145 matches found
spider_man
This plugin is a local proxy that can be used to give the framework knowledge about the web application when it has a lot of client side code like Flash or Java applets. Whenever a w3af needs to test an application with flash or javascript, the user should enable this plugin and use a web browser...
generic
This plugin finds all kind of bugs without using a fixed database of errors. This is a new kind of methodology that solves the main problem of most web application security scanners. Plugin type Audit Options Name | Type | Default Value | Description | Help ---|---|---|---|--- diffratio | float |...
file_upload
This plugin will try to expoit insecure file upload forms. One configurable parameter exists: extensions The extensions parameter is a comma separated list of extensions that this plugin will try to upload. Many web applications verify the extension of the file being uploaded, if special extensio...
zone_h
This plugin searches the zone-h.org defacement database and parses the result. The information stored in that database is useful to know about previous defacements to the target website. In some cases, the defacement site provides information about the exploited vulnerability, which may be still...
web_diff
This plugin tries to do a diff of two directories, a local and a remote one. The idea is to mimic the functionality implemented by the linux command "diff" when invoked with two directories. Four configurable parameter exist: localdir remoteurlpath bannedext content This plugin will read the file...
blind_sqli
This plugin finds blind SQL injections using two techniques: time delays and true/false response comparison. Only one configurable parameters exists: eqlimit Plugin type Audit Options Name | Type | Default Value | Description | Help ---|---|---|---|--- eqlimit | float | 0.9 | String equal ratio 0...
generic
This authentication plugin can login to web application with generic authentication schema. Seven configurable parameters exist: username password usernamefield passwordfield authurl checkurl checkstring Plugin type Auth Options Name | Type | Default Value | Description | Help ---|---|---|---|---...
wsdl_finder
This plugin finds new web service descriptions and other web service related files by appending "?WSDL" to all URLs and checking the response. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests,...
urllist_txt
This plugin searches for the urllist.txt file, and parses it. The urllist.txt file is/was used by Yahoos search engine. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source...
click_jacking
This plugin greps every page for X-Frame-Options header and so for possible ClickJacking attack against URL. Additional information: https://www.owasp.org/index.php/Clickjacking Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this...
strange_parameters
This plugin greps all responses and tries to identify URIs with strange parameters, some examples of strange parameters are: http://a/?b=methoda,c http://a/?c=x|y|z|d Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and th...
meta_tags
This plugin greps every page for interesting meta tags. Some interesting meta tags are the ones that contain : microsoft, visual, linux . Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres...
finger_pks
This plugin finds mail addresses in PGP PKS servers. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin...
php_eggs
This plugin tries to find the documented easter eggs that exist in PHP and identify the remote PHP version using the easter egg content. The easter eggs that this plugin verifies are: PHP Credits, Logo, Zend Logo, PHP Logo 2: http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000...
wordnet
This plugin finds new URLs using wn. An example is the best way to explain what this plugin does, lets suppose that the input for this plugin is: http://a/index.asp?color=blue The plugin will search the wordnet database for words that are related with "blue", and return for example: "black" and...
text_file
This plugin writes the framework messages to a text file. Four configurable parameters exist: outputfile httpoutputfile verbose Plugin type Output Options Name | Type | Default Value | Description | Help ---|---|---|---|--- verbose | boolean | True | Enable if verbose output is needed | No detail...
htaccess_methods
This plugin finds .htaccess misconfigurations in the LIMIT configuration parameter. This plugin is based on a paper written by Frame and madjoker from kernelpanik.org. The paper is called : "htaccess: bilbao method exposed" The idea of the technique and the plugin is to exploit common...
http_auth_detect
This plugin greps every page and finds responses that indicate that the resource requires authentication. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understa...
rnd_hex_encode
This evasion plugin adds random hex encoding. Example: Input: /bar/foo.asp Output : /b%61r/%66oo.asp Plugin type Evasion Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand...
hmap
This plugin fingerprints the remote web server and tries to determine the server type, version and patch level. It uses fingerprinting, not just the Server header returned by remote server. This plugin is a wrapper for Dustin Lees hmap. One configurable parameters exist: genFpF If genFpF is set t...
ria_enumerator
This plugin searches for various Rich Internet Application files. It currently searches for: Google gears manifests These files are used to determine which files are locally cached by google gears. They do not get cleared when the browser cache is cleared and may contain sensitive information. Fl...
xss_protection_header
This plugin detects insecure usage of the "X-XSS-Protection" header as explained in the MSDN blog article "Controlling the XSS Filter". Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres alwa...
backspace_between_dots
This evasion plugin inserts an A and a backspace control character between dots which cancel each other when they are processed and some filters that match ../ are bypassed. Example: Input: ../../etc/passwd Output: .%41%08./.%41%08./etc/passwd Plugin type Evasion Options This plugin doesnt have a...
analyze_cookies
This plugin greps every response for session cookies that the web application sends to the client, and analyzes them in order to identify potential vulnerabilities, the remote web application framework and other interesting information. Plugin type Grep Options This plugin doesnt have any user...
halberd
This plugin tries to find if an HTTP Load balancer is present. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood:...
detect_reverse_proxy
This plugin tries to determine if the remote end has a reverse proxy installed. The procedure used to detect reverse proxies is to send a request to the remote server and analyze the response headers, if a Via header is found, chances are that the remote site has a reverse proxy. Plugin type...
mod_security
This evasion plugin performs a bypass for modsecurity version 2.1.0 or less here: http://www.php-security.org/MOPB/BONUS-12-2007.html Important: The evasion only works for postdata. Example: Post-data Input: a=b Post-data Output : \x00a=b Plugin type Evasion Options This plugin doesnt have any us...
find_backdoors
This plugin searches for web shells in the directories that are sent as input. For example, if the input is: http://host.tld/w3af/f00b4r.php The plugin will perform these requests: http://host.tld/w3af/c99.php http://host.tld/w3af/cmd.php http://host.tld/w3af/webshell.php … Plugin type Crawl...
server_status
This plugin fetches the server-status file used by Apache, and parses it. After parsing, new URLs are found, and in some cases, the plugin can deduce the existance of other domains hosted on the same server. Plugin type Infrastructure Options This plugin doesnt have any user configured options...
mx_injection
This plugin will find MX injections. This kind of web application errors are mostly seen in webmail software. The tests are simple, for every injectable parameter a string with special meaning in the mail server is sent, and if in the response I find a mail server error, a vulnerability was found...
motw
This plugin will specify whether the page is compliant against the MOTW standard. The standard is explained in: http://msdn2.microsoft.com/en-us/library/ms537628.aspx This plugin tests if the length of the URL specified by "XYZW" is lower, equal or greater than the length of the URL; and also...
shift_out_in_between_dots
This evasion plugin insert between dots shift-in and shift-out control characters which are cancelled each other when they are below so some ".." filters are bypassed Example: Input: ../../etc/passwd Output: .%0E%0F./.%0E%0F./etc/passwd Plugin type Evasion Options This plugin doesnt have any user...
dns_wildcard
This plugin compares the contents of www.site.com and site.com and tries to verify if the target site has a DNS wildcard configuration or not. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated...
redos
This plugin finds ReDoS regular expression DoS vulnerabilities as explained here: http://en.wikipedia.org/wiki/ReDoS Plugin type Audit Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code...
objects
This plugin greps every page for applets and other types of objects. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plug...
rnd_param
This evasion plugin adds a random parameter. Example: Input: /bar/foo.asp Output : /bar/foo.asp?alsfkj=f09 Plugin type Evasion Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to...
hash_analysis
This plugin identifies hashes in HTTP responses. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin source code...
form_autocomplete
This plugin greps every page for autocomplete-able forms containing password-type inputs. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats...
http_vs_https_dist
This plugin analyzes the network distance between the HTTP and HTTPS ports giving a detailed report of the traversed hosts in transit to target:port. You should have root/admin privileges in order to run this plugin succesfully. Explicitly declared ports on the entered target override those...
fingerprint_os
This plugin fingerprints the remote web server and tries to determine the Operating System family Windows, Unix, etc.. The fingerprinting is at this moment really trivial, because it only uses one technique: windows path separator in the URL. For example, if the input URL is...
archive_dot_org
This plugin does a search in archive.org and parses the results. It then uses the results to find new URLs in the target site. This plugin is a time machine ! Plugin type Crawl Options Name | Type | Default Value | Description | Help ---|---|---|---|--- maxdepth | integer | 3 | Maximum recursion...
http_in_body
This plugin searches for HTTP responses that contain other HTTP request/responses in their response body. This situation is mostly seen when programmers enable some kind of debugging for the web application, and print the original request in the response HTML as a comment. Plugin type Grep Option...
self_reference
This evasion plugin adds a directory self reference. Example: Input: /bar/foo.asp Output : /bar/./foo.asp Plugin type Evasion Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to...
finger_bing
This plugin finds mail addresses in Bing search engine. One configurable parameter exist: resultlimit This plugin searches Bing for : "@domain.com", requests all search results and parses them in order to find new mail addresses. Plugin type Infrastructure Options Name | Type | Default Value |...
find_captchas
This plugin finds any CAPTCHA images that appear on a HTML document. The crawl is performed by requesting the document two times, and comparing the image hashes, if they differ, then they may be a CAPTCHA. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For...
cache_control
This plugin analyzes every HTTPS response and reports instances of incorrect cache control which might lead the users browser to cache sensitive contents on their system. The expected headers for HTTPS responses are: Pragma: No-cache Cache-control: No-store Plugin type Grep Options This plugin...
directory_indexing
This plugin greps every response directory indexing problems. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin sour...
symfony
This plugin greps every page for traces of the Symfony framework and the lack of CSRF protection. Plugin type Grep Options Name | Type | Default Value | Description | Help ---|---|---|---|--- override | boolean | False | Skip symfony detection and search for the csrf misprotection. | No detailed...
shared_hosting
This plugin tries to find out if the web application under test is stored in a shared hosting. The procedure is pretty simple, using bing search engine, the plugin searches for "ip:1.2.3.4" where 1.2.3.4 is the IP address of the webserver. One configurable option exists: resultlimit Fetch the fir...
private_ip
This plugin greps every page body and headers for private IP addresses. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood:...