A quick and easy web scanner and analyzer tool.

You can see the usages with the help command:

```
fwa --help
```

In development mode, install deps with `poetry install`, then use with `poetry run fwa`.
Record a new session:

```
fwa record <session name>
```

It starts a proxy on 127.0.0.1:8080. By default, the session runs in interactive mode; you can stop it with Ctrl+C. If the session runs in background mode (`--background` flag), you can stop it with:

```
fwa stop-record
```
To replay the session:

```
fwa replay <session name>
```

To fuzz a session:

```
fwa fuzz <session name>
```

Options:

| Option | Description | Default |
|---|---|---|
| `--payload-file TEXT` | The csv payload in the form `<payload>,<payload_type>` | `payloads.csv` |
| `--cookies` / `--no-cookies` | If set, fuzz the cookies | `no-cookies` |
| `--querystring` / `--no-querystring` | If set, fuzz the params in the query string | `no-querystring` |
| `--body` / `--no-body` | If set, fuzz the params in the body | `no-body` |
| `--headers` / `--no-headers` | If set, fuzz the headers | `no-headers` |
Analyze a session and generate a csv:

```
fwa analyze <session name>
```

Arguments:

- `session_name` (required): the base session name.
- `fuzz_session_name` (optional, default empty): the fuzzing session name.
- `payload_file` (optional, default `payloads.csv`): the csv payload in the form `<payload>,<payload_type>`.

Options:

- `analyzers` (default empty): the analyzers' folder.
- `output` (default `observations.csv`): the file where detected observations are written.
The oracle command receives the observations file and detects vulnerabilities through the "oracle":

```
fwa oracle <observation file>
```
To run the OWASP benchmark:

- Run `fwa list` to initialize the project.
- Copy the OWASP sessions located in the `tests/owasp` folder into the `~/.fwa/sessions` folder:

  ```
  cp tests/owasp/* ~/.fwa/sessions
  ```

- Run the OWASP benchmark:

  ```
  cd tests/owasp/vm
  make run-benchmark
  ```

- Set up the `fwa` recorder so that it intercepts only the required requests. For example, for XSS:

  ```
  fwa record https://localhost:8443/benchmark/xss owasp-xss
  ```

- Run the `BenchmarkUtils` script:

  ```
  bash runCrawler.sh 127.0.0.1 8080
  ```

You can check whether all the requests were properly acquired with the `list_entries.py` script:

```
python list_entries.py ~/.fwa/sessions/owasp-lfi.har
=> The file contains 268 entries
```

This is the expected count according to https://owasp.org/www-project-benchmark/.
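As an added example (not part of the fwa project), the following script goes one step beyond `list_entries.py`: besides counting the entries of a recorded session it reports the HTTP methods used and flags any request that falls outside the URL prefix passed to `fwa record`, which helps confirm the recorder intercepted only the benchmark traffic. It assumes the session file is a standard HAR 1.2 document and embeds a constructed sample so it runs offline.

```python
import json
import sys
from collections import Counter
from urllib.parse import urlparse

# Constructed sample HAR (not a real recording): two in-scope XSS benchmark
# requests plus one request the crawler's browser made outside the scope.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://localhost:8443/benchmark/xss-00/BenchmarkTest00001?x=1"}},
    {"request": {"method": "POST",
                 "url": "https://localhost:8443/benchmark/xss-00/BenchmarkTest00002"}},
    {"request": {"method": "GET", "url": "https://localhost:8443/favicon.ico"}},
]}})


def summarize_session(har_text: str, scope_prefix: str) -> dict:
    """Count HAR entries and methods, and list URLs outside scope_prefix.
    scope_prefix is the URL prefix given to `fwa record`; only scheme, host,
    port and path are compared, so query strings never affect the decision.
    Assumes a standard HAR 1.2 layout: log.entries[].request.{method,url}.
    """
    entries = json.loads(har_text)["log"]["entries"]
    scope = urlparse(scope_prefix)
    methods = Counter()
    out_of_scope = []
    for entry in entries:
        req = entry["request"]
        methods[req["method"]] += 1
        u = urlparse(req["url"])
        in_scope = (u.scheme, u.netloc) == (scope.scheme, scope.netloc) \
            and u.path.startswith(scope.path)
        if not in_scope:
            out_of_scope.append(req["url"])
    return {"total": len(entries), "methods": dict(methods),
            "out_of_scope": out_of_scope}


if __name__ == "__main__":
    # Usage: python har_scope_check.py <session.har> <scope prefix>; with no
    # arguments the constructed sample above is analyzed instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, prefix = fh.read(), sys.argv[2]
    else:
        text, prefix = SAMPLE_HAR, "https://localhost:8443/benchmark/xss"
    report = summarize_session(text, prefix)
    print(f"The file contains {report['total']} entries, {report['methods']}")
    for url in report["out_of_scope"]:
        print(f"Out of scope: {url}")
```

A non-empty out-of-scope list means the recorder captured traffic the benchmark crawler did not intend, so the session should be re-recorded with a tighter prefix before fuzzing.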
The source code is developed using poetry and typer.

To manage the CI flow, we use git flow to develop the software. Features must be merged into the `develop` branch.

To start:

- Initialize:

  ```
  git flow feature start analyzer-module
  ```

- Commit the changes:

  ```
  git add -A; git commit -am "<msg>"
  ```

- Finish:

  ```
  git flow feature finish analyzer-module
  ```

A new release creates a release branch from the `develop` one:

- Update the version in the `pyproject.toml`
- Run `git flow release start <version>`
- Run `git flow release publish <release>`