[WEB SECURITY] [TOOL] w3af 1.0-stable released!

Andres Riancho andres.riancho at gmail.com
Wed May 25 09:46:43 EDT 2011


    Since our latest w3af release in mid January, and our new windows
installer release a couple of months ago, we've got lots of
encouraging words telling us we are going in the right direction. The
objective was near and we could almost taste it. Having a stable
code-base is no joke, it requires countless hours of writing
unit-tests, running w3af scripts and most importantly: fixing bugs.
Now, finally we're here!

    In this latest release, we bring you a couple of the most
important improvements of our framework:

        * Stable code base, an improvement that will reduce your w3af
crashes to a minimum. We've been working on fixing all of our
long-standing bugs, wrote thousands of lines of doctests and various
types of automation to make sure we can also keep improving without
breaking other sections of the code.

        * Auto-Update, which will allow you to keep your w3af
installation updated without any effort. Always get the latest and
greatest from our contributors!

        * Web Application Payloads, for people that enjoy exploitation
techniques, this is one of the most interesting things you'll see in
web application security! We created various layers of abstraction
around an exploited vulnerability in order to be able to write
payloads that use emulated syscalls to read, write and execute files
on the compromised web server. Keep an eye on the rapid7 community
blog an entry completely dedicated to this subject!

        * PHP static code analyzer, as part of a couple of experiments
and research projects, Javier Andalia created a PHP static code
analyzer that performs tainted mode analysis of PHP code in order to
identify SQL injections, OS Commanding and Remote File Includes. At
this time you can use this very interesting feature as a web
application payload. After exploiting a vulnerability try: "payload
php_sca", that will download the remote PHP code to your box and
analyze it to find more vulnerabilities!

And many others, such as:

        * Refactoring of HTTP cache and GTK user interface code to
store HTTP requests only once on disk (5% performance improvement)
        * Performance improvement in sqlite database by using indexes
(1% performance improvement)
        * Huge w3af code-base refactoring on how URLs are handled.
Moved away from handling URLs as strings into a url_object model. This
reduces the number of times a URL is parsed into its component pieces
(protocol, domain, path, query string, etc.) and put back together
into a string, which clarifies the code and makes it run faster.

We have a stable release, w0000t! Hmmmm.... have we finished? Should
we go home? No! We still have work to do; there are still features and
capabilities we'd like to add. For example,as you read this, we're
working on integrating the multiprocessing module into w3af's code,
with the objective of using more than one CPU core at the same time
and substantially improve our scanning speed. We're also working on
handling of encodings by the use of unicode strings across the whole
framework, and making the user experience more intuitive in the UI.

As usual, you can get our latest installable packages from the
w3af.com [0] website! Just download and enjoy our latest improvements!

[0] http://w3af.sourceforge.net/#download

Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

More information about the websecurity mailing list