w3af is a great open source tool for detecting not only SQL injection vulnerabilities but also things like cross-site scripting, PHP misconfiguration and more. In our lab we will be running w3af on Kali Linux. We will look at a basic install and basic usage.

Installation

# Option 1: install the packaged version from the Kali repositories
apt-get update
apt-get install -y w3af

# Option 2: install the latest version from the git repository
cd ~
apt-get update
apt-get install -y python-pip w3af
pip install --upgrade pip
git clone https://github.com/andresriancho/w3af.git
cd w3af
./w3af_console
# If dependencies are missing, the first run of w3af_console writes this helper script; run it, then start w3af_console again
. /tmp/w3af_dependency_install.sh


Basic usage

The application has 3 main plugin types:

  • Crawl
  • Audit
  • Attack

More information can be found on the w3af website.
To run it:

# w3af_console
Usage of w3af for sending any traffic to a target without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Do you accept the terms and conditions? [N|y] y
w3af>>> 

View the help menu, which is fairly intuitive:

w3af>>> help
|---------------------------------------------------------------------------------------------------------|
| start         | Start the scan.                                                                         |
| plugins       | Enable and configure plugins.                                                           |
| exploit       | Exploit the vulnerability.                                                              |
| profiles      | List and use scan profiles.                                                             |
| cleanup       | Cleanup before starting a new scan.                                                     |
|---------------------------------------------------------------------------------------------------------|
| help          | Display help. Issuing: help [command] , prints more specific help about "command"       |
| version       | Show w3af version information.                                                          |
| keys          | Display key shortcuts.                                                                  |
|---------------------------------------------------------------------------------------------------------|
| http-settings | Configure the HTTP settings of the framework.                                           |
| misc-settings | Configure w3af misc settings.                                                           |
| target        | Configure the target URL.                                                               |
|---------------------------------------------------------------------------------------------------------|
| back          | Go to the previous menu.                                                                |
| exit          | Exit w3af.                                                                              |
|---------------------------------------------------------------------------------------------------------|
| kb            | Browse the vulnerabilities stored in the Knowledge Base                                 |
|---------------------------------------------------------------------------------------------------------|

First we will set the HTTP connection timeout:

w3af>>> http-settings
w3af/config:http-settings>>> help
|---------------------------------------------------------------------------------------------------------|
| view     | List the available options and their values.                                                 |
| set      | Set a parameter value.                                                                       |
| save     | Save the configured settings.                                                                |
|---------------------------------------------------------------------------------------------------------|
| back     | Go to the previous menu.                                                                     |
| exit     | Exit w3af.                                                                                   |
|---------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> view
|--------------------------------------------------------------------------------------------------------|
| Setting                 | Value    | Modified | Description                                            |
|--------------------------------------------------------------------------------------------------------|
| url_parameter           |          |          | URL parameter (http://host.tld/path;)                  |
| timeout                 | 0        |          | HTTP connection timeout                                |
| headers_file            |          |          | HTTP headers filename which contains additional        |
|                         |          |          | headers to be added in each request                    |
|--------------------------------------------------------------------------------------------------------|
| cookie_jar_file         |          |          | Cookie Jar file holding HTTP cookies                   |
| ignore_session_cookies  | False    |          | Ignore session cookies                                 |
|--------------------------------------------------------------------------------------------------------|
| ntlm_auth_url           |          |          | NTLM authentication domain (target domain name)        |
| ntlm_auth_user          |          |          | NTLM authentication username                           |
| ntlm_auth_passwd        |          |          | NTLM authentication password                           |
| ntlm_auth_domain        |          |          | NTLM authentication domain (windows domain name)       |
|--------------------------------------------------------------------------------------------------------|
| rand_user_agent         | False    |          | Use random User-Agent header                           |
| max_file_size           | 400000   |          | Maximum file size                                      |
| max_http_retries        | 2        |          | Maximum number of HTTP request retries                 |
| user_agent              | w3af.org |          | User Agent header                                      |
| max_requests_per_second | 0        |          | Maximum HTTP requests per second                       |
|--------------------------------------------------------------------------------------------------------|
| string_match_404        |          |          | Tag HTTP response as 404 if the string is found in     |
|                         |          |          | it's body                                              |
| always_404              |          |          | Comma separated list of URLs which will always be      |
|                         |          |          | detected as 404 pages                                  |
| never_404               |          |          | Comma separated list of URLs which will never be       |
|                         |          |          | detected as 404 pages                                  |
|--------------------------------------------------------------------------------------------------------|
| proxy_port              | 8080     |          | Proxy TCP port                                         |
| proxy_address           |          |          | Proxy IP address                                       |
|--------------------------------------------------------------------------------------------------------|
| basic_auth_user         |          |          | Basic authentication username                          |
| basic_auth_passwd       |          |          | Basic authentication password                          |
| basic_auth_domain       |          |          | Basic authentication domain                            |
|--------------------------------------------------------------------------------------------------------|
w3af/config:http-settings>>> set timeout 10
w3af/config:http-settings>>> save
The configuration has been saved.
w3af/config:http-settings>>> back
The configuration has been saved.
w3af>>>

Let's list the available audit plugins with the list audit command:

w3af>>> plugins
w3af/plugins>>> list audit
|-------------------------------------------------------------------------------------------------------|
| Plugin name         | Status | Conf | Description                                                     |
|-------------------------------------------------------------------------------------------------------|
| blind_sqli          |        | Yes  | Identify blind SQL injection vulnerabilities.                   |
| buffer_overflow     |        |      | Find buffer overflow vulnerabilities.                           |
| cors_origin         |        | Yes  | Inspect if application checks that the value of the "Origin"    |
|                     |        |      | HTTP header isconsistent with the value of the remote IP        |
|                     |        |      | address/Host of the sender ofthe incoming HTTP request.         |
| csrf                |        |      | Identify Cross-Site Request Forgery vulnerabilities.            |
| dav                 |        |      | Verify if the WebDAV module is properly configured.             |
| eval                |        | Yes  | Find insecure eval() usage.                                     |
| file_upload         |        | Yes  | Uploads a file and then searches for the file inside all known  |
|                     |        |      | directories.                                                    |
| format_string       |        |      | Find format string vulnerabilities.                             |
| frontpage           |        |      | Tries to upload a file using frontpage extensions (author.dll). |
| generic             |        | Yes  | Find all kind of bugs without using a fixed database of errors. |
| global_redirect     |        |      | Find scripts that redirect the browser to any site.             |
| htaccess_methods    |        |      | Find misconfigurations in Apache's "" configuration.     |
| ldapi               |        |      | Find LDAP injection bugs.                                       |
| lfi                 |        |      | Find local file inclusion vulnerabilities.                      |
| memcachei           |        |      | No description available for this plugin.                       |
| mx_injection        |        |      | Find MX injection vulnerabilities.                              |
| os_commanding       |        |      | Find OS Commanding vulnerabilities.                             |
| phishing_vector     |        |      | Find phishing vectors.                                          |
| preg_replace        |        |      | Find unsafe usage of PHPs preg_replace.                         |
| redos               |        |      | Find ReDoS vulnerabilities.                                     |
| response_splitting  |        |      | Find response splitting vulnerabilities.                        |
| rfd                 |        |      | Identify reflected file download vulnerabilities.               |
| rfi                 |        | Yes  | Find remote file inclusion vulnerabilities.                     |
| shell_shock         |        |      | Find shell shock vulnerabilities.                               |
| sqli                |        |      | Find SQL injection bugs.                                        |
| ssi                 |        |      | Find server side inclusion vulnerabilities.                     |
| ssl_certificate     |        | Yes  | Check the SSL certificate validity (if https is being used).    |
| un_ssl              |        |      | Find out if secure content can also be fetched using http.      |
| websocket_hijacking |        |      | Detect Cross-Site WebSocket hijacking vulnerabilities.          |
| xpath               |        |      | Find XPATH injection vulnerabilities.                           |
| xss                 |        | Yes  | Identify cross site scripting vulnerabilities.                  |
| xst                 |        |      | Find Cross Site Tracing vulnerabilities.                        |
|-------------------------------------------------------------------------------------------------------|
w3af/plugins>>> 

Let's enable the plugins for a SQL injection scan:

w3af/plugins>>> audit sqli, blind_sqli
w3af/plugins>>> list audit            
|-------------------------------------------------------------------------------------------------------|
| Plugin name         | Status  | Conf | Description                                                    |
|-------------------------------------------------------------------------------------------------------|
| blind_sqli          | Enabled | Yes  | Identify blind SQL injection vulnerabilities.                  |
| buffer_overflow     |         |      | Find buffer overflow vulnerabilities.                          |
| cors_origin         |         | Yes  | Inspect if application checks that the value of the "Origin"   |
|                     |         |      | HTTP header isconsistent with the value of the remote IP       |
|                     |         |      | address/Host of the sender ofthe incoming HTTP request.        |
| csrf                |         |      | Identify Cross-Site Request Forgery vulnerabilities.           |
| dav                 |         |      | Verify if the WebDAV module is properly configured.            |
| eval                |         | Yes  | Find insecure eval() usage.                                    |
| file_upload         |         | Yes  | Uploads a file and then searches for the file inside all known |
|                     |         |      | directories.                                                   |
| format_string       |         |      | Find format string vulnerabilities.                            |
| frontpage           |         |      | Tries to upload a file using frontpage extensions              |
|                     |         |      | (author.dll).                                                  |
| generic             |         | Yes  | Find all kind of bugs without using a fixed database of        |
|                     |         |      | errors.                                                        |
| global_redirect     |         |      | Find scripts that redirect the browser to any site.            |
| htaccess_methods    |         |      | Find misconfigurations in Apache's "" configuration.    |
| ldapi               |         |      | Find LDAP injection bugs.                                      |
| lfi                 |         |      | Find local file inclusion vulnerabilities.                     |
| memcachei           |         |      | No description available for this plugin.                      |
| mx_injection        |         |      | Find MX injection vulnerabilities.                             |
| os_commanding       |         |      | Find OS Commanding vulnerabilities.                            |
| phishing_vector     |         |      | Find phishing vectors.                                         |
| preg_replace        |         |      | Find unsafe usage of PHPs preg_replace.                        |
| redos               |         |      | Find ReDoS vulnerabilities.                                    |
| response_splitting  |         |      | Find response splitting vulnerabilities.                       |
| rfd                 |         |      | Identify reflected file download vulnerabilities.              |
| rfi                 |         | Yes  | Find remote file inclusion vulnerabilities.                    |
| shell_shock         |         |      | Find shell shock vulnerabilities.                              |
| sqli                | Enabled |      | Find SQL injection bugs.                                       |
| ssi                 |         |      | Find server side inclusion vulnerabilities.                    |
| ssl_certificate     |         | Yes  | Check the SSL certificate validity (if https is being used).   |
| un_ssl              |         |      | Find out if secure content can also be fetched using http.     |
| websocket_hijacking |         |      | Detect Cross-Site WebSocket hijacking vulnerabilities.         |
| xpath               |         |      | Find XPATH injection vulnerabilities.                          |
| xss                 |         | Yes  | Identify cross site scripting vulnerabilities.                 |
| xst                 |         |      | Find Cross Site Tracing vulnerabilities.                       |
|-------------------------------------------------------------------------------------------------------|
w3af/plugins>>> 

Let's save this configuration as a profile:

w3af>>> profiles
w3af/profiles>>> help
|---------------------------------------------------------------------------------------------------------|
| use           | Use a profile.                                                                          |
| list          | List available profiles.                                                                |
| save_as       | Save the current configuration to a profile.                                            |
|---------------------------------------------------------------------------------------------------------|
| back          | Go to the previous menu.                                                                |
| exit          | Exit w3af.                                                                              |
|---------------------------------------------------------------------------------------------------------|
w3af/profiles>>> save_as lab
Profile saved.
w3af/profiles>>> 

Now let's set the target and start our scan:

w3af>>> target
w3af/config:target>>> set target http://mysite.com
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
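The whole procedure above (timeout, plugin selection, target, start) as a w3af script file that w3af_console runs non-interactively with its -s option; this is an added example, not part of the original page or of the w3af project. It assumes the ~/w3af clone from the install section and keeps the page's placeholder target http://mysite.com; beyond the page it also enables the web_spider crawl plugin (audit plugins only test the URLs they are handed, so without a crawler only the target URL itself gets tested) and the text_file output plugin so findings land in a report file, and it leaves the profile save to the interactive session.

```shell
#!/bin/sh
# Added example, not from the page or the w3af project: the console steps
# above as a w3af script, run non-interactively with "w3af_console -s FILE".
# Assumed: w3af cloned to ~/w3af (install section), the page's placeholder
# target http://mysite.com, and a report path chosen here.

W3AF_DIR="${W3AF_DIR:-$HOME/w3af}"
LAB_TARGET="${LAB_TARGET:-http://mysite.com}"
SCRIPT="${SCRIPT:-/tmp/lab.w3af}"
REPORT="${REPORT:-/tmp/lab-sqli.txt}"

# write_lab_script FILE TARGET REPORT: one console command per line, in the
# order of the interactive session. Audit plugins only test URLs they are
# given, so the web_spider crawl plugin is enabled to discover links first.
write_lab_script() {
    cat > "$1" <<EOF
http-settings
set timeout 10
back
plugins
output console, text_file
output config text_file
set output_file $3
back
crawl web_spider
audit sqli, blind_sqli
back
target
set target $2
back
start
exit
EOF
}

write_lab_script "$SCRIPT" "$LAB_TARGET" "$REPORT"
echo "Wrote $SCRIPT; to scan, run: $W3AF_DIR/w3af_console -s $SCRIPT"
```

Override W3AF_DIR, LAB_TARGET, SCRIPT or REPORT in the environment to point the generated script at your own lab setup.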