Official docker image for w3af
There are two different Docker images for w3af: stable and unstable. The
stable image is built from the master branch in the project repositories while
unstable is built from develop. Choose wisely, as usual unstable releases have
more features but also potential bugs.
-
In order to use w3af's docker image you'll first have to install docker
-
Then run these commands, please notice that the first time these commands are run the script will download a docker image from the registry, which might take between 1 and 5 minutes depending on your internet connection speed:
git clone https://github.com/andresriancho/w3af.git
cd w3af/extras/docker/scripts/
sudo ./w3af_console_docker
Running the unstable version is trivial (but dangerous since it might yield
unexpected results):
sudo ./w3af_console_docker -t unstable
When starting w3af using the w3af_console_docker or w3af_gui_docker commands
the docker containers are started with two volumes which are mapped to your
home directory:
-
~/.w3af/from your host is mapped to/root/.w3af/in the container. This directory is mostly used by w3af to store scan profiles and internal data. -
~/w3af-sharedfrom your host is mapped to/root/w3af-sharedin the container. Use this directory to save your scan results and provide input files to w3af.
When you first run sudo ./w3af_console_docker the helper script downloaded the
latest available docker image for w3af. Since we're improving our scanner almost
every week, you might want to get the latest docker image by running:
sudo docker pull andresriancho/w3af
The container runs a SSH daemon, which can be used to both run the w3af_console
and w3af_gui. To connect to a running container use root as username and
w3af as password. Usually you don't need to worry about this, since the helper
scripts will connect to the container for you.
Another way to debug the container is to run the script with the -d flag:
$ sudo ./w3af_console_docker -d
root@a01aa9631945:~#
The docker container provided at the public docker hub is enough for most users, but if you want to customize or improve the container we recommend using the provided build helper script:
$ cd w3af
$ # <your changes to w3af here>
$ cd extras/docker/
$ pip install --upgrade docker-tag-naming
$ sudo ./docker-build-local.sh
...
This will build a local image named andresriancho/w3af with the latest git
commit as tag. Run docker images to find the created tag and then:
sudo ./w3af_console_docker -t <image-tag>
Don't bind w3af's docker image to a public IP address unless you really know what you're doing! Anyone will be able to SSH into the docker image using the hard-coded SSH keys!
We still need to figure out (and add to this documentation) the best way for users to be able to perform these tasks:
- Passing parameters to the docker: scripts, profiles, dictionary files (how do I run ./w3af_console -s foo.w3af ?). I believe that the helper script would have to "forward" the parameters to the docker run command. #8461
- Run the GUI environment #8460
- Remove root requirement for helper script #8493
Want to help? Just follow the link to the task and add a comment saying you'll be working on it.