This plugin is a local proxy that gives the framework knowledge about a web application that has a lot of client-side code, such as Flash or Java applets. Whenever w3af needs to test an application that uses Flash or JavaScript, the user should enable this plugin and use a web browser to navigate the site through the spider_man proxy. The proxy extracts information from the user's navigation and generates the necessary injection points for the audit plugins.

Another feature of this plugin is saving the cookies sent by the web application so that other plugins can use them. If your web application has a login with cookie-based session management, enable this plugin, log in through the browser, and then let the other plugins spider the rest of the application for you.

Important note: If you enable web_spider, you should ignore the “logout” link.

Two configurable parameters exist:

  • listen_address
  • listen_port

Plugin type



| Name | Type | Default Value | Description | Help |
|------|------|---------------|-------------|------|
| listen_address | string | | IP address that the spider_man proxy will use to receive requests | No detailed help available |
| listen_port | integer | 44444 | Port that the spider_man HTTP proxy server will use to receive requests | No detailed help available |
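
The login-then-crawl workflow described above can also be fed from a script instead of a browser when the requests are already known. The following is an added example, not code from the w3af project: it routes a scripted login through the proxy on listen_address and listen_port and keeps the session cookie for later requests. The address 127.0.0.1, the target host, the paths and the form field names are assumptions, and a scripted client does not execute Flash or JavaScript.

```python
import http.cookiejar
import urllib.parse
import urllib.request

# listen_port is the default from the options table; the address is an
# assumption, since the page lists no default for listen_address.
LISTEN_ADDRESS = "127.0.0.1"
LISTEN_PORT = 44444


def build_session(listen_address=LISTEN_ADDRESS, listen_port=LISTEN_PORT):
    """Return (opener, cookie_jar) that send plain-HTTP traffic via the proxy."""
    proxy = "http://%s:%d" % (listen_address, listen_port)
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy}),   # route through spider_man
        urllib.request.HTTPCookieProcessor(jar),        # keep the session cookie
    )
    return opener, jar


def replay(opener, steps, timeout=10):
    """Send each (method, url, form_fields) step; return the HTTP status codes."""
    statuses = []
    for method, url, fields in steps:
        body = urllib.parse.urlencode(fields).encode() if fields else None
        request = urllib.request.Request(url, data=body, method=method)
        with opener.open(request, timeout=timeout) as response:
            response.read()
            statuses.append(response.status)
    return statuses


# Constructed sample navigation: hypothetical target, paths and field names.
SAMPLE_STEPS = [
    ("POST", "http://target.example/login", {"user": "tester", "pass": "secret"}),
    ("GET", "http://target.example/account?id=1", None),
]

if __name__ == "__main__":
    session, cookies = build_session()
    print(replay(session, SAMPLE_STEPS))
    print([cookie.name for cookie in cookies])
```

Each request reaches the proxy with its full URL and parameters, which is the information the proxy needs to build injection points; HTTPS targets are not covered by this sketch.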


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
Plugin source code
Unittest source code


This plugin has no dependencies.