The sys admin’s daily grind: w3af

Braving the Gap

Article from Issue 137/2012

After toiling away to create a small but exclusive website, Charly wanted to run a security scanner against it to check for vulnerabilities. The choice of tools is enormous, but Charly chose w3af.

Penetration testing is really a task for specialists who are familiar with the tools of the trade, understand potential vulnerabilities and attack vectors, and test them on a case-by-case basis. The basic principle is not to fire a broadside at the target but carefully to identify the weak points and select an attack method to match. Suitable tools certainly are not lacking, and Metasploit and OpenVAS are totally over the top if you just want to check whether your new website contains any bugs that expose it to cross-site scripting or SQL injection. For performing a small check, I prefer to use the Web Application Attack and Audit Framework (w3af).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column

    From time to time, sys admin Charly has to leave the beaten track and concern himself with topics outside of his core competency range. When this happens, it's good to have the right tools on hand.

  • Charly's Column

    Charly often gets suggestions and ideas for his column at community get-togethers. Last week, he picked up a tip for an early warning system that quickly secures login attempts.

  • Charly's Column

    Conventional, woodpecker-style port knocking is open to sniffing and brute force knocking attacks. Sending an encrypted packet with an access request to the server is safer and more modern. Learn more about Firewall Knock Operator, a.k.a. Fwknop.

  • Charly's Column: Metasploitable

    If you mess around with a pen-testing tool on your own network, you might survive the consequences, but chances are you'll take the prize for outstanding recklessness. Charly has some advice: Use Metasploitable, perhaps the most broken Linux ever.

  • Charly's Column

    Users log on to services such as SSH, ftp, SASL, POP3, IMAP, Apache htaccess, and many more using their names and passwords. These popular access mechanisms are a potential target for brute-force attacks. An attentive bouncer will keep dictionary attacks at bay.

comments powered by Disqus

Direct Download

Read full article as PDF:

069-069_charly.pdf (886.59 kB)


njobs Europe
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia