W3af – Web Application Attack and Audit Framework

W3af is a GUI based framework that helps in auditing and identifying vulnerabilities in web applications. The tool is loaded with a number of useful plugins that can scan a website for more than 200 types of vulnerabilities. The currently available plugins include audit, auth, bruteforce, crawl, evasion, grep, infrastructure and mangle. Each plugin has a different set of scan goals. For example, the audit plugin gives the option to scan a website for a number of vulnerabilities, such as sql injections, buffer overflow vulnerabilities, shell shock vulnerabilities, cross-site scripting, page extension vulnerabilities, phishing vectors, and os commanding. Similarly, the crawl plugin scans the target web application for backdoor exploits, issues in directories, and subdirectories vulnerabilities.

How to Install W3af

W3af can be installed from the github repository using the following command.

git clone https://github.com/andresriancho/w3af.git

The dependencies can be installed using the following commands.

cd w3af
./w3af_console
. /tmp/w3af_dependency_install.sh

How W3af Works

W3af GUI can be launched using the following command.

w3af_gui

The command opens the W3af user interface window as shown in the following screenshot.  The GUI window contains a list of profiles and scanning options in the form of plugins. One can set a custom profile to configure the scan options or we can select one of the pre-configured profiles to scan the target web application.

Let’s suppose we want to scan a website for possible backdoors. To accomplish this task, we need to select the backdoor related plugin from the list and start the scan process. The tool tests the target website with a number of backdoor urls. If the backdoor does not exist, the website returns a 404 (not found) code, as shown in the following screenshot.The details can be analyzed in the ‘results’ tab of GUI.

Positive Aspects

W3af has a wide range of plugins that can perform audit and scan web applications for 200+ vulnerabilities. Definitions are provided for each parameter used in the plugin for understanding the functionality of the parameters used in the plugins. The GUI interface provides a more user-friendly way of analyzing the scan results.

What Bunny rating does it get?

W3af has a wide range of plugins that can perform audit and scan web applications for 200+ vulnerabilities. Definitions are provided for each parameter used in the plugin for understanding the functionality of the parameters used in the plugins. The GUI interface provides a more user-friendly way of analyzing the scan results. 4 out of 5 bunnies.

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

Do you know of another GitHub related hacking tool?

Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients