How to Secure Web Applications with w3af

Out of all security scanners, w3af easily offers the best user-friendly interface with maximum amount of powerful execution. w3af’s official website explains their tool as:

“[w3af] is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

Use w3af to identify more than 200 vulnerabilities and reduce your site’s overall risk exposure. Identify vulnerabilities like SQL Injection, Cross-Site Scripting, Guessable credentials, Unhandled application errors and PHP misconfigurations.”

This tool is described on the official website as having “three main sections”:

  1. The core, which coordinated the whole process and provides libraries for using in plugins.
  2. The user interfaces, which allow the user to configure and start scans
  3. The plugins, which find links and vulnerabilities

In order to install w3af without error, you will need the most recent versions of Git client, Python, and Pip. After that, the installation itself is easy.

For Linux users:
  • apt-get update
  • apt-get install -y w3af – (continue below if latest version is not installed)
  • cd ~
  • apt-get update
  • apt-get install -y python-pip w3af
  • pip install –upgrade pip
  • git clone https://github.com/andresriancho/w3af.git
  • cd w3af
  • ./w3af_console
  • . /tmp/w3af_dependency_install.sh

After installation, open up w3af. It’s time to get familiar with our nifty little tool.

  • Under profiles, select “full_audit” (or whatever you prefer)
  • Select “Yes”
  • Insert your targeted address next to “Target:”
  • Select “Scan” (and select any specific plugins)
  • After the scan is complete, you will see a log of vulnerabilities
  • Navigate to “Results” and then “KB browser” for more details

If you navigate to URLs, php based url will also appear. Likewise, the Exploit tab will explain the targeted site’s vulnerability type. In conclusion, it’s no doubt that w3af is an ideal tool for people running their own websites. This tool is also useful for pen-testing (and general curiosity when browsing shady websites).

Related posts

How to Improve Your Cyber Resilience by Strengthening User Privileges

The Dark Side of Viral Content: How Negative Reviews Can Snowball

Testing Gaming Monetization: Walking the Line Between Profit and Player Experience