Automated Audit using W3AF

Published: 2019-06-25 10:58:18   Editor: auto   Reads: 1882

    This article gives development teams a quick and easy way to run automated audit tests
    against their web application projects during the implementation phase.


    Description

    This page shows a sample W3AF script that automates the audit of a web application.

    W3AF is a free and open source Web Application Attack and Audit Framework (see the W3AF homepage).

    This script does not replace a manual audit, but it is useful as a first validation. Run it only against applications you are authorized to test, preferably a test or staging instance: the audit plugins it enables send real attack payloads (SQL injection, XSS, response splitting, and so on), which can modify data or trip monitoring on a production system.

    Script content

    The plugin names below are those of the w3af 1.x console. Later releases renamed the plugin types and plugins to lower_snake_case (for example `discovery webSpider` became `crawl web_spider`), so list the plugins available in your installation's `plugins` menu before reusing the script verbatim.

    # -----------------------------------------------------------------------------------------------------------
    #                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
    # -----------------------------------------------------------------------------------------------------------
    http-settings
    set timeout 60
    back
    plugins
    # Step 1 : Configure DISCOVERY plugins
    discovery serverHeader, dotNetErrors, webSpider
    discovery config serverHeader
    set execOneTime True
    back
    discovery config webSpider
    set onlyForward False
    set followRegex .*
    back
    # Step 2 : Configure AUDIT plugins
    audit LDAPi,eval,frontpage,generic,globalRedirect,phishingVector,responseSplitting,sqli,xpath,xsrf,xss,xst
    audit config xss
    set numberOfChecks 15
    back
    # Step 3 : Configure GREP plugins
    grep error500, domXss, metaTags, dotNetEventValidation, findComments, pathDisclosure, collectCookies, errorPages, httpAuthDetect
    grep config domXss
    set simpleGrep False
    set smartGrep True
    back
    grep config metaTags
    set search404 False
    back
    grep config findComments
    set search404 False
    back
    # Step 4 : Configure OUTPUT plugins
    output htmlFile
    output config htmlFile
    set fileName /tmp/W3afReport.html
    set verbose False
    back
    back
    # Step 5 : Define target URL
    target
    set target PUT_YOUR_SITE_URL_HERE
    back
    # Step 6 : Start audit
    start
    exit
    

    Script run

    ./w3af_console -s MyScript.w3af

    After the script runs, the audit report is available at the path given by the `set fileName` line (/tmp/W3afReport.html in the example). Because /tmp is shared and writable by every local user, on a multi-user or CI host choose a per-run path in a directory only the scanning account can write to, so the report cannot be read or pre-created by someone else.
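The steps above (fill in the target, run the script, pick up the report) are what a development team would want to repeat for every project and build. The wrapper below is an added example, not part of the original page or of the w3af project: it keeps the script above as a template with the PUT_YOUR_SITE_URL_HERE placeholder still in it, substitutes the target and a per-run report path, rejects anything that is not an http(s) URL, and treats a missing report after the run as a failure. The template file name (MyScript.w3af.tmpl), the wrapper file name and the W3AF_CONSOLE variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): render the W3AF script above for one
# target and run it from a build or CI job.
# Assumptions: the script is saved unchanged, placeholder included, as
# MyScript.w3af.tmpl; w3af_console is ./w3af_console or given in $W3AF_CONSOLE.
set -eu

W3AF_CONSOLE=${W3AF_CONSOLE:-./w3af_console}

# render_w3af_script TEMPLATE TARGET REPORT OUT
# Writes a copy of TEMPLATE with the target URL and report path filled in.
# Only http(s) URLs are accepted, so a mistyped variable cannot aim the scan at
# something other than the application under test.
render_w3af_script() {
    template=$1; target=$2; report=$3; out=$4
    case $target in
        http://?*|https://?*) ;;
        *) echo "render_w3af_script: target must be an http(s) URL: $target" >&2; return 1 ;;
    esac
    # Escape the characters that are special in a sed replacement: \ / &
    t=$(printf '%s' "$target" | sed 's/[\/&\\]/\\&/g')
    r=$(printf '%s' "$report" | sed 's/[\/&\\]/\\&/g')
    sed -e "s/PUT_YOUR_SITE_URL_HERE/$t/" \
        -e "s/^[[:space:]]*set fileName .*/set fileName $r/" \
        "$template" > "$out"
    # Never hand w3af a script that still carries the placeholder or lost its start command.
    if grep -q PUT_YOUR_SITE_URL_HERE "$out" || ! grep -q '^[[:space:]]*start[[:space:]]*$' "$out"; then
        echo "render_w3af_script: template substitution failed" >&2
        return 1
    fi
}

# run_w3af SCRIPT REPORT
# Runs the rendered script and checks that the HTML report was actually written.
# A missing or empty report usually means w3af stopped early (unreachable target,
# unknown plugin name) rather than "nothing found", so it is reported as a failure.
run_w3af() {
    script=$1; report=$2
    rm -f "$report"
    "$W3AF_CONSOLE" -s "$script"
    if [ ! -s "$report" ]; then
        echo "run_w3af: no report at $report; check the console output" >&2
        return 2
    fi
    echo "report written to $report"
}

# Usage (file name is an assumption): sh run_audit.sh https://staging.example.test/app [report.html]
if [ $# -ge 1 ]; then
    report_path=${2:-"$(pwd)/w3af-report-$(date +%Y%m%d-%H%M%S).html"}
    render_w3af_script MyScript.w3af.tmpl "$1" "$report_path" MyScript.w3af
    run_w3af MyScript.w3af "$report_path"
fi
```

The report path defaults to a timestamped file in the current directory rather than the fixed /tmp/W3afReport.html, so two jobs on the same host do not overwrite each other's results and the file is not created in a world-writable directory.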

    Script editing

    Highlighter content

    Below is a Notepad++ user-defined language for W3AF scripts (copy the content into a file and import it into Notepad++ as described in the next section).

    
    <NotepadPlus>
        <UserLang name="W3AF" ext="w3af">
            <Settings>
                <Global caseIgnored="yes" />
                <TreatAsSymbol comment="no" commentLine="no" />
                <Prefix words1="no" words2="no" words3="no" words4="no" />
            </Settings>
            <KeywordLists>
                <Keywords name="Delimiters">000000</Keywords>
                <Keywords name="Folder+"></Keywords>
                <Keywords name="Folder-"></Keywords>
                <Keywords name="Operators"></Keywords>
                <Keywords name="Comment"> 1 2 0#</Keywords>
                <Keywords name="Words1">start plugins exploit profiles http-settings misc-settings target back assert help version keys view set</Keywords>
                <Keywords name="Words2">mangle evasion discovery grep bruteforce audit output</Keywords>
                <Keywords name="Words3"></Keywords>
                <Keywords name="Words4"></Keywords>
            </KeywordLists>
            <Styles>
                <WordsStyle name="DEFAULT" styleID="11" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="FOLDEROPEN" styleID="12" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="FOLDERCLOSE" styleID="13" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="KEYWORD1" styleID="5" fgColor="000080" bgColor="FFFFFF" fontStyle="3" />
                <WordsStyle name="KEYWORD2" styleID="6" fgColor="800040" bgColor="FFFFFF" fontStyle="3" />
                <WordsStyle name="KEYWORD3" styleID="7" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="KEYWORD4" styleID="8" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="COMMENT" styleID="1" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="COMMENT LINE" styleID="2" fgColor="008040" bgColor="FFFFFF" fontStyle="1" />
                <WordsStyle name="NUMBER" styleID="4" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="OPERATOR" styleID="10" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="DELIMINER1" styleID="14" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="DELIMINER2" styleID="15" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
                <WordsStyle name="DELIMINER3" styleID="16" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
            </Styles>
        </UserLang>
    </NotepadPlus>
    

    Highlighter import

    Step 1 : Import the file through Notepad++'s User Defined Language dialogue (screenshot: ImportCustomHighlighterIntoNPP.png)

    Step 2 : Select the W3AF language when editing a script (screenshot: NewHighlighterSelection.png)
