Required reading: Understanding the basics

Finding SQL injections and Cross-Site Scriptings is one of the most common tasks performed by w3af users, so lets explain how to do it. First you’ll have to start w3af’s GUI, from the command line run “w3af_gui” and you should see the main window:

The first step is to set the target URL to the web application you want to scan, this example we’ll use “http://target.tld/”
Next, you need to configure w3af to use a set of crawl plugins in order to identify the links and forms where the vulnerabilities might be located. In order to keep this example simple, we’ll just enable the web_spider plugin. To achieve this click on “crawl” on the Plugin tree, scroll down and enable web_spider:

w3af can now identify all inputs, but it won’t identify Cross-Site Scriptings and SQL injections unless we instruct it to by enabling the corresponding audit plugins.¬†In this case the plugins are xss and sqli. Also in the plugin tree, open the audit plugin branch and enable the plugins.

Before starting the scan you can save the current settings to a profile¬†which will help you repeat this scan in a next run, or customize it with advanced settings. On the profile list right-click over empty_profile, which should be in bold letters indicating that changes have been made to it, and select “Save configuration to a new profile”. Complete the required information and you should see a new profile in the list.

Now we’re ready to start the scan! In the main menu find the play icon and click it, it will start the scan with the current configuration.

After starting the scan w3af will change it’s tab to the “Log” where you’ll be able to see what’s going on in the framework. At any point you can switch to the “Results” tab and browse through the Knowledge Base tree. When you click on a vulnerability you’ll be able to see the following information:

  • Vulnerability description
  • HTTP request and response associated with the vulnerability
  • Highlighted section in the HTTP response that was used to identify the vulnerability

Congratulations! You’ve completed your first w3af scan and identified important vulnerabilities in your web application.