w3af, the Web Application Attack and Audit Framework

Andres Riancho has released w3af 1.0, the Web Application Attack and Audit Framework.


This framework is written in Python and resembles Metasploit in having an architecture based on plugins:

  • Discovery plugins have only one responsibility: finding new URLs, forms, and other "injection points".
  • Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities.
  • Attack plugins' objective is to exploit vulnerabilities found by audit plugins. They usually return a shell on the remote server, or a dump of remote databases in the case of SQL injections.
  • Evasion plugins are used to try to evade IDSs.
  • Grep plugins are used to analyze every response that the server returns (no matter which plugin initiated the request) for interesting things.
  • Output plugins are used to write the output of other plugins and the framework itself into a convenient format.
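To make the plugin-type pipeline concrete, here is an added, hypothetical re-implementation of the pattern the list above describes (discovery feeds audit, grep runs over every response, output serialises the results). It is not w3af's own code or API; the class and function names are my own, the HTTP exchange is replaced by one constructed response so it runs offline, and the audit stage is a passive header/form check rather than one that sends crafted data.

```python
"""Minimal plugin-pipeline scanner in the style of the plugin types above.

Added, hypothetical example: NOT w3af's own API or code. The network is
replaced by a single constructed response (SAMPLE_*) so it runs offline.
"""
import json
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample response standing in for a real HTTP exchange (assumption).
SAMPLE_URL = "http://example.test/index.html"
SAMPLE_BODY = """<html><body>
<!-- TODO: remove debug endpoint /debug before launch -->
<a href="/about.html">About</a>
<a href="http://example.test/login">Login</a>
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password"></form>
</body></html>"""


@dataclass
class Response:
    url: str
    body: str


@dataclass
class InjectionPoint:
    url: str
    method: str
    params: list


@dataclass
class Finding:
    plugin: str
    url: str
    detail: str


class _LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form> actions with their input names."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links = []
        self.forms = []  # (action, method, [input names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = (urljoin(self.base, a.get("action", "")),
                          a.get("method", "get").lower(), [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


# discovery: turn one response into new URLs and injection points
def discovery_links_forms(resp):
    p = _LinkFormParser(resp.url)
    p.feed(resp.body)
    points = [InjectionPoint(action, method, names) for action, method, names in p.forms]
    return p.links, points


# audit: inspect each injection point (here a passive, defensive check)
def audit_password_over_http(points):
    """Flags forms that would submit a password field over cleartext HTTP."""
    return [Finding("audit_password_over_http", pt.url,
                    "password field posted over cleartext HTTP")
            for pt in points
            if "pass" in pt.params and pt.url.startswith("http://")]


# grep: runs over every response regardless of which plugin requested it
_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def grep_html_comments(resp):
    return [Finding("grep_html_comments", resp.url, "comment: " + m.strip())
            for m in _COMMENT_RE.findall(resp.body)]


# output: serialise everything the other plugins produced
def output_json(findings):
    return json.dumps([f.__dict__ for f in findings], indent=1)


def run_pipeline(resp):
    """Drives the plugin types in order, as the framework core would."""
    urls, points = discovery_links_forms(resp)
    findings = audit_password_over_http(points) + grep_html_comments(resp)
    return urls, points, findings


if __name__ == "__main__":
    urls, points, findings = run_pipeline(Response(SAMPLE_URL, SAMPLE_BODY))
    print("discovered:", urls)
    print(output_json(findings))
```

In a real crawler the URLs returned by the discovery stage would be fetched and fed back through `run_pipeline`, which is exactly why grep plugins are written to see every response rather than only the ones a particular plugin asked for.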

In order to use this tool efficiently, you can read the w3af Users Guide (PDF). I will post more on this framework, so stay tuned.


