Web Application Vulnerability Scanners: W3AF – 12.10 xUbuntu Installation

I have been interested in the Web Application Attack and Audit Framework (W3AF) since I first heard about it last summer, 2012. It was unfortunately not the most straightforward installation; it contains a number of dependencies and was not something I was willing to invest in. I was also a bit more of a novice than I am today and didn’t completely understand what I was doing or needed to do. Today things are a bit different, and this evening I decided to take another stab at it.

Note: If you run BackTrack 3.0 you’ll find it prepackaged, not sure about earlier versions, so just skip this entire post.

My biggest challenge was that I was trying to install it on a xUbuntu NIX distribution. If you’re not familiar with it, it’s a child of the Ubuntu family, as implied by the name, but it’s lightweight. By lightweight I mean that it comes with the bare necessities only; if you want something on the box you have to install it, and that includes all its dependencies. That’s perhaps where I ran into the most issues. Most of the documentation you find, including what w3af says once installed, states that python 2.6 is required. That, fortunately, is not the case. You can definitely get it running with 2.7, and that’s what I’ll provide here.

You can try running it on python 2.6 but you’re likely going to run into an issue installing pybloomfiltermmap, well at least getting the app to recognize it, so best of luck. After messing with it for hours, python 2.7 worked flawlessly and it’s what I would recommend.

So, if you’re running a clean box with minimal components then this will be the post for you. If you run into issues on a more complete install, like Ubuntu, you can always reference this post as it’ll likely help.

Installation and Configuration

If you visit the download page of w3af you’ll see something like this:

If you’re a Linux, BSD or Mac user we recommend you download the source from our GitHub repository:

    git clone https://github.com/andresriancho/w3af.git
    cd w3af
    ./w3af_gui

That unfortunately is a highly simplistic explanation of the process. :) There will be a few more things you need to do.

Make sure you install git

$ sudo apt-get install git

You’re also going to want to install the Python installer, pip

$ sudo apt-get install python-pip python-dev build-essential 
$ sudo pip install --upgrade pip 
$ sudo pip install --upgrade virtualenv 

You will now need to install all the following:

$ sudo apt-get install python2.7
$ sudo pip install fpconst
$ sudo pip install nltk
$ sudo pip install SOAPpy
$ sudo pip install pyPdf
$ sudo apt-get install libxml2-dev
$ sudo apt-get install libxslt-dev
$ sudo pip install lxml
$ sudo pip install pyopenssl

Download scapy-latest.tar.gz from here http://www.secdev.org/projects/scapy/ and use pip to install it:

$ sudo pip install scapy-latest.tar.gz   # this threw a few errors but it seemed to do the trick regardless

You can then proceed with the rest of dependencies:

$ sudo apt-get install python-svn
$ sudo pip install pybloomfiltermmap
$ sudo apt-get install graphviz
$ sudo apt-get install libgraphviz-dev
$ sudo apt-get install libgraphviz
$ sudo apt-get install python-gtk2
$ sudo apt-get install python-gtksourceview2 
$ sudo apt-get install python-scapy

If you have gotten this far then you’re doing pretty good. The next steps should be easy enough:

$ git clone https://github.com/andresriancho/w3af.git
$ cd w3af
$ ./w3af_gui

If it works you’ll see something like this:

[Image: Tonyonsecurity - W3AF Splash Page]
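
The scapy step above pulls an archive over plain HTTP and installs it with sudo pip, so the file should be checked against a known digest before pip touches it. The following is an added example, not part of the original post; `PIP_CMD` and the function names are this example's own, and `EXPECTED_SHA256` is a placeholder for a digest obtained from a source you trust.

```shell
#!/bin/sh
# Added example: check a downloaded archive's SHA-256 before pip installs it.
# PIP_CMD is this example's own override hook (default: sudo pip install).

# sha256_of FILE: print the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum < "$1" | awk '{print $1}'
}

# verify_archive FILE EXPECTED: 0 = match, 1 = mismatch, 2 = bad input
verify_archive() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "expected digest must be 64 hex characters" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ] && return 0
    echo "digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_verified FILE EXPECTED: run pip only when the digest matches
install_verified() {
    verify_archive "$1" "$2" || return $?
    ${PIP_CMD:-sudo pip install} "$1"
}

# Constructed demo: a stand-in file, not the real scapy download.
demo=$(mktemp)
printf 'constructed sample archive\n' > "$demo"
good=$(sha256_of "$demo")
verify_archive "$demo" "$good" && echo "match: install would proceed"
printf 'tampered\n' >> "$demo"
verify_archive "$demo" "$good" || echo "mismatch: install refused"
rm -f "$demo"

# Real use (EXPECTED_SHA256 is a placeholder for a digest you trust):
#   install_verified scapy-latest.tar.gz "$EXPECTED_SHA256"
```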

8 Comments

  1. Mario Peshev on January 28, 2013 at 5:15 pm

    That’s a surprise, it used to work out of the box on my Fedora and BackTrack distros back in 2011. Truly, it’s a great and useful vulnerability scanner.

    • perezbox on January 28, 2013 at 5:58 pm

      Still works on BackTrack out of the box. Not sure about Fedora, but remember I’m running a very clean box with nothing but the essentials. Amazing what you forget you need.

  2. perezbox on January 30, 2013 at 5:12 pm

    This is a test

  3. disqus_4uvVjho7HU on April 19, 2013 at 12:45 pm

    First of all I wanted to thank you for the very informative article. I’m relatively new to Linux and was looking to get w3af installed to test some of the web applications my company builds. I was able to get through most of the installation thanks to your instructions, but I’m getting some errors that I was hoping you could help with. When trying to run the w3af installation I get the following:

    Your python installation needs the following modules to run w3af:
    github git.util esmre phply pdfminer concurrent.futures guess_language cluster msgpack ntlm

    After installing any missing operating system packages, use pip to install the remaining modules:
    sudo pip install PyGithub GitPython esmre pdfminer futures guess-language cluster msgpack-python python-ntlm
    sudo pip install -e git+git://github.com/ramen/phply.git#egg=phply

    When I try running the first command (sudo pip install PyGithub GitPython esmre pdfminer futures guess-language cluster msgpack-python python-ntlm) I get the following:

    Downloading PyGithub-1.13.1.tar.gz (1.7MB): 1.7MB downloaded
    Exception:
    Traceback (most recent call last):
      File "/usr/local/lib/python2.7/dist-packages/pip/basecommand.py", line 139, in main
        status = self.run(options, args)
      File "/usr/local/lib/python2.7/dist-packages/pip/commands/install.py", line 266, in run
        requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
      File "/usr/local/lib/python2.7/dist-packages/pip/req.py", line 1033, in prepare_files
        self.unpack_url(url, location, self.is_download)
      File "/usr/local/lib/python2.7/dist-packages/pip/req.py", line 1161, in unpack_url
        retval = unpack_http_url(link, location, self.download_cache, self.download_dir)
      File "/usr/local/lib/python2.7/dist-packages/pip/download.py", line 554, in unpack_http_url
        download_hash = _download_url(resp, link, temp_location)
      File "/usr/local/lib/python2.7/dist-packages/pip/download.py", line 458, in _download_url
        chunk = resp.read(4096)
      File "/usr/lib/python2.7/socket.py", line 380, in read
        data = self._sock.recv(left)
      File "/usr/lib/python2.7/httplib.py", line 561, in read
        s = self.fp.read(amt)
      File "/usr/lib/python2.7/socket.py", line 380, in read
        data = self._sock.recv(left)
      File "/usr/lib/python2.7/ssl.py", line 241, in recv
        return self.read(buflen)
      File "/usr/lib/python2.7/ssl.py", line 160, in read
        return self._sslobj.read(len)
    SSLError: The read operation timed out

    Any help would be greatly appreciated.

  4. Alexander G. Riccio on July 15, 2013 at 11:03 pm

    Thanks! This saved me several hours of fiddling/swearing at my keyboard.

  5. Aleks on July 21, 2013 at 6:55 pm

    “Thanks! This saved me several hours of fiddling/swearing at my keyboard.”

    Damn right, thanks buddy

  6. Joseph Spenner on July 14, 2015 at 3:00 pm

    Great instructions, and it works! I’ve struggled with the “overly simplistic” instructions as well (Has this EVER worked for anyone?). It’s too bad the ‘apt-get install w3f’ doesn’t work, either. The command works, and ~something~ gets installed, but nothing functional.

    Thanks!

  7. Joseph Spenner on September 1, 2015 at 7:51 am

    After a few attempts to install, I found a few updates to the instructions worth mentioning:

    1) scapy is a zip file. So, it needs to be downloaded:
    http://www.secdev.org/projects/scapy/scapy-x.y.z.zip
    Then installed:
    pip install scapy-x.y.z.zip

    2) Fails:
    pip install pybloomfiltermmap
    need:
    apt-get install libssl-dev

    3) Fails:
    ./w3af_dependency_install.sh
    need:
    apt-get install libffi-dev

    Hope this helps some people!
