w3af - Plugins
This is the list of plugins that are available in w3af, if you have any comments or feature requests, don't hesitate to send them to the w3af mailing list. A list of features provided by the framework is available here.
audit
xsrf
htaccessMethods
sqli
sslCertificate
fileUpload
mxInjection
generic
localFileInclude
unSSL
xpath
osCommanding
remoteFileInclude
dav
ssi
buffOverflow
xss
xst
blindSqli
formatString
preg_replace
globalRedirect
LDAPi
phishingVector
frontpage
responseSplitting
bruteforce
formAuthBrute
basicAuthBrute
grep
pathDisclosure
codeDisclosure
blankBody
metaTags
motw
privateIP
directoryIndexing
svnUsers
fileUpload
hashFind
getMails
httpAuthDetect
wsdlGreper
newline
passwordProfiling
domXss
ajax
findComments
strangeHeaders
lang
errorPages
collectCookies
strangeParameters
error500
objects
oracle
feeds
evasion
rndPath
selfReference
modsecurity
rndParam
rndHexEncode
reversedSlashes
fullWidthEncode
rndCase
output
htmlFile
webOutput
textFile
console
gtkOutput
mangle
sed
discovery
webDiff
sitemapReader
detectReverseProxy
phpEggs
spiderMan
localProxy
urlFuzzer
userDir
googleSpider
findBackdoor
wordnet
robotsReader
afd
allowedMethods
findCaptchas
serverStatus
oracleDiscovery
yahooSiteExplorer
detectTransparentProxy
mailer
dnsWildcard
webSpider
fingerMSN
googleSets
digitSum
halberd
sharedHosting
MSNSpider
serverHeader
googleSafeBrowsing
wsdlFinder
pykto
crossDomain
fingerPKS
findvhost
hmap
phishtank
fingerGoogle
detectWAF
web20Spider
archiveDotOrg
ghdb
audit
xsrf
This plugin will find Cross Site Request Forgeries (XSRF) vulnerabilities on the web application.
The simplest type of XSRF is checked, to be vulnerable, the web application must have sent a permanent
cookie, and the aplicacion must have query string parameters.
top
htaccessMethods
This plugin will find htaccess misconfiguration in the LIMIT configuration parameter.
This plugin is based on a paper written by Frame and madjoker from
kernelpanik.org. The paper is called : "htaccess: bilbao method exposed"
The idea of this method (and the plugin) is to exploit common misconfigurations
of .htaccess files like this one:
<LIMIT GET>
require valid-used
</LIMIT>
The misconfiguration above is that using other methods an unauthorized user
can still obtain the information from that directory.
top
sqli
This plugin finds SQL injections. To find this vulnerabilities the plugin sends the string d'z"0 to every
injection point, and searches for SQL errors in the response body.
top
sslCertificate
This plugin audits SSL certificate parameters.
Note: It's only usefull when testing HTTPS sites.
top
fileUpload
This plugin will try to expoit insecure file upload forms.
One configurable parameter exists:
- extensions
The extensions parameter is a comma separated list of extensions that this plugin will try to upload. Many web applications
verify the extension of the file being uploaded, if special extensions are required, they can be added here.
Some web applications check the contents of the files being uploaded to see if they are really what their extension
is telling. To bypass this check, this plugin uses file templates located at "plugins/audit/fileUpload/", this templates
are valid files for each extension that have a section ( the comment field in a gif file for example ) that can be replaced
by scripting code ( PHP, ASP, etc ).
After uploading the file, this plugin will try to find it on common directories like "upload" and "files" on every know directory.
If the file is found, a vulnerability exists.
top
mxInjection
This plugin will find MX injections. This kind of web application errors are mostly seen in webmail software.
The tests are simple, for every injectable parameter a string with special meaning in the mail server is sent, and if
in the response I find a mail server error, a vulnerability was found.
top
generic
This plugin finds all kind of bugs without using a fixed database of errors. This is a new
kind of methodology that solves the main problem of most web application security scanners.
top
localFileInclude
This plugin will find local file include vulnerabilities. This is done by sending to all injectable parameters
file paths like "../../../../../etc/passwd" and searching in the response for strings like "root:x:0:0:".
top
unSSL
This plugin verifies that URL's that are available using HTTPS aren't available over an insecure
HTTP protocol.
To detect this, the plugin simply requests "https://abc/a.asp" and "http://abc.asp" and if both are
equal, a vulnerability is found.
top
xpath
This plugin finds XPATH injections.
To find this vulnerabilities the plugin sends the string "d'z'0" to every injection point, and searches the response
for XPATH errors.
top
osCommanding
This plugin will find OS commanding vulnerabilities. The detection is done by sending a command that if successfully executed
delays the response for 5 seconds (ping -c 5 localhost), and analyzing the response time. If the server responds in 5 seconds
or more, then the aplication has an OS commanding vulnerability.
This plugin has a rather long list of command separators, like ";" and "`" to try to match all programming languages, platforms and
installations.
top
remoteFileInclude
This plugin will find remote file inclusion vulnerabilities.
Five configurable parameters exist:
- rfiUrl
- rfiResult
- listenAddress
- listenPort
- usew3afSite
This plugin will send the value of "rfiUrl" to each injctable parameter, and search for "rfiResult" in the response.
There are two ways of running this plugin, one is the most common one, by using the w3af site ( w3af.sf.net ) as
the place from where the web application will fetch the remote file. The other way to test for inclusion is to run a
webserver on the machine that is sending the tests, this is configured using the "listenAddress" and "listenPort"
parameters.
Configuring True in "usew3afSite" will automatically configure all the other variables.
top
dav
This plugin will find webdav configuration errors. This errors are generally server configuration errors rather
than a web application error. To check for vulnerabilities of this kind, the plugin will try to PUT a file on a directory
that has webDav enabled, if the file is uploaded successfully, then we have found a bug.
top
ssi
This plugin finds server side include (SSI) vulnerabilities.
top
buffOverflow
This plugin will find buffer overflow vulnerabilities.
Users have to know that detecting a buffer overflow vulnerability will be only possible if the server is configured
to return errors, and the application is developed in cgi-c or some other language that allows the programmer to
do their own memory management.
top
xss
This plugin finds Cross Site Scripting (XSS) vulnerabilities.
Two configurable parameters exist:
- checkPersistent
- checkLevel
To find XSS bugs the plugin will send a set of java-scripts to every injection point, and search for that input in the
response. The parameter "checkPersistent" configures the plugin to store all data sent to the web application and
at the end, request all pages again searching for that input; the checkLevel determines how many javascript
strings are sent to every injection point.
top
xst
This plugin finds the Cross Site Tracing (XST) vulnerability.
No Configurable Paramaters.
The TRACE method echos back requests sent to it. This plugin sends a
TRACE request to the server and if the request is echoed back then XST
is confirmed.
top
blindSqli
This plugin finds blind sql injections.
Two configurable parameters exist:
- equAlgorithm
- equalLimit
The equAlgorithm parameter configures how the comparison of pages is done, the options for equAlgorithm are:
- stringEq
- setIntersection
- intelligentCut
The classic way of matching two strings is "stringEq" , in python this is "string1 == string2" , but other ways have been
developed for sites that have changing banners and random data on their HTML response. "setIntersection" will create
two different sets with the words inside the two HTML responses, and do an intersection. If number of words that are
in the intersection set divided by the total words are more than "equalLimit", then the responses are equal.
"intelligentCut" aint implemented yet.
top
formatString
This plugin will find format string bugs.
Users have to know that detecting a format string vulnerability will be only possible if the server is configured
to return errors, and the application is developed in cgi-c or some other language that allows the programmer to
do this kind of mistakes.
top
preg_replace
This plugin will find preg_replace vulnerabilities. This PHP function is vulnerable when the user
can control the regular expression or the content of the string being analyzed and the regular expression
has the 'e' modifier.
Right now this plugin will only find preg_replace vulnerabilities when PHP is configured to show errors,
but a new version will find "blind" preg_replace errors .
top
globalRedirect
This plugin will find global redirection bugs. This kind of bugs are used for phishing and other identity theft
attacks. A common example of a global redirection would be a script that takes a "url" parameter and when
requesting this page, a HTTP 302 message with the location header to the value of the url parameter is sent in
the response.
Global redirection bugs can be found in javascript, META tags and 302 / 301 HTTP return codes.
top
LDAPi
This plugin will find LDAP injections.
top
phishingVector
This plugins finds phishing vectors in web applications, for example, a bug of this type is found
if I request the URL "http://www.XXX.com/asd.asp?info=http://www.google.com" and in the response
HTML the web application sends:
...
<iframe src="http://www.google.com">
....
top
frontpage
This plugin will audits the frontpage extension configuration by trying to upload a file to the remote server using the author.dll program.
top
responseSplitting
This plugin will find response splitting vulnerabilities.
The detection is done by sending "w3af
Vulnerable: Yes" to every injection point, and reading the
response headers searching for a header with name "Vulnerable" and value "Yes".
top
bruteforce
formAuthBrute
This plugin bruteforces form authentication logins.
Nine configurable parameters exist:
- usersFile
- stopOnFirst
- passwdFile
- passEqUser
- useMailUsers
- useSvnUsers
- useMails
- useProfiling
- profilingNumber
This plugin will take users from the file pointed by "usersFile", mail users found on the site ( if "useMailUsers" is
set to True ), mails found on the site ( if "useMails" is set to True ), and svn users found on the site ( if "useSvnUsers"
is set to True ).
This plugin will take passwords from the file pointed by "passwdFile" and the result of the password profiling plugin
( if "useProfiling" is set to True). The profilingNumber sets the number of results from the password profiling plugin
to use in the password field.
The "stopOnFirst" parameter indicates if the bruteforce will stop when finding the first valid credentials or not.
top
basicAuthBrute
This plugin bruteforces basic authentication logins.
Nine configurable parameters exist:
- usersFile
- stopOnFirst
- passwdFile
- passEqUser
- useMailUsers
- useSvnUsers
- useMails
- useProfiling
- profilingNumber
This plugin will take users from the file pointed by "usersFile", mail users found on the site ( if "useMailUsers" is
set to True ), mails found on the site ( if "useMails" is set to True ), and svn users found on the site ( if "useSvnUsers"
is set to True ).
This plugin will take passwords from the file pointed by "passwdFile" and the result of the password profiling plugin
( if "useProfiling" is set to True). The profilingNumber sets the number of results from the password profiling plugin
to use in the password field.
The "stopOnFirst" parameter indicates if the bruteforce will stop when finding the first valid credentials or not.
top
grep
pathDisclosure
This plugin greps every page for traces of path disclosure problems.
top
codeDisclosure
This plugin greps every page in order to find code disclosures. Basically it greps for
'<?.*?>' and '<%.*%>' using the re module and reports findings.
top
blankBody
This plugin finds blank body responses, this responses may indicate errors and misconfigurations.
top
metaTags
This plugin greps every page for interesting meta tags. Some interesting meta tags are the ones
that contain : 'microsoft', 'visual', 'linux' .
top
motw
This plugin will specify whether the page is compliant against the MOTW standard. The standard is explained in:
- http://msdn2.microsoft.com/en-us/library/ms537628.aspx
This plugin tests if the length of the URL specified by "(XYZW)" is lower, equal or greater than the length of the
URL; and also reports the existance of this tag in the body of all analyzed pages.
One configurable parameter exists:
- withoutMOTW
If "withoutMOTW" is enabled, the plugin will show all URLs that don't contain a MOTW.
top
privateIP
This plugin greps every page body and headers for private IP addresses.
top
directoryIndexing
This plugin greps every response directory indexing problems.
top
svnUsers
This plugin greps every page for users of the versioning system. Sometimes the HTML pages are
versioned using CVS or SVN, if the header of the versioning system is saved as a comment in this page,
the user that edited the page will be saved on that header and will be added to the knowledgeBase.
top
fileUpload
This plugin greps every page for forms with file upload capabilities.
top
hashFind
This plugin identifies hashes in HTTP responses.
top
getMails
This plugin greps every page for mails, this mails can be later used for bruteforce plugins and are
of great value when doing a complete penetration test.
top
httpAuthDetect
This plugin greps every page and finds responses that indicate that the resource requires
authentication.
top
wsdlGreper
This plugin greps every page for WSDL definitions.
Not all wsdls are found appending "?WSDL" to the url like discovery.wsdlFinder
plugin does, this grep plugin will find some wsdl's that arent found by the
discovery plugin.
top
newline
This plugin identifies the type of newline used in every page. At the end, it will report if a page was
generated using a Windows, Linux or Mac editor; or maybe a combination of two.
Note: I dont know if this plugin has any real use... but it was one of a group of many ideas...
maybe sometime this rather useless plugin will raise from the dead and tell us what it's purpose is.
top
passwordProfiling
This plugin creates a list of possible passwords by reading responses and counting the most
common words.
top
domXss
This plugin greps every page for traces of DOM XSS. An interesting paper about DOM XSS
can be found here : http://www.webappsec.org/projects/articles/071105.shtml .
top
ajax
This plugin greps every page for traces of Ajax code.
top
findComments
This plugin greps every page for comments, special comments like the ones containing the words
"password" or "user" are specially reported.
top
strangeHeaders
This plugin greps all headers for non-common headers. This could be usefull to identify special modules
and features added to the server.
top
lang
This plugin reads N pages and determines the language the site is written in. This is done
by saving a list of prepositions in different languages, and counting the number of matches
on every page.
top
errorPages
This plugin greps every page for error Pages.
top
collectCookies
This plugin greps every response for session cookies that the web app sends to the client.
top
strangeParameters
This plugin greps all responses and tries to identify URIs with strange parameters, some examples of strange
parameters are:
- http://a/?b=method(a,c)
- http://a/?c=x|y|z|d
top
error500
This plugin greps every page for error 500 pages that havent been catched by other plugins. By enabling this,
you are enabling a "safety net" that will catch all bugs that havent been catched by other plugins.
top
objects
This plugin greps every page for applets and other types of objects.
top
oracle
This plugin greps every page for oracle messages, versions, etc.
top
feeds
This plugin greps every page and finds rss, atom, opml feeds on them. This may be usefull for
determining the feed generator and with that, the framework being used. Also this will be helpfull
for testing feed injection.
top
evasion
rndPath
This evasion plugin adds a random path to the URI.
Example:
Input: '/bar/foo.asp'
Output : '/aflsasfasfkn/../bar/foo.asp'
top
selfReference
This evasion plugin adds a directory self reference.
Example:
Input: '/bar/foo.asp'
Output : '/bar/./foo.asp'
top
modsecurity
This evasion plugin performs mod_security <= 2.1.0 bypass described here:
- http://www.php-security.org/MOPB/BONUS-12-2007.html
Important: The evasion only works for postdata.
Example:
Postdata Input: 'a=b'
Postdata Output : '�a=b'
top
rndParam
This evasion plugin adds a random parameter.
Example:
Input: '/bar/foo.asp'
Output : '/bar/foo.asp?alsfkj=f09'
top
rndHexEncode
This evasion plugin adds random hex encoding.
Example:
Input: '/bar/foo.asp'
Output : '/b%61r/%66oo.asp'
top
reversedSlashes
This evasion plugin changes the slashes from / to \ .
Example:
Input: '/bar/foo.asp'
Output : '\bar\foo.asp'
top
fullWidthEncode
This evasion plugin does full width encoding as described here:
- http://www.kb.cert.org/vuls/id/739224
Example:
Input: '/bar/foo.asp'
Output : '/b%uFF61r/%uFF66oo.asp'
top
rndCase
This evasion plugin changes the case of random letters.
Example:
Input: '/bar/foo.asp'
Output : '/BAr/foO.Asp'
top
output
htmlFile
This plugin writes the framework messages to an HTML report file.
Four configurable parameters exist:
- fileName
- httpFileName
- reportDebug
- verbosity
top
webOutput
This plugin writes the framework messages to a cache, where the webUI can then read the data
to show to the user in the client browser. This plugin is the "glue" that joins w3af and the client browser.
You should only enable it if you are running a webUI or testing something wierd.
Note: When you run w3af with the "-w" flag ( web ), this plugin is auto-enabled.
top
textFile
This plugin writes the framework messages to a text file.
Four configurable parameters exist:
- fileName
- httpFileName
- verbosity
- showCaller
top
console
This plugin writes the framework messages to the console.
top
gtkOutput
Saves messages to kb.kb.getData('gtkOutput', 'queue'), messages are saved in the form of objects. This plugin
was created to be able to communicate with the gtkUi and should be enabled if you are using it.
top
mangle
sed
This plugin is a stream editor for web requests and responses.
Three configurable parameters exist:
- priority
- expressions
- fixContentLen
Stream edition expressions are strings that tell the sed plugin what to change. Sed plugin uses regular expressions,
some examples:
- qh/User/NotLuser/ ; This will make sed search in the the re[q]uest [h]eader for the string User and replace it with NotLuser.
- sb/[fF]orm/form ; This will make sed search in the re[s]ponse [b]ody for the strings form or Form and replace it with form.
Multiple expressions can be specified separated by commas.
top
discovery
webDiff
This plugin tries to do a diff of two directories, a local and a remote one. The idea is to
mimic the functionality implemented by the linux command "diff" when invoced with two
directories.
Four configurable parameter exist:
- localDir
- remotePath
- banUrl
- content
This plugin will read the file list inside "localDir", and for each file it will request the same filename
from the "remotePath", matches and failures are recorded and saved. The content of both files is
checked only if "content" is setted to True and the file extension aint in the "banUrl" list.
The "banUrl" list should be used to ban script extensions like ASP, PHP, etc.
top
sitemapReader
This plugin searches for the sitemap.xml file, and parses it.
The sitemap.xml file is used by the site administrator to give the google search engine more information
about the site. By parsing this file, the plugin will find new URL's and other usefull information.
top
detectReverseProxy
This plugin tries to determine if the remote end has a reverse proxy installed.
The procedure used to detect reverse proxies is to send a request to the remote server and analyze the response headers,
if a Via header is found, chances are that the remote site has a reverse proxy.
top
phpEggs
This plugin tries to find the documented easter eggs that exist in PHP and identify
the remote PHP version using the easter egg content. The easter eggs that this plugin
verifies are:
- http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 ( PHP Credits )
- http://php.net/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 ( PHP Logo )
- http://php.net/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 ( Zend Logo )
- http://php.net/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 ( Easter Egg )
top
spiderMan
This plugin is a local proxy that can be used to give the framework knowledge about the web
application when it has a lot of client side code like Flash or Java applets. Whenever a w3af needs to
test an application with flash or javascript, the user should enable this plugin and use a web browser
to navigate the site using spiderMan proxy.
The proxy will extract information from the user navigation and generate the necesary injection points for the
audit plugins.
Another feature of this plugin is to save the cookies that are sent by the web application, in order to be able to
use them in other plugins. So if you have a web application that has a login with cookie session management
you should enable this plugin, do the login through the bworser and then let the other plugins spider the rest
of the application for you. Important note: If you enable webSpider, you should ignore the "logout" link.
Two configurable parameters exist:
- listenAddress
- listenPort
top
localProxy
This plugin is a local proxy ( like paros proxy ).
Seven configurable parameters exist:
- proxyPort
- proxyAddress
- fixContentLen
- interceptRegex
- interceptImages
- w3afMarker
- css
This plugin is usefull for manual testing, when this plugin is enabled a proxy server is runned, the
w3af user should configure that proxy on their browser and navigate the site changing the parameters
on the fly.
top
urlFuzzer
This plugin will try to find new URL's based on the input. If the input is for example:
- http://a/a.html
The plugin will request:
- http://a/a.html.tgz
- http://a/a.tgz
- http://a/a.zip
... etc
If the response is not a 404 error, then we have found a new URL. This plugin searches for
backup files, source code, and other common extensions.
One configurable parameter exist:
- fuzzImages
top
userDir
This plugin will try to find user home directories based on the knowledge gained by other plugins.
For example, if the target URL is:
- http://test/
And other plugins found this valid email accounts:
- test@test.com
- f00b4r@test.com
This plugin will request:
- http://test/~test/
- http://test/test/
- http://test/~f00b4r/
- http://test/f00b4r/
If the response is not a 404 error, then we have found a new URL. And confirmed the existance of a user
in the remote system.
top
googleSpider
This plugin finds new URL's using google. It will search for "site:domain.com" and do GEt requests
all the URL's found in the result.
Two configurable parameters exist:
- resultLimit
- key
top
findBackdoor
This plugin searches for web shells in the directories that are sent as input. For example, if the input is:
- http://localhost/w3af/webshells/f00b4r.php
The plugin will perform these requests:
- http://localhost/w3af/webshells/c99.php
- http://localhost/w3af/webshells/cmd.php
- http://localhost/w3af/webshells/webshell.php
...
top
wordnet
This plugin finds new URL's using wordnet.
An example is the best way to explain what this plugin does, let's suppose that the input
for this plugin is:
- http://a/index.asp?color=blue
The plugin will search the wordnet database for words that are related with "blue", and return for
example: "black" and "white". So the plugin requests this two URL's:
- http://a/index.asp?color=black
- http://a/index.asp?color=white
If the response for those URL's is not a 404 error, and has not the same body content, then we have
found a new URI. The wordnet database is bundled with w3af, more information about wordnet can be
found at : http://wordnet.princeton.edu/
top
robotsReader
This plugin searches for the robots.txt file, and parses it.
This file is used to as an ACL that defines what URL's a search engine can access. By parsing this file,
you can get more information about the site.
top
afd
This plugin sends custom requests to the remote web server in order to verify if the remote network
is protected by an IPS or WAF.
afd plugin detects both TCP-Connection-reset and HTTP level filters, the first one (usually implemented
by IPS devices) is easy to verify: if afd requests the custom page and the GET method raises an exception,
then its being probably blocked by an active filter. The second one (usually implemented by Web Application Firewalls
like mod_security) is a little harder to verify: first afd requests a page without adding any special parameters, afterwards it
requests the same URL but with a faked parameter and customized values; if the response bodies differ, then
its safe to say that the remote end has an active filter.
top
allowedMethods
This plugin finds what HTTP methods are enabled for a URI.
Two configurable parameters exist:
- execOneTime
- reportDavOnly
If "execOneTime" is set to True, then only the methods in the webroot are enumerated.
If "reportDavOnly" is set to True, this plugin will only report the enabled method list if DAV methods
have been found.
The plugin will try to use the OPTIONS method to enumerate all available methods, if that fails, a manual
enumeration is done, when doing a manual enumeration, the "DELETE" method ain't tested for safety.
top
findCaptchas
This plugin finds any CAPTCHA images that appear on a HTML document. The
discovery is performed by requesting the document two times, and comparing the
hashes of the images, if they differ, then they may be a CAPTCHA.
top
serverStatus
This plugin fetches the server-status file used by Apache, and parses it. After parsing, new URL's are
found, and in some cases, the plugin can deduce the existance of other domains hosted on the same
server.
top
oracleDiscovery
This plugin fetches some Oracle Application Server URLs and parses the information available on them.
top
yahooSiteExplorer
This plugin finds new URL's using yaho site explorer. It will search for "domain.com" and do GET requests
all the URL's found in the result.
One configurable parameters exists:
- resultLimit
top
detectTransparentProxy
This plugin tries to detect transparent proxies.
The procedure for detecting transparent proxies is simple, I try to connect to a series of IP addresses,
to the port 80, if all of them return an opened socket, then it's the proxy server responding.
top
mailer
This plugin tries to find new URLs by filling up forms that have an email input, receiving the email,
and then analyzing the email. This plugin also tries to identify the private IP address of the remote
web server using SMTP header analysis.
Two configurable parameter exist:
- mailDomain
- listenAddress
When this plugin fills up a form, it will do it like: someString@[mailDomain]
The listenAddress parameter is the IP address used by the SMTPd to receive emails.
top
dnsWildcard
This plugin compares the contents of www.site.com and site.com and tries to verify if the target site
has a DNS wildcard configuration or not.
top
webSpider
This plugin is a classic web spider, it will request a URL and extract all links and forms
from the response.
Three configurable parameter exist:
- onlyForward
- ignoreRegex
- followRegex
IgnoreRegex and followRegex are commonly used to configure the webSpider to spider
all URLs except the "logout" or some other more exciting link like "Reboot Appliance"
that would make the w3af run finish without the expected result.
By default ignoreRegex is 'None' (nothing is ignored) and followRegex is '.*' ( everything is
followed ). Both regular expressions are normal regular expressions that are compiled with
the python's re module.
top
fingerMSN
This plugin finds mail addresses in MSN search engine.
One configurable parameter exist:
- resultLimit
This plugin searches MSN for : "@domain.com", requests all search results and parses them in order
to find new mail addresses.
top
googleSets
This plugin finds new URL's using google sets.
Two configurable parameters exist:
- resultLimit
- setResults
An example is the best way to explain what this plugin does, let's suppose that the input
for this plugin is:
- http://a/index.asp?color=blue
- http://a/index.asp?color=red
The plugin will search google sets for a set that contains the words "blue" and "red", and the result
will be: "black" and "white". So the plugin requests this two URL's:
- http://a/index.asp?color=black
- http://a/index.asp?color=white
If the response for those URL's is not a 404 error, and has not the same body content, then we have
found a new URI.
top
digitSum
This plugin tries to find new URL's by changing the numbers that are present on it.
Two configurable parameters exist:
- fuzzImages
- maxDigitSections
An example will clarify what this plugin does, let's suppose that the input for this plugin is:
- http://a/index1.asp
This plugin will request:
- http://a/index0.asp
- http://a/index2.asp
If the response for the newly generated URL's ain't a 404 error, then the new URL is a valid one that
can contain more information and injection points.
top
halberd
This plugin tries to find if an HTTP Load balancer is present.
top
sharedHosting
This plugin tries to find out if the web application under test is stored in a shared hosting.
The procedure is pretty simple, using MSN search engine, the plugin searches for "ip:1.2.3.4"
where 1.2.3.4 is the IP address of the webserver.
top
MSNSpider
This plugin finds new URL's in MSN search engine.
One configurable parameters exist:
- resultLimit
This plugin searches MSN for : "@domain.com", requests all search results and parses them in order
to find new mail addresses.
top
serverHeader
This plugin gets the server header and saves the result to the knowledgeBase.
top
googleSafeBrowsing
This plugin searches the domain being tested in the google safe browsing database.
If your site is in this database the chances are that you were hacked and your server is now being
used in phishing attacks.
top
wsdlFinder
This plugin finds new web service descriptions and other web service related files
by appending "?WSDL" to all URL's and checking the response.9
top
pykto
This plugin is a nikto port to python.
It uses the scandatabase file from nikto to search for new and vulnerable URL's.
Seven configurable parameters exist:
- updateScandb
- cgiDirs
- adminDirs
- nukeDirs
- dbFile
- mutateTests
- genericScan
This plugin reads every line in the scandatabase and based on the configuration ( "cgiDirs", "adminDirs" ,
"nukeDirs" and "genericScan" ) it does requests to the remote server searching for common files that may
introduce vulnerabilities.
top
crossDomain
This plugin searches for the crossdomain.xml file used by flash, and parses it.
This file is used by Flash as an ACL that defines what domains can access the domain that
contains the file. By parsing this file, you can get more information about relationships between sites.
top
fingerPKS
This plugin finds mail addresses in PGP PKS servers.
top
findvhost
This plugin uses the HTTP Host header to find new virtual hosts. For example, if the intranet page is hosted
in the same server that the public page, and the web server is misconfigured, this plugin will discover that
virtual host.
Please note that this plugin doesn't use any DNS technique to find this virtual hosts.
top
hmap
This plugin fingerprints the remote web server and tries to determine the
server type, version and patch level.
One configurable parameters exist:
- genFpF
if genFpF is set to True, a fingerprint file is generated. Fingerprint files are used to identify unknown web servers, if you
generate new files please send them to w3af.project@gmail.com so we can add them to the framework.
top
phishtank
This plugin searches the domain being tested in the phishtank database.
If your site is in this database the chances are that you were hacked and your server is now being
used in phishing attacks.
Two configurable parameters exist:
- dbFile
- updateDB
top
fingerGoogle
This plugin finds mail addresses in google.
Two configurable parameters exist:
- key
- resultLimit
- fastSearch
If fastSearch is set to False, this plugin searches google for : "@domain.com", requests all search results and parses
them in order to find new mail addresses. If the fastSearch configuration parameter is set to True, only mail addresses
that appear on the google result page are parsed and added to the list, the result links are'nt visited.
top
detectWAF
Identify if a Web Application Firewall is present and if possible identify the vendor and version.
top
web20Spider
This plugin is a web spider on anabolics, it will search through the DOM tree of the loaded
HTML for tags that have an onClick, onChange or onMouseOver and it will call them. The javascript
will be executed just as if you would have *really* clicked on the link using your favorite browser.
The following is a list of all configurable parameters:
- localProxy
top
archiveDotOrg
This plugin does a search in archive.org and parses the results. It then uses the results to find new
URLs in the target site. This plugin is a time machine !
top
ghdb
This plugin finds possible vulnerabilities using google.
Three configurable parameters exist:
- resultLimit
- updateGHDB
- key
Using the google hack database released by jhonny, this plugin searches google for possible
vulnerabilities in the domain being tested.
top