W3af 1.0 RC1

Web Application Attack and Audit Framework
  15 Screenshots
W3af is a web application attack and audit framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. The w3af core and it's plugins are fully written in python.

The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much.

Main features:

  • urllib2 wrapper:
  • In order to send requests to te remote server w3af uses urllib2. The xUrllib module of w3af is a wrapper of urllib2 to make the plugin writer life easier, using this wrapper a plugin writer can forget about proxy's, proxy auth, basic/digest auth, etc. This is the complete list of features provided by xUrllib...
  • Proxy
  • Proxy auth ( basic and digest )
  • Site auth ( basic and digest )
  • Gracefully handle timeouts
  • UserAgent faking
  • Add custom headers to requests
  • Cookie handling
  • Local cache for GET and HEAD requests
  • Local dns cache, this will speed up scannings. Only one request is made to the DNS server
  • Keep-alive support fot http and https connections
  • File upload using multipart POST requests
  • SSL certificate support
  • Output Management:
  • w3af provides plugin writers with an abstraction layer for data output using the Output Manager. The output manager can also be extended using plugins and can be used for writing results to a txt/html file or sending them over the network using scp, the options are endless. Available ouput plugins are...
  • Console
  • Text file
  • Web Service support:
  • w3af knows how to parse WSDL files, and audit webservices. Plugin developers can write a simple plugin that will be able to find bugs in web services and also in common HTTP applications.
  • HTTP headers fuzzing:
  • w3af supports finding bugs in HTTP headers with great ease!
  • IPC:
  • IPC ( inter plugin communication :P) can easily be done using the knowledge base, another w3af feature thats really usefull for plugin developers.
  • Session saving:
  • Framework parameters can be saved to a file using the sessionManager. After that, you can load the settings and start the same scan again without configuring all parameters.
  • Fuzzer:
  • Right now w3af has a really simple fuzzer, but we have plans to extend it. Fuzzers are great, we know it.
  • HTML / WML parsing:
  • w3af provides HTML / WML parsing features that are really easy to use.

last updated on:
April 4th, 2009, 8:04 GMT
license type:
GPL (GNU General Public License) 
developed by:
Andres Riancho
ROOT \ Security
Download Button

In a hurry? Add it to your Download Basket!

user rating 3



Rate it!
15 Screenshots
What's New in This Release:
  • A LOT of bug fixes
  • Replaced pywordnet with nltk
  • Removed getOptionsXML and added a more pythonic getOptions
  • mySQLWebShell was replaced by a more generic sql_webshell
read full changelog

Add your review!