Vulnerabilities / Threats
8/2/2010
05:46 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Metasploit To Get More Powerful Web Attack Features

Rapid7 sponsors open-source w3af Web assessment and exploit project

A popular open-source Web application attack and audit framework is now under the umbrella of Rapid7, the vulnerability management company that purchased the Metasploit Project last year. The w3af project ultimately will bring more Web security features and functions to both the Metasploit tool and Rapid7's commercial NeXpose product.

Click here for more of Dark Reading's Black Hat articles.

The open-source Metasploit penetration-testing tool currently has exploits for a handful of Web application bugs, as well as a few for generic Web flaws that affect multiple applications, says HD Moore, chief architect of Metasploit and chief security officer at Rapid7. But the goal is to expand Metasploit with more integrated Web flaw detection and attack features.

"Where we are moving to is toward dynamic detection and exploitation of vulnerabilities in custom applications and in known-vulnerable applications installed in nonstandard directories," Moore says. "So [we're] combining [Web] crawling with scanning to find vulnerable applications and then apply 'generic' Web application exploit modules against those to get access.

"The WMAP [plug-in] code in Metasploit is a good start, but we are looking at making the entire process much smoother."

Last week at Black Hat USA Rapid7 announced it had launched a new open-source initiative for Web security called the Worldwide Center of Excellence (COE). As part of the COE, Rapid7 is now sponsoring and partnering with the open-source Web application attack and audit framework w3af, and has hired its founder, Andres Riancho, as director of Web security and leader of the open-source Web program. The arrangement is somewhat similar to what Rapid7 did with its purchase of Metasploit -- keeping the open-source framework's creator at the helm of the project as well as hiring him in-house.

The w3af platform includes specific Web tools for specific tasks, such as Web assessments, scanning, and brute-force attacks. It also contains a "fancy UI [user interface]," Moore notes.

Meanwhile, Rapid7's commercial NeXpose product also will benefit from the w3af partnership. Rapid7 plans to enhance its NeXpose Web app scanner's performance and accuracy, as well as expand its vulnerability detection scope and support for client-side technologies, the company said in its announcement of the w3af deal. It also will add full-time developers to the w3af open-source project, while the w3af license and copyright will remain intact as is.

"Rapid7 is leveraging Andres' knowledge of the Web application space to expand the Web application coverage in NeXpose, [but] there aren't any direct code merges at this time," Moore says.

In addition, look for Riancho to play a role in shaping the future Web hacking features of Metasploit. "We plan to expand our coverage of the Web application penetration-testing space in Metasploit, and Andres will be contributing to that process as well," Moore says. Moore says he will release a road map for Metasploit in the next month or two, which will include more details on how it will integrate with w3af.

"Rapid 7 has made a smart move by keeping the momentum they started with Metasploit with w3af. They now have best-of-breed system-level and Web application attack frameworks," says David Maynor, CTO with Errata Security. "It seems like Rapid7 is quickly sounding the death knell for traditional scanner technology."

Meanwhile, as part of Rapid7 Metasploit has been downloaded or updated by more than 740,000 people in the first half of this year, a number the company says is two times the number of participants who did so in the second half of 2009.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5312
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVE-2012-6662
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

CVE-2014-1424
Published: 2014-11-24
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

CVE-2014-7817
Published: 2014-11-24
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

CVE-2014-7821
Published: 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?