This is w3af’s FAQ, we tried to make it short and sweet, if we’re missing something let us know!

General

• What is w3af?

  w3af is a Web Application Attack and Audit Framework. In other words, a software that will identify vulnerabilities in web applications by sending specially crafted HTTP requests to it.

• Who is behind this project?

  Mainly me, Andres Riancho, but others individuals and sponsors have helped a lot since the beginning.

• Why are you doing this?

  Many reasons:

  • I want to give back something to the Open Source community
  • To automate the process of web application testing, which is something I perform on a regular basis
  • To learn about the dynamics around an Open Source project
  • To learn Python
• What is the main goal of this project?

  The full answer can be found here, but if you need to know now: “To be the best Web Application Security Scanner”.

• What's w3af's license?

  w3af is released under GPLv2.0

• What's a plugin?

  A w3af plugin is a piece of Python code that extends the framework functionality by providing new ways to extract URLs or finding vulnerabilities

• Are there any videos I can watch?

  Sure, we’ve selected the best w3af presentation videos for you to watch here.

Contribute

• I want to write a plugin, where do I start?
  1. First of all, let us know what you’re doing: Get in touch with us
  2. Verify that the plugin you’re thinking about isn’t implemented already. Here’s the plugin list.
  3. Learn Python
  4. Create a fork of our Github project
  5. Copy+Paste an existing plugin that does something similar to what you’re trying to do
  6. Modify the old plugin until it does what you want
  7. Test it
  8. Submit a pull request
• Where do I submit bugs?

  Bugs should be submitted to our GitHub project.

• As a framework, which tools does w3af provide to plugin writers?

  The complete answer to this question is here.

Exploitation

• Can I use w3af to exploit vulnerabilities?

  Yes, it’s one of w3af’s main features.

• What's a web application payload?

  Once you successfully exploit a vulnerability using w3af, the framework provides payloads that will use the system calls exposed by the application vulnerability to extract information, elevate privileges and execute operating system commands. You can think about them as payloads (in terms of Metasploit framework) but for the Web. This video will explain it better: