5

I've been messing around with DVWA (Damn vulnerable web application) and w3af. I've been scanning DVWA with w3af, and have used the spiderMan proxy and http config to setup auth credentials to get past the login screen of DVWA, but w3af still doesn't seem to be finding any sql injection anywhere (which is guaranteed).

I've seen a few vague tutorials online showing it to be trivial, but even when tweaking my setup in a few ways I still have yet to see it detect SQLi.

Anyone have an suggestions or ideas as to why this may be an issue?

Thanks in advance!

DJSunny
  • 413
  • 4
  • 9

2 Answers2

4

You need to configure w3af not to spider the logout link.

lisa17
  • 1,968
  • 7
  • 21
  • 43
2

w3af is an awful vulnerability scanner and in general a very primitive attack platform. I tried porting one of my WAF bypasses and I was unable to because it isn't designed very well.

You will have better results with Wapiti or Skipfish. For automated exploitation sqlmap is the tool to use. Sqlmap is a fantastic tool. It has much better WAF bypass support than w3af and supports a wider verity of databases. sqlmap is the tool that I use for leveraging flaws in a pentest.

If you want to test real applications that are very insecure you would download the Vulnerable_blog and Vulnerable_shop found here.

rook
  • 47,004
  • 10
  • 94
  • 182
  • I'm mainly just trying to use w3af to point out places to look deeper, at which point I have been using sqlmap for instance. I haven't yet checked out Wapiti or Skipfish yet though, so I will take a look. In terms of a general scanner to just survey and report possibly weaknesses what's your best recommendation? (something that can get past a login screen with provided credentials is pretty key in my situation). Thanks for the reply! – DJSunny Feb 24 '12 at 16:36
  • 1
    @csjohn Well in terms of free and open source scanners wapiti and skipfish are the best, and they both have their own strengths and weaknesses. But by far my favorite scanner is the one I built: https://sitewat.ch/ – rook Feb 24 '12 at 16:39
  • @csjhon check out Arachni (arachni-scanner.com) , it's a decent vulnerability scanner written in ruby with a web interface. I use it with w3af (which is not that bad) and Skipfish. SQLmap is a SQL injection exploitation tool. It is not a web vulnerability scanner and it will only help you find and exploit SQL injection issues. – lisa17 Apr 04 '12 at 20:16
  • @csjohn for more open source web scanning tools check out my answer here: http://security.stackexchange.com/a/13487/4508 – lisa17 Apr 06 '12 at 14:28