As a framework w3af provides developers that want to extend it via plugins the following features:


Our framework implements web and proxy servers which are easy to integrate into your code in order to identify and exploit vulnerabilities.

Fast HTTP Client

w3af has wrapped urllib2 in a thread-safe way and with lots of extensions (Keep-Alive, Gzip, Logging, etc.) which allow you to send specially crafted HTTP requests at lightning speeds. Other features offered by the HTTP client are:

  • Proxy support
  • HTTP Basic and Digest authentication
  • UserAgent faking
  • Add custom headers to requests
  • Cookie handling
  • HTTP response cache
  • DNS cache
  • File upload using multipart

Output Manager

Logging is one of the most important features of any framework and we’ve developed various types of logging methods for you to consume in the custom code. Output can be written to:

The XML file is ideal for you to integrate w3af into your company SDLC, since it provides all the information about the vulnerabilities that were detected during the scan Vulnerability name, Vulnerability description, HTTP requests and responses, etc. and validates against our XSD.

Fuzzing engine

w3af can inject your payloads into almost every part of the HTTP request:

  • Query string
  • POST-data
  • Headers
  • Cookie values
  • Multipart/form file content
  • URL filename
  • URL path

The fuzzing engine can be configured using the misc-settings menu, since not all of these injection points are enabled by default, make sure you check which ones you need before starting a scan.

Knowledge base

All vulnerabilities, information disclosures, and anything valuable identified by one plugin will be stored in a knowledge base which is accessible by all the other plugins. Writing a plugin that requires a XSS vulnerability to run? No problem, simply add the audit.xss plugin as a dependency and wait for it to store the vulnerabilities into the KB.


The framework tries very hard to parse and extract links and forms from any HTML that’s found during the crawling phase. Support for various encodings and broken HTML tags is built-in.