Vulnerabilities / Threats
8/2/2010
05:46 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Metasploit To Get More Powerful Web Attack Features

Rapid7 sponsors open-source w3af Web assessment and exploit project

A popular open-source Web application attack and audit framework is now under the umbrella of Rapid7, the vulnerability management company that purchased the Metasploit Project last year. The w3af project ultimately will bring more Web security features and functions to both the Metasploit tool and Rapid7's commercial NeXpose product.

Click here for more of Dark Reading's Black Hat articles.

The open-source Metasploit penetration-testing tool currently has exploits for a handful of Web application bugs, as well as a few for generic Web flaws that affect multiple applications, says HD Moore, chief architect of Metasploit and chief security officer at Rapid7. But the goal is to expand Metasploit with more integrated Web flaw detection and attack features.

"Where we are moving to is toward dynamic detection and exploitation of vulnerabilities in custom applications and in known-vulnerable applications installed in nonstandard directories," Moore says. "So [we're] combining [Web] crawling with scanning to find vulnerable applications and then apply 'generic' Web application exploit modules against those to get access.

"The WMAP [plug-in] code in Metasploit is a good start, but we are looking at making the entire process much smoother."

Last week at Black Hat USA Rapid7 announced it had launched a new open-source initiative for Web security called the Worldwide Center of Excellence (COE). As part of the COE, Rapid7 is now sponsoring and partnering with the open-source Web application attack and audit framework w3af, and has hired its founder, Andres Riancho, as director of Web security and leader of the open-source Web program. The arrangement is somewhat similar to what Rapid7 did with its purchase of Metasploit -- keeping the open-source framework's creator at the helm of the project as well as hiring him in-house.

The w3af platform includes specific Web tools for specific tasks, such as Web assessments, scanning, and brute-force attacks. It also contains a "fancy UI [user interface]," Moore notes.

Meanwhile, Rapid7's commercial NeXpose product also will benefit from the w3af partnership. Rapid7 plans to enhance its NeXpose Web app scanner's performance and accuracy, as well as expand its vulnerability detection scope and support for client-side technologies, the company said in its announcement of the w3af deal. It also will add full-time developers to the w3af open-source project, while the w3af license and copyright will remain intact as is.

"Rapid7 is leveraging Andres' knowledge of the Web application space to expand the Web application coverage in NeXpose, [but] there aren't any direct code merges at this time," Moore says.

In addition, look for Riancho to play a role in shaping the future Web hacking features of Metasploit. "We plan to expand our coverage of the Web application penetration-testing space in Metasploit, and Andres will be contributing to that process as well," Moore says. Moore says he will release a road map for Metasploit in the next month or two, which will include more details on how it will integrate with w3af.

"Rapid 7 has made a smart move by keeping the momentum they started with Metasploit with w3af. They now have best-of-breed system-level and Web application attack frameworks," says David Maynor, CTO with Errata Security. "It seems like Rapid7 is quickly sounding the death knell for traditional scanner technology."

Meanwhile, as part of Rapid7 Metasploit has been downloaded or updated by more than 740,000 people in the first half of this year, a number the company says is two times the number of participants who did so in the second half of 2009.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.