Published on June 6th, 2014 📆 | 4821 Views ⚑0
ByWaf – Web Application Penetration Testing Framework
ByWaf is a Web Application Penetration Testing Framework (WAPTF). It consists of a command-line interpreter and a set of plugins. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License.
The Bywaf application is built on Python’s built-in cmd.Cmd class. Cmd is a lightweight command interpreter loop that provides several useful facilities for the developer, including overridable hook methods and easy addition of commands and help. For the user, it offers commandline editing with readline, including automatic tab completion of commands, command options and filenames.
Bywaf contains a sub-classed version of Cmd called Wafterpreter, which adds some important additions, including:
- Loading and selecting plugins.
- Getting and setting global and per-plugin options.
- Additional methods exposing functionality to the plugins.
- Backgrounding jobs, ending running jobs and querying job status.
- Loading scripts from the the command-line or within the interpreter.
- Loading, saving, showing and clearing the command history.
Wafterpreter API and utility methods:
The Wafterpreter API encompasses methods used by both the plugins as well as the Wafterpreter’s own methods; this allows for plugins to refining its behavior by assigning their own methods in their place.
Utility methods are time-saving shortcuts; while the API methods are the preferred way to change the interpreter’s behavior and to perform queries for jobs.
- filename_completer(): a utility method and API that when given a set of starting and ending indices of the current word under the command-line cursor, returns the available filenames the word matches. This parameters to this method are supplied to completion methods, which can in turn pass them to this method.
- get_job(): this utility method retrieves a Futures instace from the Wafterpreter’s internal list of completed and running jobs, given its job ID. This is useful in querying information about individual jobs (see do_kill() for an example).
- finished_job_callback(): This overridable method is called upon the completion of a backgrounded job. It is used by the onecmd() method to notify the user when a backgrounded job has finished.
- set_prompt(): an API method for setting the prompt to reflect a new plugin name.
- get_history_item(): an API method returning the command history.
- save_history(): an API method for saving the command history to a file.
- load_history(): an API method for loading the command history from a file.
- clear_history(): an API method for clearing the command history.
- load_module(): a private low-level method for loading modules. Gets called by do_use(). There should not be a reason for its use outside that method.