Automated W3AF Scanning with Slack Alerting

I have recently been automating a lot of my technical security tasks and building Slack bots around them, and it was w3af's turn. w3af is an amazing open source web application security scanner that my friend Andres Riancho writes and maintains.
The goal of this project was to build scheduled and automated scans of my web properties with PDF reporting and Slack alerting.
Configuration is fairly easy:

  • Create a Slack bot and copy its API token.
  • Update the server and install the needed software:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install w3af
  • Install wkhtmltopdf in headless mode.
  • Create necessary folders:
    sudo mkdir /w3af
  • Copy this shell script and update the token:

https://gist.github.com/jgamblin/ae1bdb24113788e70b91d0cc826a163f

  • Copy this w3af config file:

https://gist.github.com/jgamblin/2133162778e1d438f57114946b6244d6

  • Copy this line to your crontab to run the scan every night at midnight (cron runs with a minimal environment, so use the absolute path):
    00 00 * * * /w3af/w3af.sh
  • Enjoy automated w3af scans with slack alerting.
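The linked gist is not reproduced here. As an added example that is not the author's script, the wrapper below shows the pieces the procedure above wires together: it generates a w3af_console script for one target, runs the scan with the html_file output plugin, renders the HTML report to PDF with wkhtmltopdf, and uploads the PDF to Slack with a bot token. The /w3af layout, the channel name and the token placeholder are assumptions.

```shell
#!/bin/sh
# Added example of a nightly w3af wrapper (not the author's gist): build the
# w3af console script, run the scan, render the report to PDF, alert Slack.
set -eu

W3AF_DIR=/w3af                                  # assumed layout from the post
SLACK_TOKEN="${SLACK_TOKEN:-xoxb-PLACEHOLDER}"  # bot token: placeholder value
SLACK_CHANNEL="${SLACK_CHANNEL:-#security}"     # assumed channel name

# Emit a w3af_console script for one target; findings go to the HTML report.
w3af_script() {
  target="$1"; html="$2"
  cat <<EOF
plugins
output console, html_file
output config html_file
set output_file $html
back
crawl web_spider
audit all
back
target
set target $target
back
start
exit
EOF
}

# Run the scan for a target and print the path of the generated PDF report.
scan_to_pdf() {
  target="$1"; stamp="$(date +%F)"
  script="$W3AF_DIR/scan-$stamp.w3af"
  html="$W3AF_DIR/report-$stamp.html"
  pdf="$W3AF_DIR/report-$stamp.pdf"
  w3af_script "$target" "$html" > "$script"
  w3af_console -s "$script" > /dev/null      # non-interactive scan
  wkhtmltopdf -q "$html" "$pdf"              # headless HTML -> PDF
  echo "$pdf"
}

# Post a short alert to the channel with the PDF attached (Slack files.upload).
slack_alert() {
  target="$1"; pdf="$2"
  curl -sS -F "token=$SLACK_TOKEN" -F "channels=$SLACK_CHANNEL" \
       -F "initial_comment=w3af scan of $target finished on $(hostname)" \
       -F "file=@$pdf" https://slack.com/api/files.upload > /dev/null
}

main() { pdf="$(scan_to_pdf "$1")"; slack_alert "$1" "$pdf"; }
if [ $# -ge 1 ]; then main "$1"; fi          # no target argument: do nothing
```

Invoke it as `/w3af/w3af.sh https://www.example.com` from cron; a run with no argument only defines the functions.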
