w3af - Web Application Attack and Audit Framework
w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. This project is currently hosted at SourceForge. For further information, you may also want to visit w3af SourceForge project page.
If you are here just to "take a look" these screenshots will show you what w3af can do:
- OS commanding detection and exploit (console user interface)
- OS commanding and DAV misconfiguration detection and exploit (console user interface)
- Blind SQL Injection exploit (console user interface)
- OS commanding detection and exploit (pyGTK user interface)
Project news
- beta6 release! - Sat, 12 Apr 2008 13:36:01 GMT
- Sponsors - Mon, 10 Mar 2008 01:37:11 GMT
- Help wanted - Sun, 24 Feb 2008 18:03:02 GMT
- Changes in SVN - Thu, 31 Jan 2008 21:07:47 GMT
- Random news - Wed, 02 Jan 2008 00:32:11 GMT
- I uploaded beta6 to sourceforge file release system some minutes ago. I released it today because I think that beta5 is really outdated and not many new users download the svn version, which creates some problems. Beta6 introduces some new features like the GTK user interface, new plugins and A LOT of bug fixes that were reported by our users.
I would like to thank everyone who contributed with this release, specially Sasha, Facundo and Ulises. I would also like to thank our sponsors, Cybsec and Openware for their support and their open source initiative.
I hope you enjoy it and please report any bugs! =) (0 comments)
- I would like to thank our sponsors, Cybsec (Platinum) and Openware (Gold) for their support and continuous help to the project. If you want to know more about them, visit the Sponsor link in the main menu. (0 comments)
- I would like to use this space to let everyone know that the w3af project is searching for contributors. The contributors I'm searching for are talented web application security hackers, python programmers, hacker wannabes, open source enthusiasts, or anyone that has some spare time and wants to help with the project and learn in the process. The TODO list for the framework is huge, and new ideas are always welcome. If you want to join our team, send an email to the w3af-develop list. (0 comments)
- For those who don't follow the developers mailing list, we have just made some changes to the SVN directory structure that may impact on your "svn update" process. After some talking with Sasha we decided to follow the best practices and use trunk and branches in the SVN. So, if you already performed a "svn co" you will need to go to your working copy directory and run: "svn switch https://w3af.svn.sourceforge.net/svnroot/w3af/trunk"
That command will replace the old URL with the new one, and will allow you to keep performing regular updates to get the latest goodies.
New users should just run "svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af" and start clean from there. (0 comments)
- To start this year I would like to thank all contributors for their work, w3af is a relatively new project and it would be impossible to keep growing at this rate without them.
I have some interesting news:
- There is a new plugin list online available at http://w3af.sourceforge.net/pluginDesc.php ; I believe that this list will attract new users and will benefit the project.
- I have been working on a series of bug reports made by Ulises Cuñé and a contributor from germany that prefers to remain anonymous(stupid laws...).
- Facundo Batista is working on a pyGTK user interface for w3af
- Alexander Berezhnoy did a great job refactoring the spiderMan plugin, and now he is working on the refactoring of the console user interface. The objective of his work is to add usability(more autocompletion and other goodies) and clean up the code. (0 comments)
Talks
w3af is going to be presented at:
If you are going to be there, let me know and we'll have a beer ;)
FAQ
A small FAQ can be read here.
Documentation
We are actively working on the documentation. Documentation of the project is created
using epydoc . We think that documentation is a really important part of every Open Source project and it will be taken really seriously.
Official documentation:
- The w3af user's guide can be found here.
- The epydoc documentation for w3af can be found here.
- The presentation materials used at the T2 conference can be found here.
External resources:
-
Josh Summit wrote a two part tutorial of w3af on his blog: 1 , 2 .
- Fuzion wrote a windows installation tutorial on his blog.
Prerequisites and Installation
The installation procedure and the project prerequisites can be found in the users guide, which is available here.
topMailing List
w3af has three mailing lists, one for users where end users can ask questions about the framework usage and its features; a developers mailing list were new features and advanced topics are discussed; and a third one which is used to notify developers about svn commits and tasks that have been created.
The mailing lists are open for any questions regarding w3af, but please read the documentation, the user guide and the mailing list archives before asking.
License
w3af is an Open Source software package. It is licensed under the GNU General
Public License Version 2.
Download
svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af
Or you can download a release package:
w3af beta6 [xis]
Released: Sat, 12 Apr 2008 13:06:16 GMT - Downloadw3af beta5 [yen]
Released: Thu, 18 Oct 2007 23:32:40 GMT - Downloadw3af beta4 [prel]
Released: Sun, 10 Jun 2007 16:11:07 GMT - Download
Author
The project leader is Andres Riancho, a student at UBA and an information security geek that lives in Argentina. He has contributed to other Open Source projects and sporadically writes for SecureArg an information security site co-founded by him.
For any issues with the framework, please subscribe to the mailing list and make your questions there, for personal questions you can contact me at: andres -dot- riancho [at] gmail +dot+ com . This request is not in vain, if all w3af users send their problems to me and I answer them directly, no community is created and no synergy is achieved. top