w3af is a Web Application Attack and Audit Framework.
How is the framework extended ?
The framework is extended using plugins. If you know Nessus, think of its plugins: each plugin does one job and the framework schedules them and collects what they find.
What kind of plugins are available ?
w3af has discovery, audit, evasion, grep and output plugins.
Discovery plugins are used to discover new valid URLs on the site. Examples of discovery plugins are googlespider_plugin, spider_plugin.py and urlfuzzer_plugin.
Evasion plugins are used to modify the requests the framework sends in order to try to evade IDSs.
Audit plugins are used to audit the security of a web application by sending test requests and checking the responses. Examples of audit plugins are xss_plugin, sqli_plugin and blindsqli_plugin.
Grep plugins are used to analyze every response that the server returns (no matter which plugin initiated the request) for interesting things. Examples of grep plugins are findcomments_plugin and pathdisclosure_plugin.
Output plugins are used to write the output of other plugins and of the framework itself in a convenient format. Examples of output plugins are console_plugin, txtfile_plugin and html_plugin.
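As an added illustration (example code written for this FAQ, not w3af's code or plugin API), the following toy pipeline shows how the plugin kinds divide the work: a discovery plugin extracts links from responses, an audit plugin injects a marker into each query parameter and reports when it is reflected unencoded, a grep plugin inspects every response whatever plugin asked for it, and an output plugin collects the findings. The class and method names, the http_get stand-in and the fake target site are assumptions made for the example; evasion plugins are not modelled.

```python
"""Toy version of the plugin pipeline described above.

Added example, not w3af code: the plugin classes, method names, the
http_get() stand-in and the constructed target site are assumptions made
for this illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit


def http_get(url):
    """Constructed fake web site standing in for real HTTP (assumption).

    /search reflects the q parameter without encoding, which is the
    reflected-XSS bug the audit plugin is meant to find.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.path == "/":
        return ('<a href="/search?q=test">search</a>\n'
                '<!-- TODO: remove debug page /admin -->')
    if parts.path == "/search":
        return "<p>Results for: %s</p>" % params.get("q", "")
    return "404 not found"


class LinkDiscovery:
    """Discovery plugin: turns href attributes in a response into new URLs."""

    def discover(self, url, body):
        return [urljoin(url, href) for href in re.findall(r'href="([^"]+)"', body)]


class XSSAudit:
    """Audit plugin: put a harmless marker into each parameter, one at a
    time, and report the parameter when the marker comes back unencoded."""

    MARKER = "<w3af>"

    def audit(self, url, request):
        findings = []
        parts = urlsplit(url)
        params = parse_qsl(parts.query)
        for i, (name, _value) in enumerate(params):
            mutated = list(params)
            mutated[i] = (name, self.MARKER)
            test_url = urlunsplit((parts.scheme, parts.netloc, parts.path,
                                   urlencode(mutated), ""))
            if self.MARKER in request(test_url):
                findings.append(("xss", test_url, name))
        return findings


class FindComments:
    """Grep plugin: runs over every response, no matter which plugin requested it."""

    def grep(self, url, body):
        return [("comment", url, c.strip())
                for c in re.findall(r"<!--(.*?)-->", body, re.S)]


class ListOutput:
    """Output plugin: collects findings as lines of text."""

    def __init__(self):
        self.lines = []

    def write(self, finding):
        kind, url, detail = finding
        self.lines.append("%s at %s (%s)" % (kind, url, detail))


class Core:
    """The framework: crawls with the discovery plugins, then audits every
    known URL. All HTTP goes through request(), so grep plugins see every
    response regardless of who asked for it."""

    def __init__(self, discovery, audit, grep, output):
        self.discovery, self.audit, self.grep, self.output = discovery, audit, grep, output

    def request(self, url):
        body = http_get(url)
        for plugin in self.grep:
            for finding in plugin.grep(url, body):
                self.output.write(finding)
        return body

    def run(self, start_url):
        known, queue = set(), [start_url]
        while queue:
            url = queue.pop(0)
            if url in known:
                continue
            known.add(url)
            body = self.request(url)
            for plugin in self.discovery:
                queue.extend(u for u in plugin.discover(url, body) if u not in known)
        for url in sorted(known):
            for plugin in self.audit:
                for finding in plugin.audit(url, self.request):
                    self.output.write(finding)
        return self.output.lines


def run_scan(start_url="http://target.example/"):
    """Wire one plugin of each kind together and return the report lines."""
    core = Core([LinkDiscovery()], [XSSAudit()], [FindComments()], ListOutput())
    return core.run(start_url)


if __name__ == "__main__":
    print("\n".join(run_scan()))
```

Running it reports the HTML comment found on the start page during the crawl and the reflected marker in the q parameter of /search found during the audit phase; note that the comment is reported by the grep plugin even though it was the crawler, not the grep plugin, that requested that page.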
Who is developing w3af ?
Mainly me (Andres Riancho), some friends and contributors. See the CONTRIBUTORS file in the project releases for a complete list of all the people who helped.
This project is also possible because of our sponsors.
Why are you doing this ?
Many reasons:
- I want to give back something to the Open Source community
- I'm lazy and this software will automate my work in pentests
- I wanted to have a GPL project of my own to learn about GPL
- I want to learn Python
What is the main goal of this project ?
This project aims to provide a framework for auditing and attacking web
applications.
How will w3af be developed ?
In the first releases w3af will aim to be a solid framework for web auditing. Once the community feels that the framework is stable and can detect most web site implementation bugs, we will start developing the attack features.
What attack features ?
w3af is a framework and can be fully extended, but the first attack features
that will be developed are for exploiting [Blind] SQL injection,
[local|remote] file inclusion and XSS using XSS-proxy.
I want to write a plugin, how should I start ?
w3af is well documented and the source code is simple to read for almost anyone (with or without Python experience). You should start by reading the base_audit_plugin or base_output_plugin documentation and code. After that, read xss_plugin.py; it's a really simple plugin. Finally, start writing. Questions are welcome on the developers list.
What services does the w3af framework provide to the plugin writer ?
w3af provides many services to plugin writers:
- Proxy support for outgoing connections
- Proxy authentication support for outgoing connections
- Basic HTTP authentication
- Cookie management
- HTML parser
- URL parser
- Custom request headers
- Output plugins that write all the results in a convenient format
- You won't have to handle the GUI; w3af deals with it
- Fuzzers
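As an added illustration (example code written for this FAQ, not w3af's HTTP layer), this is what centralising the proxy, proxy credentials, site Basic authentication, cookie jar and custom headers looks like with Python's standard library: the framework builds one opener that every plugin shares, and a plugin only asks for a request. The configuration values, the seeded cookie and the helper names are constructed for the example, and nothing is sent over the network.

```python
"""Shared HTTP-layer services a plugin author does not have to build.

Added example written for this FAQ, not w3af code. CONFIG, the seeded
cookie and the helper names are assumptions; nothing is sent on the wire,
the functions only build the opener and the request.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import (HTTPBasicAuthHandler, HTTPCookieProcessor,
                            HTTPPasswordMgrWithDefaultRealm, ProxyBasicAuthHandler,
                            ProxyHandler, Request, build_opener)

# Constructed scan configuration (assumption: in a real run this comes from the user).
CONFIG = {
    "proxy": "http://127.0.0.1:8080",                       # e.g. an intercepting proxy
    "proxy_auth": ("proxyuser", "proxypass"),
    "basic_auth": ("http://target.example/", "alice", "s3cret"),
    "headers": {"User-Agent": "w3af-example", "X-Scan-Id": "demo-1"},
}


def make_cookie_jar(domain, name, value):
    """Seed a jar with one session cookie for the target (constructed values)."""
    jar = CookieJar()
    jar.set_cookie(Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False))
    return jar


def make_opener(cfg, jar):
    """One opener shared by all plugins: proxy, proxy auth, site auth, cookies, headers."""
    proxy_pm = HTTPPasswordMgrWithDefaultRealm()
    proxy_pm.add_password(None, cfg["proxy"], *cfg["proxy_auth"])
    site_pm = HTTPPasswordMgrWithDefaultRealm()
    site_pm.add_password(None, *cfg["basic_auth"])
    opener = build_opener(
        ProxyHandler({"http": cfg["proxy"], "https": cfg["proxy"]}),
        ProxyBasicAuthHandler(proxy_pm),   # answers 407 from the proxy
        HTTPBasicAuthHandler(site_pm),     # answers 401 from the target
        HTTPCookieProcessor(jar),          # stores Set-Cookie, sends Cookie
    )
    # Headers added to every request the framework sends.
    opener.addheaders = list(cfg["headers"].items())
    return opener


def build_request(url, jar, extra_headers=None):
    """What a plugin calls: a Request with any extra headers it wants plus
    the cookies the jar already holds for that host and path."""
    req = Request(url, headers=extra_headers or {})
    jar.add_cookie_header(req)
    return req


if __name__ == "__main__":
    jar = make_cookie_jar("target.example", "session", "abc")
    opener = make_opener(CONFIG, jar)
    req = build_request("http://target.example/search?q=1", jar, {"X-Test": "1"})
    print(req.full_url, req.header_items())
    print([type(h).__name__ for h in opener.handlers])
```

The point for a plugin writer is the last function: the plugin never sees the proxy or the credentials, and the cookie header is attached only when the jar's policy says the cookie matches the request's host and path.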
How is w3af licensed ?
w3af is licensed under GPL version 2.
Why in Python ? I really like Java/Perl/Ruby !
IMHO, Java is slow and Perl is ancient. Ruby was an option, but I had already coded some small scripts in Python and liked it.
Why not in C++ ?
I want this project to be cross-platform without having to deal with the different platform restrictions, libraries, etc.