Title: W3AF Non Intrusive Profile?
Post by: sgtsteamy on September 18, 2011, 12:10:33 AM
I am performing a vulnerability assessment and not a pentest on one of my affiliate's websites. I was wondering if there are any great resources on putting together a profile in w3af that won't automatically start exploiting vulnerabilities it finds.
I just want to find these vulnerabilities... Not actually exploit them.
I've searched around on google and on the w3af website but can't find too much about it...
Title: Re: W3AF Non Intrusive Profile?
Post by: MaXe on September 18, 2011, 11:51:50 AM
If you fully understand web application security, you should be able to put together a non-intrusive profile within W3AF even with no prior experience with this program. If you want to be sure it is non-intrusive, set up a vulnerable website locally, create a profile in W3AF, and then run it while analyzing the traffic with e.g., Wireshark. (Just filter out all traffic except connections made on port 80 locally.)
I haven't seen a guide though, but I have tried W3AF on several occasions, mostly for fun though, as it is not in my most-used toolkit. It seems that W3AF is hardly intrusive even with all settings turned on, which in turn often takes very long to complete.
Web applications are also a lot harder to break, as in making them stop working, as you would have to create some kind of DoS condition with e.g., a very malicious SQL injection call, which W3AF does not perform, or some strange calls to make the website go into a loop, which is often just temporary and will not last forever. (Programs, on the other hand, in case of a buffer overflow, will crash and may become permanently unresponsive until the service / program is restarted.)
If you want to be completely non-intrusive and yet still be able to find many, perhaps almost all, of the bugs, the best place to begin would be to ask if they have any development servers where they have a current copy of their website (as in a true copy), or, for that matter, if you can have a copy of their website to test locally on your own systems, so they are guaranteed their webserver will have zero downtime.
Naturally this only tests the web application, and not the server, which is often also included in a web app pentest. I don't think that W3AF incorporates any exploits for e.g., Apache though.
That's pretty much the best advice I can provide in this case :)
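The check MaXe describes (run the profile against a local target and look at what it actually sends) can be done without Wireshark by pointing the scanner at a small recording server. The script below is an added example, not code from the thread or from w3af: it starts a local HTTP listener on an ephemeral port, records every request, and sorts them into read-only (GET/HEAD/OPTIONS with no body) versus state-changing (anything else). The port, paths and the "scanner" traffic in `demo()` are constructed stand-ins; in practice you would run the w3af profile against the printed URL instead. Note the heuristic is HTTP-level only: a GET whose query string carries an injection payload still counts as read-only here, so the logged paths are worth reading by eye as well.

```python
"""Local request recorder for checking what a web scanner really sends.

Added example for the thread above; not part of w3af. Start the recorder,
run the scanner profile against http://127.0.0.1:<port>/, then call
summarize(log) to see which requests were read-only and which would have
changed state on a real server.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Methods that should not change server state when no body is attached.
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}


class RequestLog:
    """Thread-safe list of recorded requests (the server runs in a thread)."""

    def __init__(self):
        self.entries = []
        self.lock = threading.Lock()

    def add(self, method, path, body):
        with self.lock:
            self.entries.append({"method": method, "path": path, "body": body})


def make_handler(log):
    class Recorder(BaseHTTPRequestHandler):
        def _record(self):
            length = int(self.headers.get("Content-Length") or 0)
            body = self.rfile.read(length) if length else b""
            log.add(self.command, self.path, body)
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            if self.command != "HEAD":  # HEAD responses carry no body
                self.wfile.write(b"recorded\n")

        # Every method the scanner might try is routed to the same recorder.
        do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_PATCH = do_OPTIONS = _record

        def log_message(self, *args):  # keep the console quiet
            pass

    return Recorder


def classify(entry):
    """Read-only only if the method is safe AND no request body was sent."""
    if entry["method"] in READ_ONLY_METHODS and not entry["body"]:
        return "read-only"
    return "state-changing"


def summarize(log):
    """Return (counts by kind, list of (method, path) for state-changing requests)."""
    counts = {"read-only": 0, "state-changing": 0}
    flagged = []
    for entry in log.entries:
        kind = classify(entry)
        counts[kind] += 1
        if kind == "state-changing":
            flagged.append((entry["method"], urlsplit(entry["path"]).path))
    return counts, flagged


def start_recorder(port=0):
    """Bind on 127.0.0.1 (port 0 = pick a free one) and serve in a daemon thread."""
    log = RequestLog()
    server = HTTPServer(("127.0.0.1", port), make_handler(log))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, log


def demo():
    """Constructed traffic standing in for a scanner run: two reads, one form POST."""
    server, log = start_recorder()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    fake_scan = [("GET", "/", None),
                 ("GET", "/login?user=a", None),
                 ("POST", "/login", b"user=a&pass=b")]
    for method, path, data in fake_scan:
        with urlopen(Request(base + path, data=data, method=method)) as resp:
            resp.read()
    server.shutdown()
    server.server_close()
    return summarize(log)


if __name__ == "__main__":
    counts, flagged = demo()
    print(counts)   # {'read-only': 2, 'state-changing': 1}
    print(flagged)  # [('POST', '/login')]
```

To use it for real, call `start_recorder(8080)` (or any free port), leave the process running, and point the w3af profile at that URL; when the scan finishes, `summarize(log)` gives the counts and the flagged requests. Anything in the flagged list is a request the profile would have sent to the affiliate's production site with the potential to change data there.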