

    w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. To read our short and long term objectives, please click on the Project Objectives item in the main menu. This project is currently hosted at SourceForge; for further information, you may also want to visit the w3af SourceForge project page.

    If you are here just to "take a look" please watch the w3af video demos!


Project news



  • w3af in the official Debian repositories - Fri, 22 May 2009 13:43:41 GMT
    • Thanks to the help of Luciano Bello, w3af made it to the official Debian repositories. For now, the package is only on the unstable branch, but for the dare-devils that use it, you can now install w3af by issuing "apt-get install w3af".

      This is also good news for all the Debian-based distributions (like Ubuntu), because w3af will be available for them as a package too.

  • Releasing 1.0-rc2, 1.0 is getting closer... - Fri, 03 Apr 2009 22:27:06 GMT
    • The w3af team is proud to announce the 1.0-rc2 release, which basically fixes some bugs in the 1.0-rc1 release and gets us closer to the stable 1.0 release.

      We also would like to ask all the users to report their bugs, and perform intensive testing on the framework. Your work feedback is invaluable for us.

  • 1.0-rc1 is out! - Sat, 28 Feb 2009 05:04:02 GMT
    • After a lot of work by the w3af team, we are proud to announce the first release candidate for the 1.0 version!

      This release fixes A LOT of bugs, reduces memory usage, and increases the performance of the HTTP request library.

      Our goal is to have a stable release in two weeks, which will allow us to keep building and adding new features on top of it. A new era is coming... Web Application Payloads are just around the corner...

  • w3af beta7 is available! - Mon, 22 Sep 2008 18:58:17 GMT
    • We are glad to announce that the latest version of w3af is available to the public! As usual, I want to thank all the contributors for their great work, and Ulises Cune for the Windows installer.

      Have fun, and don't hack too many web apps ;)

  • Windows installer - Mon, 02 Jun 2008 13:41:14 GMT
    • I'm glad to announce that Ulises Cune has finished the first version of the Windows installer! He has done great work with it, and now it is available for download at http://w3af.sourceforge.net/#download. We have tested it on Windows XP, Windows 2000 and Windows Vista and it seems to work as expected on all of them. This is a big step in our project; we expect to get a lot of new users with this installer!


Trainings and talks

A Web Application Security Training is going to be delivered by Andrés Riancho in Buenos Aires! This course is designed for developers, hackers, QA experts and even CSOs. Don't miss this opportunity to train yourself with one of the best professionals in the field.

Web application security course

Documentation

We are actively working on the documentation. Documentation of the project is created using epydoc. We think that documentation is a really important part of every Open Source project and it will be taken really seriously.

Official documentation:

  • The w3af user's guide can be found here.
  • A French translation of the user's guide made by Jerome Athias can be found here.
  • The epydoc documentation for w3af can be found here.
  • The presentation materials used at the T2 conference can be found here.

External resources:

  • Josh Summit wrote a two-part tutorial on w3af on his blog: 1, 2.
  • Fuzion wrote a Windows installation tutorial on his blog.


Prerequisites and Installation

The installation procedure and the project prerequisites can be found in the user's guide, which is available here.


Mailing List and IRC channel

w3af has three mailing lists: one for users, where end users can ask questions about the framework usage and its features; a developers mailing list, where new features and advanced topics are discussed; and a third one, which is used to notify developers about svn commits and tasks that have been created.

The mailing lists are open for any questions regarding w3af, but please read the documentation, the user guide and the mailing list archives before asking. For more information about the mailing lists, you can visit the SourceForge page:

    Mailing list information

The w3af project also has an official IRC channel, where users and developers join to exchange ideas:

    #w3af channel at the Freenode IRC network


License

w3af is an Open Source software package. It is licensed under the GNU General Public License Version 2.


Download

There are four different ways of getting your hands on w3af:

- You can get the latest (and most unstable) version from the development SVN using this command:

      svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af

- You can download the Samurai Live CD, which has w3af preinstalled with all the dependencies.

- On Debian (only the unstable branch for now) you can run "apt-get install w3af".

- Or you can download one of the release packages, which include files for Windows and Linux:
  • w3af 1.0-rc2 [shorty]
    Released: Fri, 03 Apr 2009 22:37:20 GMT - Download
  • w3af 1.0-rc1 [bonsai]
    Released: Fri, 27 Feb 2009 20:48:41 GMT - Download
  • w3af beta7 [omi]
    Released: Mon, 22 Sep 2008 14:25:15 GMT - Download

Author

Andrés Riancho is an information security researcher and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, and contributed to SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

For any issues with the framework, please subscribe to the mailing list and ask your questions there; for personal questions you can contact me at: andres -dot- riancho [at] gmail +dot+ com. This request is not in vain: if all w3af users send their emails directly to me and I answer them privately, no community is created and no synergy is achieved.