The Web Local



Web Application Attack and Audit Framework (W3AF)

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.


The project uses a number of disparate plugins to carry out an audit against a target website, the main ones being:


  • Discovery plugins have only one responsibility, finding new URLs, forms, and other “injection points”. A classic example of a discovery plugin is a web spider. This plugin takes a URL as input and returns one or more injection points. When a user enables more than one plugin of this type, they work recursively: If plugin A finds a new URL in the first run, the w3af core will send that URL to plugin B. If plugin B then finds a new URL, it will be sent to plugin A. This will go on until all plugins are run and no more knowledge about the application can be found using the enabled discovery plugins.

  • Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities. A classic example of an audit plugin is one that searches for SQL injection.

  • Attack plugins objective is to exploit vulnerabilities found by audit plugins. They usually return a shell on the remote server, or a dump of remote databases in case of SQL injections.


The plugins find the URLs, discover the bugs and exploit them. The complete list of plugins types is:

  • audit

  • bruteforce

  • discovery

  • evasion

  • exploit

  • grep

  • mangle

  • output

It is available from here.





pyOpenSSL - yum install pyOpenSSL

Bundled with w3af:

cd w3af/extlib

cd fpconst-0.7.2
python install

cd pygoogle
python install

cd pywordnet
python install

cd SOAPpy
python install

cd pyPdf
python install



Either command-line of gtk GUI are available

./w3af [options]

-h Print this help message.
-s <file> Execute a script file.
-g Run GTK user interface.
-i <dir> Directory where MSF is installed (only used to install the virtual daemon).
-p <profile> Run with the selected profile

./w3af -g brings up the GUI,

right click empty profile and select and appropriate name for the new profile. 

Select the requisite plugins you want to test against the site

Insert the url of the target.

After pressing start you are taken to the log tab which records all associated output generated by the tool and hopefully any vulnerabilities found:



Selecting the results tab will provide more details of problems within the site:


The final tab exploit will actually allow you to launch any found exploits :-)


This is a really nice tool and getting better with every release, one to have!

IT Security News:


Pen Testing Framework:


Latest Tool Reviews: