w3af inside docker¶
w3af inside docker should be transparent for most use cases, this page
documents the use cases which are complex to solve when docker is added to the
Ports and services¶
Some w3af plugins, such as
audit.rfi start proxy
HTTP services. In order to access these services the plugins need to be
configured to listen on
0.0.0.0 and the port needs to be made accessible
to the host using the
-p parameter in the helper script
Take a look at this commit for more information about exposing ports.
Debugging the container¶
The container runs a SSH daemon, which can be used to both run the
w3af_gui. To connect to a running container use
root as username and
w3af as password. Usually you don’t need to worry about this, since the helper
scripts will connect to the container for you.
Another way to debug the container is to run the script with the
$ sudo ./w3af_console_docker -d root@a01aa9631945:~#
WARNING: Don’t bind w3af’s docker image to a public IP address unless you really know what you’re doing! Anyone will be able to SSH into the docker image using the hard-coded SSH keys!