“[w3af] is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
Use w3af to identify more than 200 vulnerabilities and reduce your site’s overall risk exposure. Identify vulnerabilities like SQL Injection, Cross-Site Scripting, Guessable credentials, Unhandled application errors and PHP misconfigurations.”
This tool is described on the official website as having “three main sections”:
- The core, which coordinates the whole process and provides libraries for using in plugins.
- The user interfaces, which allow the user to configure and start scans.
- The plugins, which find links and vulnerabilities
In order to install w3af without error, you will need the most recent versions of Git client, Python, and Pip. After that, the installation itself is easy.
For Linux users:
- apt-get update
- apt-get install -y w3af – (continue below if latest version is not installed)
- cd ~
- apt-get update
- apt-get install -y python-pip w3af
- pip install --upgrade pip
- git clone https://github.com/andresriancho/w3af.git
- cd w3af
- . /tmp/w3af_dependency_install.sh
After installation, open up w3af. It’s time to get familiar with our nifty little tool.
- Under profiles, select “full_audit” (or whatever you prefer)
- Select “Yes”
- Insert your targeted address next to “Target:”
- Select “Scan” (and select any specific plugins)
- After the scan is complete, you will see a log of vulnerabilities
- Navigate to “Results” and then “KB browser” for more details
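The same scan can be run without the GUI by feeding w3af_console a script file. The following is an added example, not taken from the original page or the w3af project: the helper name make_w3af_script, the file names and the localhost target are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the page or the w3af project.
# make_w3af_script is a hypothetical helper; file names are placeholders.

# Write a w3af_console script that mirrors the GUI steps:
# full_audit profile, one target, findings logged to a text file.
make_w3af_script() {
    target=$1
    script=$2
    report=${3:-w3af-report.txt}

    # The target is written into a command file line by line, so reject
    # anything that is not a single http(s) URL without whitespace.
    case $target in
        *[[:space:]]*) echo "target must not contain whitespace" >&2; return 1 ;;
        http://?*|https://?*) ;;
        *) echo "target must be an http(s) URL" >&2; return 1 ;;
    esac

    cat > "$script" <<EOF
profiles
use full_audit
back
plugins
output console,text_file
output config text_file
set output_file $report
back
back
target
set target $target
back
start
exit
EOF
}

# Usage (run from the w3af checkout, against a site you operate):
#   make_w3af_script "http://localhost:8080/" scan.w3af
#   ./w3af_console -s scan.w3af
```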
If you navigate to “URLs”, PHP-based URLs will also appear. Likewise, the “Exploit” tab explains the targeted site’s vulnerability type.
In conclusion, there is no doubt that w3af is an ideal tool for people running their own websites. This tool is also useful for pen-testing (and general curiosity when browsing shady websites).