This is w3af’s FAQ, we tried to make it short and sweet, if we’re missing something let us know!


  • What is w3af?

    w3af is a Web Application Attack and Audit Framework. In other words, a software that will identify vulnerabilities in web applications by sending specially crafted HTTP requests to it.

  • Who is behind this project?

    Mainly me, Andres Riancho, but others individuals and sponsors have helped a lot since the beginning.

  • Why are you doing this?

    Many reasons:

    • I want to give back something to the Open Source community
    • To automate the process of web application testing, which is something I perform on a regular basis
    • To learn about the dynamics around an Open Source project
    • To learn Python
  • What is the main goal of this project?

    The full answer can be found here, but if you need to know now: “To be the best Web Application Security Scanner”.

  • What's w3af's license?

    w3af is released under GPLv2.0

  • What's a plugin?

    A w3af plugin is a piece of Python code that extends the framework functionality by providing new ways to extract URLs or finding vulnerabilities

  • Are there any videos I can watch?

    Sure, we’ve selected the best w3af presentation videos for you to watch here.



  • Can I use w3af to exploit vulnerabilities?

    Yes, it’s one of w3af’s main features.

  • What's a web application payload?

    Once you successfully exploit a vulnerability using w3af, the framework provides payloads that will use the system calls exposed by the application vulnerability to extract information, elevate privileges and execute operating system commands. You can think about them as payloads (in terms of Metasploit framework) but for the Web. This video will explain it better: