Vulnerabilities / Threats
8/2/2010
05:46 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Metasploit To Get More Powerful Web Attack Features

Rapid7 sponsors open-source w3af Web assessment and exploit project

A popular open-source Web application attack and audit framework is now under the umbrella of Rapid7, the vulnerability management company that purchased the Metasploit Project last year. The w3af project ultimately will bring more Web security features and functions to both the Metasploit tool and Rapid7's commercial NeXpose product.

Click here for more of Dark Reading's Black Hat articles.

The open-source Metasploit penetration-testing tool currently has exploits for a handful of Web application bugs, as well as a few for generic Web flaws that affect multiple applications, says HD Moore, chief architect of Metasploit and chief security officer at Rapid7. But the goal is to expand Metasploit with more integrated Web flaw detection and attack features.

"Where we are moving to is toward dynamic detection and exploitation of vulnerabilities in custom applications and in known-vulnerable applications installed in nonstandard directories," Moore says. "So [we're] combining [Web] crawling with scanning to find vulnerable applications and then apply 'generic' Web application exploit modules against those to get access.

"The WMAP [plug-in] code in Metasploit is a good start, but we are looking at making the entire process much smoother."

Last week at Black Hat USA Rapid7 announced it had launched a new open-source initiative for Web security called the Worldwide Center of Excellence (COE). As part of the COE, Rapid7 is now sponsoring and partnering with the open-source Web application attack and audit framework w3af, and has hired its founder, Andres Riancho, as director of Web security and leader of the open-source Web program. The arrangement is somewhat similar to what Rapid7 did with its purchase of Metasploit -- keeping the open-source framework's creator at the helm of the project as well as hiring him in-house.

The w3af platform includes specific Web tools for specific tasks, such as Web assessments, scanning, and brute-force attacks. It also contains a "fancy UI [user interface]," Moore notes.

Meanwhile, Rapid7's commercial NeXpose product also will benefit from the w3af partnership. Rapid7 plans to enhance its NeXpose Web app scanner's performance and accuracy, as well as expand its vulnerability detection scope and support for client-side technologies, the company said in its announcement of the w3af deal. It also will add full-time developers to the w3af open-source project, while the w3af license and copyright will remain intact as is.

"Rapid7 is leveraging Andres' knowledge of the Web application space to expand the Web application coverage in NeXpose, [but] there aren't any direct code merges at this time," Moore says.

In addition, look for Riancho to play a role in shaping the future Web hacking features of Metasploit. "We plan to expand our coverage of the Web application penetration-testing space in Metasploit, and Andres will be contributing to that process as well," Moore says. Moore says he will release a road map for Metasploit in the next month or two, which will include more details on how it will integrate with w3af.

"Rapid 7 has made a smart move by keeping the momentum they started with Metasploit with w3af. They now have best-of-breed system-level and Web application attack frameworks," says David Maynor, CTO with Errata Security. "It seems like Rapid7 is quickly sounding the death knell for traditional scanner technology."

Meanwhile, as part of Rapid7 Metasploit has been downloaded or updated by more than 740,000 people in the first half of this year, a number the company says is two times the number of participants who did so in the second half of 2009.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6856
Published: 2014-10-02
The AHRAH (aka com.vet2pet.aid219426) application 219426 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6857
Published: 2014-10-02
The Car Wallpapers HD (aka com.arab4x4.gallery.app) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6858
Published: 2014-10-02
The Mostafa Shemeas (aka com.mostafa.shemeas.website) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6859
Published: 2014-10-02
The Daum Maps - Subway (aka net.daum.android.map) application 3.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6860
Published: 2014-10-02
The Trial Tracker (aka com.etcweb.android.trial_tracker) application 1.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.