
    w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. To read our short- and long-term objectives, please click the Project Objectives item in the main menu. This project is currently hosted at SourceForge; for further information, you may also want to visit the w3af SourceForge project page.

    If you are here just to "take a look" please watch the w3af video demos!

Project news

  • w3af - And now, with a stable core - Wed, 25 May 2011 13:10:06 GMT
    • Since our latest w3af release in mid-January and our new Windows installer release a couple of months ago, we've received lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code base is no joke: it requires countless hours of writing unit tests, running w3af scripts and, most importantly, fixing bugs. Now, finally, we're here!

      In this latest release, we bring you a couple of the most important improvements of our framework:
      * Stable code base, an improvement that will reduce your w3af crashes to a minimum. We've been working on fixing all of our long-standing bugs, wrote thousands of lines of doctests and various types of automation to make sure we can also keep improving without breaking other sections of the code.

      * Auto-Update, which will allow you to keep your w3af installation updated without any effort. Always get the latest and greatest from our contributors!

      * Web Application Payloads: for people who enjoy exploitation techniques, this is one of the most interesting things you'll see in web application security! We created various layers of abstraction around an exploited vulnerability in order to be able to write payloads that use emulated syscalls to read, write and execute files on the compromised web server. Keep an eye on this blog for an entry completely dedicated to this subject!

      * PHP static code analyzer: as part of a couple of experiments and research projects, Javier Andalia created a PHP static code analyzer that performs tainted-mode analysis of PHP code in order to identify SQL injections, OS commanding and remote file includes. At this time you can use this very interesting feature as a web application payload. After exploiting a vulnerability, try "payload php_sca", which will download the remote PHP code to your box and analyze it to find more vulnerabilities!

      And many others, such as:
      * Refactoring of HTTP cache and GTK user interface code to store HTTP requests only once on disk (5% performance improvement)
      * Performance improvement in sqlite database by using indexes (1% performance improvement)
      * Huge w3af code-base refactoring on how URLs are handled. Moved away from handling URLs as strings into a url_object model. This reduces the number of times a URL is parsed into its component pieces (protocol, domain, path, query string, etc.) and put back together into a string, which clarifies the code and makes it run faster.

      We have a stable release, w00t! Hmmmm.... have we finished? Should we go home? No! We still have work to do; there are still features and capabilities we'd like to add. For example, as you read this, we're working on integrating the multiprocessing module into w3af's code, with the objective of using more than one CPU core at the same time and substantially improving our scanning speed. We're also working on handling encodings by using unicode strings across the whole framework, and on making the user experience more intuitive by changing bits and pieces of the graphical user interface.

      As usual, you can get our latest installable packages from the download section of this site, just download and enjoy our latest improvements!

  • w3af 1.0-rc5: Better, Stronger, Faster - Tue, 18 Jan 2011 18:26:49 GMT
    • Since our latest release back in November, the w3af team has focused on making the framework better, stronger and faster. By downloading this release you'll be able to enjoy new vulnerability checks, more stable code and an approximately 15% performance boost in the overall speed of your scan. Here's what's new:

      * Now using bloom filters instead of sqlite3 databases (which are persistent on disk), effectively increasing scan performance by about 15%!
      * Fixed most of the bugs that caused w3afMustStopExceptions and wrote debugging code to allow us to identify the remaining ones.
      * Based on many community requests, we've updated our XML output plugin and wrote an XSD file to help other tools parse the output from our scanner.
      * Added a new plugin that measures the number of hops for port 80 vs 443 and compares them, which is useful to identify load balancers, reverse proxies and other network appliances.

      On top of that, we've also worked on writing unit tests and a continuous integration system that we'll use for testing our code each night. When we complete this task, we'll be able to deliver high quality code on each release, with fewer bugs and no regressions.
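
      The bloom filter change above trades a small, bounded false-positive rate for a compact, fast "have we seen this URL?" set. The following is an added illustration, not w3af's own code, of how such a filter sits in a crawler's URL deduplication and why its error mode matters for scan coverage: a false positive means a never-visited URL is silently skipped, while a revisit never happens. The class and function names (BloomFilter, normalize_url, dedupe_urls, measure_false_positive_rate) and the target.example URLs are constructed for this example.

```python
"""Added example: a Bloom filter as a crawler's "seen URL" set.

Not w3af code. Names and sample URLs are constructed for illustration.
"""
import hashlib
import math
from urllib.parse import urlsplit, urlunsplit


class BloomFilter:
    """Space-efficient probabilistic set: no false negatives, bounded false positives."""

    def __init__(self, expected_items, false_positive_rate):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, item):
        # Double hashing: derive the k bit indices from two 64-bit halves of one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride so the indices do not collapse
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def normalize_url(url):
    """Canonical dedup key: lowercase scheme/host, drop default port and fragment, '/' for an empty path."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    default_port = {"http": ":80", "https": ":443"}.get(scheme)
    if default_port and netloc.endswith(default_port):
        netloc = netloc[: -len(default_port)]
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def dedupe_urls(urls, expected_items=10_000, false_positive_rate=0.001):
    """Return (normalized URLs accepted for scanning, number skipped as already seen)."""
    seen = BloomFilter(expected_items, false_positive_rate)
    accepted, skipped = [], 0
    for url in urls:
        key = normalize_url(url)
        if key in seen:  # a true duplicate or, rarely, a false positive (a missed URL)
            skipped += 1
            continue
        seen.add(key)
        accepted.append(key)
    return accepted, skipped


def measure_false_positive_rate(inserted=1000, probes=10_000, target_rate=0.01):
    """Insert `inserted` constructed URLs, probe `probes` URLs never inserted; return the observed FP rate."""
    bf = BloomFilter(inserted, target_rate)
    for i in range(inserted):
        bf.add(f"http://target.example/page/{i}")
    # A Bloom filter never forgets an inserted item: zero false negatives by construction.
    assert all(f"http://target.example/page/{i}" in bf for i in range(inserted))
    hits = sum(1 for j in range(probes) if f"http://target.example/other/{j}" in bf)
    return hits / probes


# Constructed crawl output: variants of the same page that a scanner should not re-test.
SAMPLE_URLS = [
    "http://target.example/index.php",
    "HTTP://Target.Example:80/index.php#top",  # same resource as the first entry
    "http://target.example/index.php?id=1",
    "http://target.example/login.php",
    "http://target.example/login.php",         # exact duplicate
    "https://target.example/index.php",        # different scheme: a distinct key
]

if __name__ == "__main__":
    accepted, skipped = dedupe_urls(SAMPLE_URLS)
    print(f"accepted {len(accepted)} URLs, skipped {skipped} duplicates")
    for u in accepted:
        print("  ", u)
    print(f"observed false-positive rate at a 1% target: {measure_false_positive_rate():.4f}")
```

      The sizing formulas make the false-positive rate a deliberate engineering choice: a filter dimensioned for the expected crawl size keeps the skip rate near the target, while overfilling it past `expected_items` raises the rate and quietly shrinks coverage, so the budget should be set from the largest site the scanner is expected to crawl.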

  • 1.0-rc4 is ready for you to download! - Tue, 02 Nov 2010 16:21:59 GMT
    • This is one of those great moments in the life of a project, a moment that I've been dreaming about for a couple of years. We're releasing a new version of w3af, but that's not important. The major achievement is the story behind the release, the effort put in this release by all the contributors, Javier Andalia (our core developer) and Rapid7 (the company that allows all this to happen).

      For the first time in the project's life, we have a roadmap [0], a prioritized backlog [1] and a structured development process we follow to deliver new features and fix bugs.

      The efforts for this release have been major; some of them have been really organized, like our sprints that started one month ago [2][3], and some others can be tracked through the SVN logs, like Taras' great improvements of the GUI.

      Just to name a few things we've done for this release:
      * We've written new HOWTO documents for our users
      * Considerably improved the speed of all grep plugins
      * Replaced Beautiful Soup with the faster libxml2 library
      * Introduced the usage of XPATH queries that will allow us to improve performance and reduce false positives
      * Fixed hundreds of bugs

      On this release you'll also find that after exploiting a vulnerability you can leverage that access using our Web Application Payloads, a feature that we developed together with Lucas Apa from Bonsai Information Security. These payloads allow you to escalate privileges and will help you get from a low privileged vulnerability (e.g. local file read) to a remote code execution. In order to try them, exploit a vulnerability, get any type of shell and then run any of the following commands: help, lsp, payload tcp (the last one will show you the open connections in the remote box).

      We still have tons of things to do, but for the first time in the project's life we have a defined process that will make us achieve our objectives.

      [0] https://sourceforge.net/apps/trac/w3af/roadmap
      [1] https://sourceforge.net/apps/trac/w3af/report/1
      [2] https://sourceforge.net/apps/trac/w3af/query?group=status&milestone=owls-sprint-1
      [3] https://sourceforge.net/apps/trac/w3af/query?group=status&milestone=owls-sprint-2

  • w3af On the Rise - Wed, 28 Jul 2010 15:32:39 GMT
    • I have been passionate about the Web application security field for years, which is why I developed w3af. Some have even called it the “Metasploit” of Web application security. Over the last year or so, I have been thinking how I can personally help to raise the bar for Web application security even further and turn w3af into one of the leading open source security projects.

      I am therefore very excited that today I am announcing that Rapid7 is sponsoring the w3af project and that I will be joining Rapid7 as Director of Web security to spearhead Rapid7’s worldwide Center of Excellence (COE) for Web security. The first immediate result of the sponsorship is that I have already hired a first employee at the COE and will be looking to staff several other engineering positions here in Argentina.

      To be clear, Rapid7 is not acquiring w3af. I will keep the project open source, with no plans to change the license or the community development model. What will be changing is how fast we integrate new features and release new versions with Rapid7’s support. I will still be involved in w3af's development process with the classical role of project leader (or Benevolent Dictator For Life or BDFL as some like to call it), but with more time to design the heuristics and algorithms required to maintain the framework as a world class Web application security solution. By creating a COE and sponsoring w3af, Rapid7 will benefit from the extensive security research experience of w3af and use this to enhance its existing NeXpose product line.

      I am so excited about the sponsorship and me joining Rapid7 for a number of reasons.

      First, Rapid7 has proven that they understand the community and how the cross pollination between open source and commercial solutions can lead to exceptional results. Proof in point is the way Rapid7 has handled the Metasploit Project. It has created commercial versions on top of the open source framework while at the same time accelerating the value of the project. Since getting involved with Metasploit in October 2010, Rapid7 has funded a full-time development team for Metasploit and has released five versions of the open source framework.

      Second, Rapid7 has amazing products and technology. Rapid7 has been developing an amazing vulnerability management product in the market for 10 years and has now gained a leadership position in penetration testing with the support of Metasploit as well. What stood out particularly for me is the investment Rapid7 has already made in Web application security. NeXpose is the only vulnerability management solution that has scanning capabilities that address Web 2.0 and AJAX technologies. With this functionality as a baseline, I truly believe that the cross-pollination of w3af and Rapid7 NeXpose will lead to best in class Web application security technology in the near future.

      Lastly, w3af will only get better. It will remain free. Like with the Metasploit Framework, w3af will still be open source, which is the reason why it has been so successful. w3af's license and copyrights remain the same. What will change is that you will see a lot more support behind the project. As a matter of fact I am hiring right now so if you are a developer with Python skills and are good at Web application security, please contact me at andres_riancho@rapid7.com.

  • Release candidate three is out! - Wed, 31 Mar 2010 02:55:20 GMT
    • The development team is proud to announce a new w3af release! Some of the features of the 1.0-rc3 version are:

      * Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
      * Increased speed by rewriting parts of the thread management code
      * Fixed tons of bugs
      * Reduced memory usage
      * Many plugins were rewritten using different techniques that use fewer HTTP requests to identify the same vulnerabilities
      * Reduced false positives


Trainings and talks

A Web Application Security Training is going to be delivered by Andrés Riancho in Buenos Aires! This course is designed for developers, hackers, QA experts and even CSOs. Don't miss this opportunity to train yourself with one of the best professionals in the field.

Web Application Security Course

Documentation

We are actively working on the documentation. The project's documentation is generated with epydoc. We think that documentation is a really important part of every Open Source project, and we take it seriously.

Official documentation:

  • The w3af user's guide can be found here.
  • A French translation of the user's guide, made by Jerome Athias, can be found here.
  • The epydoc documentation for w3af can be found here.
  • The presentation materials used at the T2 conference can be found here.

External resources:
  • Josh Summit wrote a two-part tutorial on w3af on his blog: parts 1 and 2.
  • Fuzion wrote a Windows installation tutorial on his blog.


Prerequisites and Installation

The installation procedure and the project prerequisites can be found in the users guide, which is available here.


Mailing List and IRC channel

w3af has three mailing lists: one for users, where end users can ask questions about the framework's usage and its features; a developers' mailing list, where new features and advanced topics are discussed; and a third one, which is used to notify developers about svn commits and tasks that have been created.

The mailing lists are open for any questions regarding w3af, but please read the documentation, the user guide and the mailing list archives before asking. For more information about the mailing lists, you can visit the SourceForge page:

    Mailing list information

The w3af project also has an official IRC channel, where users and developers join to exchange ideas:

    #w3af channel at the Freenode IRC network


License

w3af is an Open Source software package. It is licensed under the GNU General Public License Version 2.


Download

There are four different ways of getting your hands on w3af:

- Download one of the release packages, which include files for Windows and Linux.

- Get the latest (and unstable) version from the development SVN using this command:

      svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af

- Download the Samurai Live CD, which has w3af preinstalled with all the dependencies but at this point the LiveCD does not include 1.0-rc3.

- Or run "apt-get install w3af" on your Debian system to get 1.0-rc2.


Author

Andrés Riancho is an information security researcher, Director of Web security at Rapid7 and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3Com and ISS, and contributed to SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, such as OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

For any issues with the framework, please subscribe to the mailing list and ask your questions there; for personal questions you can contact me at: andres -dot- riancho [at] gmail +dot+ com . This request is not in vain: if all w3af users send their emails directly to me and I answer them privately, no community is created and no synergy is achieved.
