The sys admin’s daily grind: w3af

Braving the Gap

Article from Issue 137/2012
Author(s):

After toiling away to create a small but exclusive website, Charly wanted to run a security scanner against it to check for vulnerabilities. The choice of tools is enormous, but Charly chose w3af.

Penetration testing is really a task for specialists who are familiar with the tools of the trade, understand potential vulnerabilities and attack vectors, and test them on a case-by-case basis. The basic principle is not to fire a broadside at the target but carefully to identify the weak points and select an attack method to match. Suitable tools certainly are not lacking, and Metasploit and OpenVAS are totally over the top if you just want to check whether your new website contains any bugs that expose it to cross-site scripting or SQL injection. For performing a small check, I prefer to use the Web Application Attack and Audit Framework (w3af).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column: Glastopf

    Good traps catch mice, and honeypots catch malicious scripts. Sys admin Charly resorts to a honeypot in this issue, which, although difficult to install, is easy to manage.

    more »
  • Charly's Column

    Charly often gets suggestions and ideas for his column at community get-togethers. Last week, he picked up a tip for an early warning system that quickly secures login attempts.

    more »
  • Charly's Column

    Conventional, woodpecker-style port knocking is open to sniffing and brute force knocking attacks. Sending an encrypted packet with an access request to the server is safer and more modern. Learn more about Firewall Knock Operator, a.k.a. Fwknop.

    more »
  • The sys admin's daily grind: ntpviz

    The Network Time Protocol allows admins to keep time on their computers. Due to the way the system works, this timekeeping is only moderately successful. Charly uses the ntpviz statistics tool to visualize time fluctuation.

    more »
  • Charly's Column – TLS Interposer

    Many of the recent Linux exploits are the result of vulnerabilities in SSL libraries. TLS Interposer can help calm the waves.

    more »
comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News

Tag Cloud

Administration Community Events Hardware Linux Linux Pro Magazine Mobile Programming Security Software Ubuntu Web Development Windows free software open source