A feature request has come up on our IRC channel, in private conversations and on the mailing lists once every year or so: “I want to be able to detect if my site is spreading malware”. Last week it appeared again and this time it was implemented, so for your enjoyment I give you w3af – ClamAV integration.
The basic idea is simple: w3af crawls the target site and sends all HTTP response bodies to ClamAV (using the clam daemon) for analysis. If ClamAV finds something in that stream, we’ll parse the result and show it to you in the report.
Testing
Before this gets to the master branch I would like you to test it and report any bugs or improvements. Follow these steps to help us improve:
git clone git@github.com:andresriancho/w3af.git
cd w3af
git checkout feature/clam
git pull
./w3af_console # Install the new clamd dependency using pip
# Install clamd on your system (this is for Ubuntu):
sudo apt-get install clamav-daemon clamav-freshclam clamav-unofficial-sigs
sudo freshclam
sudo service clamav-daemon start
Then, run a scan against your site using the new grep.clamav plugin. Remember that for the grep plugin to analyze your site, you need to activate a crawl plugin like web_spider.
If you want to test with something “real”, remember you can use the EICAR test binary. Happy testing!
Implementation
The implementation of this new plugin was fairly simple due to the excellent clamd python module and the pre-existing features available in the w3af framework.
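To show what happens on the wire when a response body is handed to the clam daemon, here is an added example (not the plugin's code, and not part of the original post) that speaks clamd's INSTREAM command directly over the Unix socket instead of going through the clamd module. The function names and the Ubuntu default socket path are assumptions; any reply other than OK is reported, so a body the daemon refused to scan is never counted as clean.

```python
import socket
import struct

CHUNK = 8192  # assumption: chunk size, must stay below clamd's StreamMaxLength


def instream_frames(body, chunk=CHUNK):
    """Yield the pieces of one INSTREAM request for a response body."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    for i in range(0, len(body), chunk):
        part = body[i:i + chunk]
        yield struct.pack("!I", len(part)) + part  # 4-byte big-endian length
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream


def parse_reply(raw):
    """Turn a clamd reply into (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])  # detail = signature name
    if verdict == "OK":
        return ("OK", None)
    return ("ERROR", text)  # e.g. the stream size limit was exceeded


def scan_body(sock, body):
    """Send one body over a connected socket and read the verdict."""
    for frame in instream_frames(body):
        sock.sendall(frame)
    raw = b""
    while not raw.endswith(b"\0"):
        data = sock.recv(4096)
        if not data:  # daemon closed the connection early
            break
        raw += data
    return parse_reply(raw)


def scan_responses(responses, socket_path="/var/run/clamav/clamd.ctl"):
    """responses: iterable of (url, body_bytes) pairs from a crawl.
    socket_path is an assumption (Ubuntu's default LocalSocket)."""
    findings = []
    for url, body in responses:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(socket_path)
            status, detail = scan_body(s, body)
        if status != "OK":  # keep ERROR too: unscanned is not clean
            findings.append((url, status, detail))
    return findings
```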
About the Author:
Web Application Security Innovator, Researcher and Entrepreneur. Python Hacker.