W3af tutorial: How to use w3af for a Web application security scan


When it comes to Web application vulnerabilities, problems such as SQL injection (SQLi) and cross-site scripting (XSS) are seemingly omnipresent in modern Web apps. The Open Web Application Security Project's (OWASP) Top 10 list of Web app vulnerabilities has been around for many years, yet the issues on the list change little from version to version. Technologies such as HTML5 bring their own security concerns, opening up new avenues of attack that must be closed. How can organizations battling SQLi, XSS and other attacks go about securing their Web apps? The free and open source security framework w3af may help budget-strapped organizations find and fix these vexing security holes.

In this SearchSecurity screencast, Keith Barker, a Certified Information Systems Security Professional (CISSP) and trainer for CBT Nuggets LLC, provides a w3af tutorial, showing how w3af's many plug-ins can be used to conduct a thorough Web application security scan. First, Keith details some of the categories of plug-ins available through w3af, including discovery, audit and attack. The existing plug-ins work together, so information gathered by the discovery plug-ins is passed on to the audit plug-ins, and new plug-ins can be written for specific needs.

Then, Keith shows how different plug-ins can be combined into profiles, which can be saved if an organization would like to run the same scans again. Prebuilt profiles, including one specifically for the vulnerabilities listed in the OWASP Top 10, are also included in w3af for those organizations that want to hit the ground running. Once w3af completes a Web app security scan, IT teams can comb through the details it provides on possible vulnerabilities and determine which need to be investigated further. For organizations seeking to secure their Web applications, w3af can serve as a powerful vulnerability scanner.
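As an added illustration of the discovery-to-audit pipeline and the reusable-profile idea described above (not code from the screencast or from the w3af project), here is a w3af console script that enables a crawling plug-in, hands what it finds to the SQLi and XSS audit plug-ins, and writes a report. It assumes the newer console naming in which the discovery category is called "crawl", and uses a placeholder target host that must be replaced with a system you are authorized to test.

```text
# Run with: w3af_console -s scan.w3af   (assumed file name)
plugins
# Output plug-ins: console plus a text report for the team to review later
output console,text_file
output config text_file
set output_file w3af-report.txt
set verbose False
back
# Discovery ("crawl" in current w3af): spider the site to find URLs and forms
crawl web_spider
crawl config web_spider
set only_forward True
back
# Audit plug-ins receive the discovered requests and test them for SQLi and XSS
audit sqli,xss
back
# Target: placeholder, replace with an authorized test host
target
set target http://webapp.example.invalid/
back
# Save this configuration as a profile so the same scan can be repeated
profiles
save_as owasp_sqli_xss_baseline
back
start
```

Findings written to the report are candidates only and still need the manual triage the article mentions before they are treated as confirmed vulnerabilities.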

Great article! For me, one of the most effective application security controls is input validation, which checks the user input to determine if the data is valid. Input validation should be used as a first (and not the only) line of defense and is particularly effective against various injection attacks. SQL Injection, Code Injection, Command Injection and Cross-Site Scripting can be effectively mitigated. Here is a great article on how to validate all the input to an application before using it - http://blog.securityinnovation.com/blog/2013/11/getting-defensive-with-coding-validating-input.html.