w3af: A Highly Effective, Open Source Web App Auditing and Exploitation Tool (2024)

November 24, 2015

Last Updated on January 16, 2024

The Web Application Attack and Audit Framework (w3af) is an open source framework for auditing and exploitation of web applications. For businesses whose IT budgets aren’t hefty enough to purchase proprietary, enterprise-class tools like IBM Security AppScan or Cenzic Hailstorm (now Trustwave App Scanner Enterprise), w3af is also highly effective and the price is right.
You can use w3af to identify over 200 vulnerabilities to reduce your site’s risk exposure. The framework is “proudly developed using Python and is easy to use and extend.”
In this post I’ll illustrate some of the features of w3af, and show you how to use it to scan an application using the command line interface (CLI). w3af is a powerful and popular tool that is comparatively easy to use and extend.
In this article we will demonstrate scanning an application using the CLI, give an overview of the different plugins, and explain how the plugins communicate with one another.
w3af has a number of plugins, which can communicate with one another. For example, the Discovery plugin can identify different URLs for the application and pass its results to the Audit plugin, which can then use the URLs to search for vulnerabilities. The Exploit plugin can then be used to exploit any identified vulnerabilities.
w3af has a wide range of features, including fuzzing and manual request generation (great for manual web app testing). It can also be configured as a “man-in-the-middle” proxy, so that intercepted requests can be sent to the request generator to support manual web app testing.
To open up the w3af console, type the command shown below. You may be asked to update the w3af repository.

Figure 1: w3af Console

To list the available commands, type “help”:

Figure 2: w3af help

To list the available plugins, type “plugins.” To see the list of command options available for a plugin, type the plugin name. For example, typing “keys” shows you the list of shortcut keys in w3af:

Figure 3: Keys command

To get a help listing for any plugin, just type “help <PluginName>.” For example, to get details on the Discovery plugin, type “help Discovery”:

Figure 4: Discovery plugin

Here’s a quick overview of a few of the many, many w3af plugins available thanks to the tool’s strong community. For more information, check out the w3af documentation.
Discovery: The Discovery plugins crawl the specified application and find URLs and forms that can be used by other plugins to locate vulnerabilities. There are many Discovery plugins available; e.g., spiderMan, hmap, googleSpider and so on. You can enable one or more plugins as needed. To see the list of discovery plugins, just type “discovery.”

Figure 5: List of discovery plugins.

To get information on a particular plugin, type “discovery desc <pluginname>.” For instance, if you want to see the description for the plugin xssedDotCom, type “discovery desc xssedDotCom.”

Figure 6: XSSedDotCom Description

Some other commonly used discovery commands include:

  1. To enable more than one plugin: discovery plugin1, plugin2
  2. To enable all plugins: discovery all
  3. To remove all enabled plugins: discovery !all
  4. To list enabled plugins: list discovery enabled

Figure 7: Some more discovery commands

Audit: The Audit plugin identifies vulnerabilities on the URLs identified by the Discovery plugin. The Audit plugin can test for different types of vulnerabilities, like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc. It performs its tests by injecting different sets of strings and verifying the responses.
To get information about the XSS plugin, type “audit desc xss.”

Figure 8: XSS Plugin description

As the screenshot above shows, there are two configurable parameters available for the XSS plugin. To set numberOfChecks to a high number, type this command:

Figure 9: Configuring XSS parameters

Grep: The Grep plugin works similarly to passive scanning, and helps to find interesting information by analyzing requests and responses. It can find information such as credit card information, forms with file upload functionality, email addresses, and so on. You can configure the various Grep plugins per your requirements. But make sure you enable the Discovery plugin; otherwise the Grep plugin will be of little use, since it can only analyze requests and responses.

Figure 10: Grep Plugin for file upload
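
The kind of passive check a Grep plugin performs, as an added Python sketch that is not w3af's own code: it inspects a response body that has already been fetched and reports email addresses, forms with file upload fields, and Luhn-valid card numbers. The function names and the sample response are constructed for illustration.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class UploadFormFinder(HTMLParser):
    """Records the action of each <form> that contains an <input type="file">."""
    def __init__(self):
        super().__init__()
        self.action, self.upload_actions = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "file":
            if self.action is not None and self.action not in self.upload_actions:
                self.upload_actions.append(self.action)
    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def grep_response(url, body):
    """Passively inspect one response body; this sends no traffic of its own."""
    finder = UploadFormFinder()
    finder.feed(body)
    digit_runs = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(body))
    cards = [d[-4:] for d in digit_runs if luhn_ok(d)]  # report last four digits only
    return {"url": url, "emails": sorted(set(EMAIL_RE.findall(body))),
            "upload_forms": finder.upload_actions, "card_last4": cards}

# Constructed sample response body (not captured from a real application).
SAMPLE = ('<form action="/profile/avatar" method="post" enctype="multipart/form-data">'
          '<input type="file" name="avatar"></form>'
          '<p>Contact: support@example.com</p>'
          '<p>Order ref 1234567890123456, paid with 4111 1111 1111 1111</p>')

if __name__ == "__main__":
    print(grep_response("/profile", SAMPLE))
```

The order reference in the sample is a 16-digit run that fails the Luhn check, so only the test card number is reported.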

Output: The Output plugin can help you to see the results of your scans in various formats. w3af supports multiple formats, including XML, Console, HTML, text, and more. Different configuration parameters are available, like filename, verbosity, etc. For example, set Verbose to True to get detailed output on the scanned application.
Hopefully this brief introduction will encourage you to try running w3af against your applications, if only to get a sense of what vulnerabilities you need to address. That said, application vulnerability testing and exploitation is a professional specialty.
Depending on the information security risk associated with an application, it’s often a good idea to engage a skilled third party to scan your critical applications or even review the source code. For more information, contact Pivot Point Security.


What is w3af used for?

w3af (Web Application Attack and Audit Framework) is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for Web applications.

Is w3af a vulnerability scanner: true or false?

AI-generated answer. The statement "w3af is a vulnerability scanner" is true. w3af stands for "Web Application Attack and Audit Framework." It is an open-source web application security scanner used to identify vulnerabilities in web applications.

What is the w3af tool in Kali?

w3af stands for Web Application Attack and Audit Framework. It is an open source, Python-based Web vulnerability scanner. It has a GUI and a command-line interface, both with the same functionality. In this recipe, we will perform a vulnerability scan using w3af's GUI to configure the scanning and reporting options.

What is a web vulnerability scanner tool?

Vulnerability scanners are automated tools that scan web applications to look for security vulnerabilities. They test web applications for common security problems such as cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF).

What is the use of vulnerability database?

Vulnerability databases can be used to query the known vulnerabilities associated with system applications. A risk ranking exists for each published vulnerability and can be used to prioritize attacks within a penetration test.

What is Acunetix web vulnerability scanner used for?

Acunetix is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross-site scripting, and other exploitable vulnerabilities.

What is Agentless vulnerability scanning?

Agentless scanning for virtual machines (VM) provides: broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management; deep analysis of operating system configuration and other machine metadata; and vulnerability assessment using Defender Vulnerability Management.

Which is a database vulnerability scanner?

Database Scanners are a specialized tool used specifically to identify vulnerabilities in database applications. In addition to performing some external functions like password cracking, the tools also examine the internal configuration of the database for possible exploitable vulnerabilities.

Article information

Author: Nathanial Hackett
