Thursday, August 9, 2012

11:24 PM


W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.

 w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. To read our short and long term objectives, please click over the Project Objectives item in the main menu. This project is currently hosted at SourceForge , for further information, you may also want to visit w3af SourceForge project page .

Project news

  • w3af - And now, with a stable core - Wed, 25 May 2011 13:10:06 GMT
    • Since our latest w3af release in mid January, and our new windows installer release a couple of months ago, we've got lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code-base is no joke, it requires countless hours of writing unit-tests, running w3af scripts and most importantly: fixing bugs. Now, finally we're here!

      In this latest release, we bring you a couple of the most important improvements of our framework:
      * Stable code base, an improvement that will reduce your w3af crashes to a minimum. We've been working on fixing all of our long-standing bugs, wrote thousands of lines of doctests and various types of automation to make sure we can also keep improving without breaking other sections of the code.

      * Auto-Update, which will allow you to keep your w3af installation updated without any effort. Always get the latest and greatest from our contributors!

      * Web Application Payloads, for people that enjoy exploitation techniques, this is one of the most interesting things you'll see in web application security! We created various layers of abstraction around an exploited vulnerability in order to be able to write payloads that use emulated syscalls to read, write and execute files on the compromised web server. Keep an eye on this blog for an entry completely dedicated to this subject!

      * PHP static code analyzer, as part of a couple of experiments and research projects, Javier Andalia created a PHP static code analyzer that performs tainted mode analysis of PHP code in order to identify SQL injections, OS Commanding and Remote File Includes. At this time you can use this very interesting feature as a web application payload. After exploiting a vulnerability try: "payload php_sca", that will download the remote PHP code to your box and analyze it to find more vulnerabilities!

      And many others, such as:
      * Refactoring of HTTP cache and GTK user interface code to store HTTP requests only once on disk (5% performance improvement)
      * Performance improvement in sqlite database by using indexes (1% performance improvement)
      * Huge w3af code-base refactoring on how URLs are handled. Moved away from handling URLs as strings into a url_object model. This reduces the number of times a URL is parsed into its component pieces (protocol, domain, path, query string, etc.) and put back together into a string, which clarifies the code and makes it run faster.

      We have a stable release, w00t! Hmmmm.... have we finished? Should we go home? No! We still have work to do; there are still features and capabilities we'd like to add. For example,as you read this, we're working on integrating the multiprocessing module into w3af's code, with the objective of using more than one CPU core at the same time and substantially improve our scanning speed. We're also working on handling of encodings by the use of unicode strings across the whole framework, and making the user experience more intuitive by changing bits and pieces of the graphical user interface.

      As usual, you can get our latest installable packages from the download section of this site, just download and enjoy our latest improvements!

  • w3af 1.0-rc5: Better, Stronger, Faster - Tue, 18 Jan 2011 18:26:49 GMT
    • Since our latest release back in November, the w3af team has focused on making the framework better, stronger and faster. By downloading this release you'll be able to enjoy new vulnerability checks, more stable code and a about 15% performance boost in the overall speed of your scan. Here's what's new:

      * Now using bloom filters instead of sqlite3 databases, which are persistent on disk, effectively increasing scan performance by about 15%!
      * Fixed most of the bugs that cause w3afMustStopExceptions and wrote debugging code to allow us to identify the remaining ones.
      * Based on many community requests we've updated our XML output plugin and wrote an XSD file to help other tools parse the output from our scanner.
      * Added new plugin to measure the number of hops for port 80 vs 443 and perform a comparison. Which is useful to identify load balancers, reverse proxies and any other network appliances.

      On top of that, we've also worked on writing unit tests and a continuous integration system that we'll use for testing our code each night. When we complete this task, we'll be able to deliver high quality code on each release, with fewer bugs and no regressions.

  • 1.0-rc4 is ready for you to download! - Tue, 02 Nov 2010 16:21:59 GMT
    • This is one of those great moments in the life of a project, a moment that I've been dreaming about for a couple of years. We're releasing a new version of w3af, but that's not important. The major achievement is the story behind the release, the effort put in this release by all the contributors, Javier Andalia (our core developer) and Rapid7 (the company that allows all this to happen).

      For the first time in the project's life, we have a roadmap [0] , a prioritized backlog [1] and a structured development process we follow to deliver new features and fixing bugs.

      The efforts for this release have been major, some of them haven been really organized like our sprints that started one month ago [2][3] and some others can be tracked through the SVN logs, like Taras' great improvements of the GUI.

      Just to name a few things we've done for this release:
      * We've written new HOWTO documents for our users
      * Considerably improved the speed of all grep plugins
      * Replaced Beautiful Soup by the faster libxml2 library
      * Introduced the usage of XPATH queries that will allow us to improve performance and reduce false positives
      * Fixed hundreds of bugs

      On this release you'll also find that after exploiting a vulnerability you can leverage that access using our Web Application Payloads, a feature that we developed together with Lucas Apa from Bonsai Information Security. These payloads allow you to escalate privileges and will help you get from a low privileged vulnerability (e.g. local file read) to a remote code execution. In order to try them, exploit a vulnerability, get any type of shell and then run any of the following commands: help, lsp, payload tcp (the last one will show you the open connections in the remote box).

      We still have tons of things to do, but for the first time in the project's life we have a defined process that will make us achieve our objectives.
  • w3af On the Rise - Wed, 28 Jul 2010 15:32:39 GMT
    • I have been passionate about the Web application security field for years which is why I developed w3af. Some have even it called it the “Metasploit” of Web application security. Over the last year or so, I have been thinking how I can personally help to raise the bar for Web application security even further and turn w3af into one of the leading open source security projects.

      I am therefore very excited that today I am announcing that Rapid7 is sponsoring the w3af project and that I will be joining Rapid7 as Director of Web security to spearhead Rapid7’s worldwide Center of Excellence (COE) for Web security. The first immediate result of the sponsorship is that I have already hired a first employee at the COE and will be looking to staff several other engineering positions here in Argentina.

      To be clear, Rapid7 is not acquiring w3af. I will keep the keep the project open source, with no plans to change the license or the community development model. What will be changing is how fast we integrate new features, and release new versions with Rapid7’s support. I will still be involved in w3af's development process with the classical role of project leader (or Benevolent Dictator For Life or BDFL as some like to call it), but with more time to design the heuristics and algorithms required to maintain the framework as a world class Web application security solution. By creating a COE and sponsoring w3af, Rapid7 will benefit from the extensive security research experience of w3af and use this to enhance its existing NeXpose product line.

      I am so excited about the sponsorship and me joining Rapid7 for a number of reasons.

      First, Rapid7 has proven that they understand the community and how the cross pollination between open source and commercial solutions can lead to exceptional results. Proof in point is the way Rapid7 has handled the Metasploit Project. It has created commercial versions on top of the open source framework while at the same time accelerating the value of the project. Since getting involved with Metasploit in October 2010, Rapid7 has funded a full-time development team for Metasploit and has released five versions of the open source framework.

      Second, Rapid7 has amazing products and technology.Rapid7 has been developing an amazing vulnerability management product in the market for 10 years and has now gained a leadership position in penetration testing with the support of Metasploit as well. What stood out particularly for me is what investment Rapid7 has already made in Web application security. NeXpose is the only vulnerability management solution that has scanning capabilities that address Web 2.0 and AJAX technologies. With this functionality as a baseline, I truly believe that the cross-pollination of w3af and Rapid7 NeXpose will lead to best in class Web application security technology in the near future.

      Lastly, w3af will only get better. It will remain free. Like with the Metasploit Framework, w3af will still be open source, which is the reason why it has been so successful. w3af's license and copyrights remain the same. What will change is that you will see a lot more support behind the project. As a matter of fact I am hiring right now so if you are a developer with Python skills and are good at Web application security, please contact me at

  • Release candidate three is out! - Wed, 31 Mar 2010 02:55:20 GMT
    • The development team is proud to announce a new w3af release! Some of the features of the 1.0-rc3 version are:

      * Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
      * Increased speed by rewriting parts of the thread management code
      * Fixed tons of bugs
      * Reduced memory usage
      * Many plugins were rewritten using different techniques that use less HTTP requests to identify the same vulnerabilities
      * Reduced false positives

Click : Download


Post a Comment