

    w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. To read our short- and long-term objectives, please click the Project Objectives item in the main menu. This project is currently hosted at SourceForge; for further information, you may also want to visit the w3af SourceForge project page.

    If you are here just to "take a look" please watch the w3af video demos!


Project news



  • w3af On the Rise - Wed, 28 Jul 2010 15:32:39 GMT
    • I have been passionate about the Web application security field for years, which is why I developed w3af. Some have even called it the “Metasploit” of Web application security. Over the last year or so, I have been thinking how I can personally help to raise the bar for Web application security even further and turn w3af into one of the leading open source security projects.

      I am therefore very excited that today I am announcing that Rapid7 is sponsoring the w3af project and that I will be joining Rapid7 as Director of Web security to spearhead Rapid7’s worldwide Center of Excellence (COE) for Web security. The first immediate result of the sponsorship is that I have already hired a first employee at the COE and will be looking to staff several other engineering positions here in Argentina.

      To be clear, Rapid7 is not acquiring w3af. I will keep the project open source, with no plans to change the license or the community development model. What will be changing is how fast we integrate new features and release new versions with Rapid7’s support. I will still be involved in w3af's development process with the classical role of project leader (or Benevolent Dictator For Life, or BDFL, as some like to call it), but with more time to design the heuristics and algorithms required to maintain the framework as a world class Web application security solution. By creating a COE and sponsoring w3af, Rapid7 will benefit from the extensive security research experience of w3af and use this to enhance its existing NeXpose product line.

      I am so excited about the sponsorship and me joining Rapid7 for a number of reasons.

      First, Rapid7 has proven that they understand the community and how the cross pollination between open source and commercial solutions can lead to exceptional results. Proof in point is the way Rapid7 has handled the Metasploit Project. It has created commercial versions on top of the open source framework while at the same time accelerating the value of the project. Since getting involved with Metasploit in October 2010, Rapid7 has funded a full-time development team for Metasploit and has released five versions of the open source framework.

      Second, Rapid7 has amazing products and technology. Rapid7 has been developing an amazing vulnerability management product in the market for 10 years and has now gained a leadership position in penetration testing with the support of Metasploit as well. What stood out particularly for me is the investment Rapid7 has already made in Web application security. NeXpose is the only vulnerability management solution that has scanning capabilities that address Web 2.0 and AJAX technologies. With this functionality as a baseline, I truly believe that the cross-pollination of w3af and Rapid7 NeXpose will lead to best in class Web application security technology in the near future.

      Lastly, w3af will only get better. It will remain free. Like with the Metasploit Framework, w3af will still be open source, which is the reason why it has been so successful. w3af's license and copyrights remain the same. What will change is that you will see a lot more support behind the project. As a matter of fact I am hiring right now so if you are a developer with Python skills and are good at Web application security, please contact me at andres_riancho@rapid7.com.

  • Release candidate three is out! - Wed, 31 Mar 2010 02:55:20 GMT
    • The development team is proud to announce a new w3af release! Some of the features of the 1.0-rc3 version are:

      * Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
      * Increased speed by rewriting parts of the thread management code
      * Fixed tons of bugs
      * Reduced memory usage
      * Many plugins were rewritten using different techniques that use fewer HTTP requests to identify the same vulnerabilities
      * Reduced false positives

  • FreeBSD port! - Wed, 17 Mar 2010 02:06:48 GMT
    • Sofian Brabez, our FreeBSD expert, has updated the FreeBSD port of w3af to the 1.0-rc2 version and committed it to the FreeBSD ports source tree. If you're using FreeBSD, now you have one more reason to use w3af and make your life easier when hacking web applications.

  • w3af in the official Debian repositories - Fri, 22 May 2009 13:43:41 GMT
    • Thanks to the help of Luciano Bello, w3af made it to the official Debian repositories. For now, the package is only on the unstable branch, but for the dare-devils that use it, you can now install w3af by issuing "apt-get install w3af".

      This is also good news for all the Debian based distributions (like Ubuntu), because w3af will be available for them as a package too.

  • Releasing 1.0-rc2 , 1.0 is getting closer... - Fri, 03 Apr 2009 22:27:06 GMT
    • The w3af team is proud to announce the 1.0-rc2 release, which basically fixes some bugs in the 1.0-rc1 release and gets us closer to the stable 1.0 release.

      We would also like to ask all users to report their bugs and to perform intensive testing on the framework. Your feedback is invaluable to us.


Trainings and talks

A Web Application Security Training is going to be delivered by Andrés Riancho in Buenos Aires! This course is designed for developers, hackers, QA experts and even CSOs. Don't miss this opportunity to train yourself with one of the best professionals in the field.

Web application security course

Documentation

We are actively working on the documentation. The project's documentation is generated with epydoc. We think that documentation is a really important part of every Open Source project, and it will be taken very seriously.

Official documentation:

  • The w3af user's guide can be found here.
  • A French translation of the user's guide, made by Jerome Athias, can be found here.
  • The epydoc documentation for w3af can be found here.
  • The presentation materials used at the T2 conference can be found here.

External resources:
  • Josh Summit wrote a two-part tutorial on w3af on his blog: 1, 2.
  • Fuzion wrote a Windows installation tutorial on his blog.


Prerequisites and Installation

The installation procedure and the project prerequisites can be found in the user's guide, which is available here.


Mailing List and IRC channel

w3af has three mailing lists: one for users, where end users can ask questions about the framework's usage and features; a developers mailing list, where new features and advanced topics are discussed; and a third one, which is used to notify developers about svn commits and tasks that have been created.

The mailing lists are open for any questions regarding w3af, but please read the documentation, the user's guide and the mailing list archives before asking. For more information about the mailing lists, you can visit the SourceForge page:

    Mailing list information

The w3af project also has an official IRC channel, where users and developers join to exchange ideas:

    #w3af channel at the Freenode IRC network


License

w3af is an Open Source software package. It is licensed under the GNU General Public License Version 2.


Download

There are four different ways of getting your hands on w3af:

- Download one of the release packages, which include files for Windows and Linux.

- Get the latest (and unstable) version from the development SVN using this command:

      svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af

- Download the Samurai Live CD, which has w3af preinstalled with all the dependencies but at this point the LiveCD does not include 1.0-rc3.

- Or run "apt-get install w3af" on your Debian system and get 1.0-rc2.


Author

Andrés Riancho is an information security researcher, Director of Web security at Rapid7 and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, and contributed to SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, such as OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

For any issues with the framework, please subscribe to the mailing list and ask your questions there; for personal questions you can contact me at: andres -dot- riancho [at] gmail +dot+ com. This request is not in vain: if all w3af users send their emails directly to me and I answer them privately, no community is created and no synergy is achieved.
