Vulnerabilities / Threats
8/2/2010
05:46 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Metasploit To Get More Powerful Web Attack Features

Rapid7 sponsors open-source w3af Web assessment and exploit project

A popular open-source Web application attack and audit framework is now under the umbrella of Rapid7, the vulnerability management company that purchased the Metasploit Project last year. The w3af project ultimately will bring more Web security features and functions to both the Metasploit tool and Rapid7's commercial NeXpose product.

Click here for more of Dark Reading's Black Hat articles.

The open-source Metasploit penetration-testing tool currently has exploits for a handful of Web application bugs, as well as a few for generic Web flaws that affect multiple applications, says HD Moore, chief architect of Metasploit and chief security officer at Rapid7. But the goal is to expand Metasploit with more integrated Web flaw detection and attack features.

"Where we are moving to is toward dynamic detection and exploitation of vulnerabilities in custom applications and in known-vulnerable applications installed in nonstandard directories," Moore says. "So [we're] combining [Web] crawling with scanning to find vulnerable applications and then apply 'generic' Web application exploit modules against those to get access.

"The WMAP [plug-in] code in Metasploit is a good start, but we are looking at making the entire process much smoother."

Last week at Black Hat USA Rapid7 announced it had launched a new open-source initiative for Web security called the Worldwide Center of Excellence (COE). As part of the COE, Rapid7 is now sponsoring and partnering with the open-source Web application attack and audit framework w3af, and has hired its founder, Andres Riancho, as director of Web security and leader of the open-source Web program. The arrangement is somewhat similar to what Rapid7 did with its purchase of Metasploit -- keeping the open-source framework's creator at the helm of the project as well as hiring him in-house.

The w3af platform includes specific Web tools for specific tasks, such as Web assessments, scanning, and brute-force attacks. It also contains a "fancy UI [user interface]," Moore notes.

Meanwhile, Rapid7's commercial NeXpose product also will benefit from the w3af partnership. Rapid7 plans to enhance its NeXpose Web app scanner's performance and accuracy, as well as expand its vulnerability detection scope and support for client-side technologies, the company said in its announcement of the w3af deal. It also will add full-time developers to the w3af open-source project, while the w3af license and copyright will remain intact as is.

"Rapid7 is leveraging Andres' knowledge of the Web application space to expand the Web application coverage in NeXpose, [but] there aren't any direct code merges at this time," Moore says.

In addition, look for Riancho to play a role in shaping the future Web hacking features of Metasploit. "We plan to expand our coverage of the Web application penetration-testing space in Metasploit, and Andres will be contributing to that process as well," Moore says. Moore says he will release a road map for Metasploit in the next month or two, which will include more details on how it will integrate with w3af.

"Rapid 7 has made a smart move by keeping the momentum they started with Metasploit with w3af. They now have best-of-breed system-level and Web application attack frameworks," says David Maynor, CTO with Errata Security. "It seems like Rapid7 is quickly sounding the death knell for traditional scanner technology."

Meanwhile, as part of Rapid7 Metasploit has been downloaded or updated by more than 740,000 people in the first half of this year, a number the company says is two times the number of participants who did so in the second half of 2009.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2012-2588
Published: 2014-09-19
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

CVE-2012-6659
Published: 2014-09-19
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-3614
Published: 2014-09-19
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

Best of the Web
Dark Reading Radio