Web Application Security Scanner: w3af

Type n0where
Reporter N0where
Modified 2010-06-25T20:53:00


_ w3af is a Web Application Attack and Audit Framework _

The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.


Identify and exploit a SQL injection

One of the most difficult parts of securing your application is to identify the vulnerable parameters and define the real risk. This video shows how to easily identify and exploit SQL injection vulnerabilities. As bonus the video shows how to extract information using web application payloads.

Batteries included

Want to know more about the low-level features provided by our framework? Go through our features page in order to understand what’s under the hood.

Plugin architecture

Vulnerabilities are identified using plugins , which are short and sweet pieces of Python code that send specially crafted HTTP requests to forms and query string parameters to identify errors and mis-configurations.


Easy to use for novice users, fully customizable for hackers and developers. We’ve built it that way.

Expert tools

Besides the automated scanning features w3af’s GUI provides expert tools which allow the advanced users to manually craft and send custom HTTP requests, generate requests in an automated manner, cluster HTTP responses and more!

w3af is a simple tool to use once you understand the basic concepts behind it, our FAQ and the framework’s feature list will introduce you to the overall idea, but this document will dive into w3af and explain all you need to know before running a scan.

Web Application Scanning

Black-box web application scanning, if we abstract from the details, is a simple process:

  1. Identify all links, forms, query string parameters.
  2. Send specially crafted strings to each input and analyze the output
  3. Generate a report with the findings

Due to various reasons that won’t be discussed in this document, this process is actually very complex and false positive/negative prone if done without the right tools.

w3af’s architecture

The w3af framework is divided into three main sections:

  1. The core, which coordinates the whole process and provides libraries for using in plugins.
  2. The user interfaces, which allow the user to configure and start scans
  3. The plugins, which find links and vulnerabilities

w3af’s phases

w3af follows the steps you would perfom in a web application penetration test, see “Web Application Scanning” above. In order to do so it defines different types of plugins which are going to be called by the core in a specific order.

Starting with a target URL provided by the user, w3af will first try to identify all URLs, forms and query string parameters in the application by the means of crawl plugins . A very good example of this type of plugin is the web_spider which will extract URLs from a page, follow those links and once again extract URLs from it. Following that process it will create a complete application link and form map.

Once the application has been mapped, audit plugins will send specially crafted strings to each parameter in order to trigger bugs in the application’s code. When a bug is found it will be reported to the user. The most used audit plugin is sqli which will find error-based SQL injections.

Identified vulnerabilities, debug and error messages, all are reported to the user with output plugins . These plugins will write the messages in different formats to suit your needs. In most cases a text file is what users need, but for integration into other tools XML file format is also available.

Web Application Security Scanner w3af


The framework can be configured using two very different settings: plugin configuration and global configuration.

Plugin configuration

Plugins might have configuration parameters, in all cases where the plugin has a setting a default value has been set. We recommend you read the setting help and in some cases the plugin source code in order to understand exactly what will happen if you change the configuration.

Global configuration

The framework-wide configuration settings change the core’s behavior and are split in two: http-settings and misc-settings. As with the plugin configuration, all settings in the global configuration have a default value and should be changed with care. Changing a setting here might reduce the scanner’s performance, have the framework generate thousands of unnecessary HTTP requests, etc.

Saving your settings

All user defined settings can be saved using profiles, this helps users run their scans multiple times and in some cases run them with slightly different configurations. Creating, saving and loading profiles is an easy task that’s done from within the user interface.

Web Application Security Scanner main

HowTo ?

Before diving into our HOWTO documents we recommend you go through understanding the basics document which will help you understand some concepts used in the next sections.

Web Application Security Scanner w3af documentation

Third-party HOWTOs and documents

Although we would like to have all HOWTO documents in our site, others have written excelent documents about w3af at third-party sites and we think you might find them interesting as well.


If you’re a Linux, BSD or Mac user we recommend you download the source from our GitHub repository:

    git clone https://github.com/andresriancho/w3af.git
    cd w3af

After running this command you’ll get a list of unmet dependencies and the commands to be run in order to install them. Best case scenario, you’ll have w3af up and running in just a few minutes and only by running the commands returned by w3af_gui .

The framework has two different sets of dependencies, one for the GUI and one for the Console, in case you don’t want to use the GUI, just run w3af_console and install those dependencies.

windows While old versions of w3af worked on Windows the latest version of w3af hasn’t been tested on this platform.

Mainly because of the project’s goals and objectives, Team is not planning to update the Windows installer unless we get funding for it through the “A Windows installer for w3af” crowdfunding project.

Source && Download

Web Application Security Scanner w3af download