This plugin finds remote file inclusion vulnerabilities. Three configurable parameters exist:

  • listen_address
  • listen_port
  • use_w3af_site

There are two ways of running this plugin, the most common one is to use w3af’s site ( as the URL to include. This is convenient and requires zero configuration but leaks information about vulnerable sites to staff. The second way to configure this plugin runs a webserver on the box running w3af on the IP address and port specified by “listen_address” and “listen_port”. This method requires the target web application to be able to contact the newly created server and will not work unless you also configure your NAT router and firewalls (if any exist).

Plugin type



Name Type Default Value Description Help
listen_address string IP address that the webserver will use to receive requests w3af runs a webserver to serve the files to the target web application when doing remote file inclusions. This setting configures where the webserver is going to listen for requests.
listen_port port 44449 TCP port that the webserver will use to receive requests No detailed help available
use_w3af_site boolean True Use w3af site to test for remote file inclusion The plugin can use the w3af site to test for remote file inclusions, which is convenient when you are performing a test behind a NAT firewall.


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
github-logoPlugin source code
Unittest source code


This plugin has no dependencies.