Tuesday, November 2, 2010

W3af release v1.0-rc4

w3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which check for SQL injection, cross-site scripting (XSS), local and remote file inclusion and much more.

The efforts for this release have been major. Some of them have been well
organized, like our sprints that started one month ago [2][3], and others
can be tracked through the SVN logs, like Taras' great improvements to the
GUI.

Just to name a few things we've done for this release:
* We've written new HOWTO documents for our users
* Considerably improved the speed of all grep plugins
* Replaced Beautiful Soup with the faster libxml2 library
* Introduced the usage of XPath queries, which will allow us to improve
performance and reduce false positives
* Fixed hundreds of bugs

In this release you'll also find that, after exploiting a vulnerability, you
can leverage that access using our Web Application Payloads, a feature that
we developed together with Lucas Apa from Bonsai Information Security. These
payloads allow you to escalate privileges and will help you get from a
low-privilege vulnerability (e.g. local file read) to remote code execution.
To try them, exploit a vulnerability, get any type of shell and then run
any of the following commands: help, lsp, payload tcp (the last one will
show you the open connections on the remote box).

Download: http://sourceforge.net
