w3af - Web Application Attack and Audit Framework

w3af - Web Application Attack and Audit Framework

w3af is an open source web application security scanner that allows you to secure your web applications by finding and exploiting all web application vulnerabilities.

It can identify 200+ vulnerabilities, including Cross-Site Scripting, SQL injection and OS commanding.

It is a complete environment for auditing and exploiting Web applications. This environment provides a solid platform for web vulnerability assessments and penetration tests.


  • Git client
  • Python 2.7
  • Pip version 1.1

Main Plugin Types

The framework has three main plugins types: crawl, audit, and attack.

  • Crawl plugins:
They have only one responsibility, finding new URLs, forms, and other injection points. A classic example of a discovery plugin is the web spider. This plugin takes a URL as input and returns one or more injection points.

When a user enables more than one plugin of this type, they are run in a loop: If "plugin A" finds a new URL in the first run, the w3af core will send that URL to "plugin B". If "plugin B" then finds a new URL, it will be sent to "plugin A". This process will go on until all plugins have run and no more information about the application can be found.

  • Audit plugins:
Take the injection points found by crawl plugins and send specially crafted data to all in order to identify vulnerabilities. A classic example of an audit plugin is one that searches for SQL injection vulnerabilities by sending a'b"c to all injection points.

  • Attack plugins:
Their objective is to exploit vulnerabilities found by audit plugins. They usually return a shell on the remote server, or a dump of remote tables in the case of SQL injection exploits.

Other Plugins

  • Infrastructure:
Identify information about the target system such as installed WAF (web application firewalls), operating system and HTTP daemon.

  • Grep:
Analyze HTTP requests and responses which are sent by other plugins and identify vulnerabilities. For example, a grep plugin will find a comment in the HTML body that has the word "password" and generate a vulnerability.

  • Output:
The way the framework and plugins communicate with the user. Output plugins save the data to a text, XML or HTML file. Debugging information is also sent to the output plugins and can be saved for analysis.

Messages sent to the output manager are sent to all enabled plugins, so if you have enabled text_file and xml_file output plugins, both will log any vulnerabilities found by an audit plugin.

  • Mangle:
Allow modification of requests and responses based on regular expressions, think "sed (stream editor) for the web".

  • Bruteforce:
Bruteforce logins found during the crawl phase.

  • Evasion:
Evade simple intrusion detection rules by modifying the HTTP traffic generated by other plugins.

No comments

Powered by Blogger.