W3af S. Qi,X. Ma,Y. Zhang,B Zhao,Y Zhu EC521 Fall 2014

S. Qi,X. Ma,Y. Zhang,B Zhao,Y Zhu

EC521 Fall 2014

w3af 09/24/14

Outline

Install w3af Target web application Some attempts: SQLI, XSS Source Code demystified Future plan

w3af 09/24/14

Install w3af

Source: http://w3af.org/download

w3af 09/24/14

Install w3af

w3af 09/24/14

Install w3af

Because we are Unix users, we don't need to install Python

Input the code: sudo easy_install pip

w3af 09/24/14

Install w3af Input code: /var/folders/jt/4f04_j4x669fh26qd614v8cc0000gn/T/w3af_dependency_install.sh

w3af 09/24/14

Install w3af - Problems

We can’t use the code: ./w3af_gui PyGTK and GTK

w3af 09/24/14

Install Web AppTHE APP WE NEED TO SETUP:MAMP:Mac Apache-MySQL-PHP

w3af 09/24/14

Install Web App Download and setup

Download our testing web server JobTracker save it in a new fold named ‘project’

Create the JobTracker Database

Then we can check the infos in JobTracker Database

w3af 09/24/14

Install Web App

Just change the Document Root and click start server then we can connect to our local web server.

w3af 09/24/14

Install Web App

It is the web application we will use to test w3af

It is written in php

It is barely protected while it was written

w3af 09/24/14

Attempts: SQLI Examine main components: plugins, profile, http-settings

w3af 09/24/14

Attempts: SQLI Built-in profiles; create new profile

w3af 09/24/14

Attempts: SQLI Built-in plugins; create new or new pattern to existing one

w3af 09/24/14

Attempts: SQLI

w3af 09/24/14

Attempts: SQLI

w3af 09/24/14

Code Study

Structure

w3af 09/24/14

Code Study

Controllers Thread pool, plug-in manager,

Data Parsers, DB connector, Http request handler

UI GUI

w3af 09/24/14

Code Study

Handle different kind of attacks(attack/audit/evasion/grep)

Login (brute force, auth)

Crawl the websites(crawl)

Handle the output, test(output/test)

w3af 09/24/14

Code StudyTest(1) Test the plug-ins

Test the Specific Websites with Specific Method

w3af 09/24/14

Code StudyTest(2) Example

w3af 09/24/14

Code StudyExtensibility

1 Write Plug-ins

2 Put Plug-ins in core

3 Test Plug-ins

4 Test in the websites

w3af 09/24/14

Conclusion

What we have achieved:

Setup and Run

Choose experiment web apps( JobTracker, WAMP)

Collect results

Understanding of architecture and core source

w3af 09/24/14

Future Plan

What we will do:

Cross-Site Scripting(XSS) or Cross-Site Request Forgery(CSRF)

Paper study

Deep understanding of architecture and core source

Comparison(with OpenVAS)

Make the Tutorial!

Photonics Presentation 09/24/14

W3af S. Qi,X. Ma,Y. Zhang,B Zhao,Y Zhu EC521 Fall 2014

Documents

Zhu, R.-Z., Lai, S.-C., Qin, J.-F., Zhao, S.-W., and Santosh, M., 2019, … · 2019-05-03 · Zhu, R.-Z., Lai, S.-C., Qin, J.-F., Zhao, S.-W., and Santosh, M., 2019, Petrogenesis

New Measurements of Bremsstrahlung Radiation from SECRAL · Zhao Huanyu, Zhang Wenhui, Cao yun, Zhao Hongwei, Lu Wang, Zhang Xuezhen, Zhu Yuhua, Li Xixia, and Xie Dan Zuqi Institute

w3af User Guide - noblogs.org · Introduction This document is a user guide for the Web Application Attack and Audit Framework ( w3af ), its goal is to provide a basic overview of

Cyber Security Tool - W3af

Jinying Zhao, MD, PhD Vitae.pdf4. Yun Zhu, PhD (2019 –2020 ) Research Assistant Scientist, Department of Epidemiology, UF PHHP & COM . MS, MPH Students (Academic Advisor, partial

Driver2Vec: Discovering Driver Signatures in Automotive ...web.stanford.edu/class/cs341/project/Zhao-Zhu-Yang_report.pdf · Haar wavelet, TCN, triplet loss and LightGBM. This sec-tion

Status of CEPC Detector magnet Zhao Ling, Zhu Zian, Wang Meifen, Hou Zhilong, Zhang Guoqing, Ning Feipeng, Yang Huan, Liu Zhongxiu, Zhao Wei, Yao Weichao

MEDIATED FRUIT THINNING IN APPLE ( Borkh Hong Zhu … › bitstream › handle › ...Bingyu Zhao December 6, 2010 Winchester, Virginia Keywords: Apple, Abscission, Hormone, Sugar,

Current reality in XIGUAN Region By Shi Zhao Hui & Zhu Jin Fang

Web Application Security: SQL Injection, Cross Site ... fileRico van Endern: w3af w3af - Demo 2/ 21 Inhaltsverzeichnis 1 Einleitung 2 w3af - De nition 3 SQL-Injektion De nition Angri

Gang Wang, Christo Wilson, Xiaohan Zhao, Yibo Zhu, Manish Mohanlal, Haitao Zheng and Ben Y. Zhao Computer Science Department, UC Santa Barbara Serf and

Modality-Dependent Cross-Media Retrieval · 57 Modality-Dependent Cross-Media Retrieval YUNCHAO WEI, YAO ZHAO, ZHENFENG ZHU, SHIKUI WEI, and YANHUI XIAO, Beijing Jiaotong University

Demystifying 60GHz Outdoor Picocells · Demystifying 60GHz Outdoor Picocells Yibo Zhu, Zengbin Zhang, Zhinus Marzi, Chris Nelson, Upamanyu Madhow, Ben Y. Zhao and Haitao Zheng University

Group 56 Zhimeng, Han 019958 Hui, Liu 020533 Rui, Zhao 025142 Jinyi, Zhou 024561 Siying Zhu 018275 References Apple, 2012. [Online]. Available at: [Accessed

REVIEW Open Access ......crowdsourcing, and crowdsourcing via a broker. Zhao and Zhu (2014) contributed a review study on crowdsourcing within Informa- tion Systems discipline and

Spatial and Temporal Dimensions of Urban Expansion in ChinaSpatial and Temporal Dimensions of Urban Expansion in China Shuqing Zhao,*,† Decheng Zhou,† Chao Zhu,† Yan Sun,†

w3af Users Guide

A Provable Generalized Tensor Spectral Method for Uniform ... · Consistency of spectral clustering [Rohe, Chatterjee & Yu ' 11] Consistency of max modularity [Zhao, Levina & Zhu

w3af User Guide - the-eye.euthe-eye.eu/public/Site-Dumps/index-of/index-of.co.uk/INFOSEC/w3af...Introduction This document is the users guide for the Web Application Attack and Audit

Fast Algorithms for Time Series with applications to Finance, Physics, Music and other Suspects Dennis Shasha Joint work with Yunyue Zhu, Xiaojian Zhao,