W3af is a GUI-based framework that helps in auditing and identifying vulnerabilities in web applications. The tool is loaded with a number of useful plugins that can scan a website for more than 200 types of vulnerabilities. The currently available plugin types are audit, auth, bruteforce, crawl, evasion, grep, infrastructure and mangle. Each plugin type has a different set of scan goals. For example, the audit plugins give the option to scan a website for a number of vulnerabilities, such as SQL injection, buffer overflow vulnerabilities, Shellshock, cross-site scripting, page extension vulnerabilities, phishing vectors, and OS commanding. Similarly, the crawl plugins scan the target web application for backdoors and for vulnerabilities in its directories and subdirectories.
How to Install W3af
W3af can be installed from the github repository using the following command.
git clone https://github.com/andresriancho/w3af.git
The dependencies can be installed using the following commands.
cd w3af
./w3af_console
. /tmp/w3af_dependency_install.sh
How W3af Works
W3af GUI can be launched using the following command.
./w3af_gui
The command opens the W3af user interface window as shown in the following screenshot. The GUI window contains a list of profiles and scanning options in the form of plugins. One can either set up a custom profile to configure the scan options or select one of the pre-configured profiles to scan the target web application.
Let’s suppose we want to scan a website for possible backdoors. To accomplish this task, we need to select the backdoor-related plugin from the list and start the scan process. The tool tests the target website with a number of backdoor URLs. If the backdoor does not exist, the website returns a 404 (Not Found) code, as shown in the following screenshot. The details can be analyzed in the ‘Results’ tab of the GUI.
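Seen from the web server's side, a backdoor scan like the one described above is a burst of 404s for many different guessed paths from a single client. The following added example (not part of the original post and not w3af's own code) parses constructed combined-format access log lines and flags clients whose recent requests are dominated by 404s to distinct paths; the IPs, paths and the "w3af.org" User-Agent in the sample are assumed values, not captured data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format. Everything below is constructed sample data.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = [
    # ordinary visitor: one missing favicon is not a scan
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /about.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
] + [
    # scanner: ten different guessed paths in ten seconds, every one answered 404
    # (the User-Agent string is an assumed value for illustration)
    f'198.51.100.9 - - [10/Mar/2024:12:01:{i:02d} +0000] "GET /guess-{i}.php HTTP/1.1" 404 210 "-" "w3af.org"'
    for i in range(10)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_probing_clients(lines, window_s=60, min_404=8, min_ratio=0.8):
    """Return {ip: (n_404, n_requests, n_distinct_404_paths)} for every client that,
    within some window of `window_s` seconds, made at least `min_404` requests answered
    404 to that many distinct paths, with 404s making up at least `min_ratio` of its traffic."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over this client's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            missing = {r["path"] for r in window if r["status"] == 404}
            n404 = sum(1 for r in window if r["status"] == 404)
            if n404 >= min_404 and len(missing) >= min_404 and n404 / len(window) >= min_ratio:
                flagged[ip] = (n404, len(window), len(missing))
                break  # first window that trips the rule is enough to flag the client
    return flagged
```

The thresholds are deliberately conservative so that a visitor with a handful of broken links is not reported; tune `min_404` and `window_s` to the site's normal 404 rate.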
Positive Aspects
W3af has a wide range of plugins that can perform audit and scan web applications for 200+ vulnerabilities. Definitions are provided for each parameter used in the plugin for understanding the functionality of the parameters used in the plugins. The GUI interface provides a more user-friendly way of analyzing the scan results.
What Bunny rating does it get?
4 out of 5 bunnies.