w3af – Web Application Attack and Audit Framework

w3af is not a standard web application scanner; it is an extensible framework that lets a penetration tester combine automated web application scanning with manual security testing, using a constantly updated set of plugins. The scanner can identify more than 200 vulnerabilities, including Cross-Site Scripting, SQL injection and OS commanding.


Plugins are central to w3af: they extend the framework in various ways, such as finding new vulnerabilities, identifying new URLs and writing results to different file types. The plugins are coordinated by the core strategy and consume the core's features.

The plugins fall into the following categories:

  • Attack plugins – exploit the vulnerabilities discovered during the scan.
  • Bruteforce plugins – automatically find login forms while crawling and bruteforce them using knowledge about the remote web application (users, password profiling, etc.).
  • Auth plugins – let the user scan web applications protected by authentication. They log in at the beginning of the scan, log out at the end and regularly check that the session is still active.
  • Crawl plugins – use different techniques to identify new URLs, forms and any other resource that might be useful during the audit and bruteforce phases.
  • Evasion plugins – modify requests in order to bypass IPS detection.
  • Grep plugins – analyze every request and response to find errors, cookies, e-mail addresses, comments and much more information about the target web application.
  • Infrastructure plugins – use different techniques to identify the remote operating system, HTTP daemon, web application firewalls, remote users and any other information that relates to the target web application but is not in its source code.
  • Mangle plugins – modify requests on the fly.
  • Output plugins – let the user configure how the framework shows its results and reports.
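The following w3af_console script is an added example, not part of the original post or of the w3af project: it enables plugins from the crawl, grep, infrastructure and output categories listed above to run a passive information-gathering pass and write a text report. The target URL and report path are placeholders (assumed values for a staging host); run it with `./w3af_console -s staging-passive.w3af`.

```text
# staging-passive.w3af  (added example; target is a placeholder staging host)
plugins
# Output category: show results on the console and write a text report
output console,text_file
output config text_file
set output_file /tmp/w3af-staging-report.txt
back
# Crawl category: discover URLs and forms, staying below the start URL
crawl web_spider
crawl config web_spider
set only_forward True
back
# Grep category: inspect every response for error pages, HTML comments and e-mail addresses
grep error_pages,html_comments,get_emails
# Infrastructure category: identify the HTTP daemon from its Server header
infrastructure server_header
back

target
set target http://staging.example.invalid/
back

start
```

Because no attack, bruteforce or audit plugins are enabled, the run only maps the application and reports what the grep and infrastructure plugins observe in normal responses.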

You can read more about the framework and download it here: https://w3af.org/
