Offensive Thinking

Internet Thoughtcrime

w3af revisited

Posted: 2009-07-28

In this post, almost exactly two months ago, I wrote about my first experiences with w3af. I came to the conclusion that this whole automated scanning stuff is just not my cup of tea.

Well, I still stand by this point. But I have revisited w3af recently, mainly due to an interview with its creator, Andrés Riancho, on Pauldotcom (awesome podcast btw, check it out). Andrés mentioned several points which piqued my interest in w3af again. The first and most important thing for me was that he is perfectly aware of the fact that automatic vulnerability scanning can never substitute for manual testing and that you really shouldn’t rely solely on his tool. The second thing was that they want to integrate manual testing into the framework, so you can have the best of both worlds. This really got my attention, because a tool which on the one hand allows me to easily automate repetitive tasks (no, I’m not gonna spider the website by hand, nor do I have the time to bruteforce subdirectories manually) but on the other hand still lets me manually poke at the application is exactly what I want to have. w3af wants to be the Metasploit for web applications, and I wholeheartedly support this.

So I got the newest version from SVN and had a second look. First of all, after hearing the podcast, I also started the w3af GUI, and not only the console version. Normally, I don’t like GUIs very much. I hate clicking all those fancy buttons, as you may have guessed from my tools section. That’s why I didn’t use it earlier. In this case however, it was worth it because there are already features available which are not in the console version. One major surprise was the MITM proxy they are building into the GUI. Finally, an Open Source MITM proxy that is in active development! It doesn’t have all the features the “established” MITM proxies (e.g. WebScarab) have, but it’s making progress and already looks very nice.

What’s also very new to the framework, but a great idea, is the export feature for HTTP requests you somehow got with the tool, either through the proxy or by creating a raw manual request. It exports the request to JavaScript (think AJAX) or Python code. How awesome is that. I can’t count the times I’ve written the same code over and over again for my different pentests.
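To illustrate what such an export does, here is a small added example of my own (not w3af’s code, and simpler than its plugins): it parses a raw HTTP request, drops the Content-Length header (http.client recomputes it), and emits stand-alone Python that replays the request. The sample request below is constructed and targets a made-up host; the same approach generates the JavaScript or Ruby variants by swapping the emitted template.

```python
"""Turn a raw HTTP request into replayable Python code (added illustration, not w3af's own export plugin)."""


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, version, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def export_to_python(raw: str, use_tls: bool = False) -> str:
    """Emit a self-contained Python snippet that replays the request with http.client."""
    req = parse_raw_request(raw)
    host = req["headers"].get("Host", "localhost")
    conn_cls = "HTTPSConnection" if use_tls else "HTTPConnection"
    # http.client sets Content-Length itself; re-sending the captured one can mismatch.
    headers = {k: v for k, v in req["headers"].items() if k.lower() != "content-length"}
    code = [
        "import http.client",
        f"conn = http.client.{conn_cls}({host!r})",
        f"headers = {headers!r}",
        f"body = {req['body']!r}",
        f"conn.request({req['method']!r}, {req['path']!r}, body=body or None, headers=headers)",
        "resp = conn.getresponse()",
        "print(resp.status, resp.reason)",
        "print(resp.read().decode(errors='replace'))",
    ]
    return "\n".join(code)


# Constructed sample request; the host is a placeholder, not a real target.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "user=alice&password=s3cret"
)

if __name__ == "__main__":
    print(export_to_python(SAMPLE_REQUEST))
```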

For me, w3af still needs to add some things before I will use it in pentests on a regular basis, but I now see potential I hadn’t seen two months ago. I must admit, I may have spent too little time with it then, not learning enough about it. So following the Open Source spirit, I started to contribute to w3af, which I plan to do as long as there’s no version of it that I can use on a daily basis ;). My first code was a Ruby export plugin, so now you can export to JavaScript, Python and Ruby. Andrés already committed this to trunk, as it was just some minor changes to the already existing Python export. I also wrote a WebScarab conversations import, inspired by Jon Rose who did this for Burp. He’s currently in the process of merging the code, additionally writing code to support the import of even more proxy logs.

So, all in all, I hope this project will continue to improve. I certainly will make my contributions where possible in the limited spare time I have.