If fastSearch is set to False, this plugin searches Google for "@domain.com", requests all
        search results and parses them in order to find new mail addresses. If the fastSearch
        configuration parameter is set to True, only mail addresses that appear on the Google
        result page are parsed and added to the list; the result links aren't visited.
        
        Only the *old* Google API keys are valid.
        



dotNetErrors

    

        This plugin requests specially crafted URLs that generate ASP.NET errors in order to gather information
        like the ASP.NET version. Some examples of URLs that generate errors are:
            - default|.aspx
            - default~.aspx
        



archiveDotOrg

    

        This plugin searches archive.org and parses the results. It then uses them to find new URLs in the
        target site, including ones that existed in the past and are no longer linked. This plugin is a
        time machine!
        



ghdb

    

        This plugin finds possible vulnerabilities using Google.
        
        Three configurable parameters exist:
            - resultLimit
            - updateGHDB
            - key
        
        Using the Google Hacking Database (GHDB) released by Johnny Long, this plugin searches Google for
        possible vulnerabilities in the domain being tested.
        

