w3af, a tool to detect web vulnerabilities

w3af (Web Application Attack and Audit Framework) is an open source audit tool that lets you detect web vulnerabilities and exploit them. It is quite simple to use and very useful for automating different analyses in a single process.

Basically, you work with 4 tabs: in Analysis settings you specify the target and select the plugins or scanners you want to use; in Log you can see the status of the process; in Results the detected vulnerabilities are shown in great detail (SQL Injection, Cross-Site Scripting, Full Path Disclosure, File Inclusion, etc.); and finally, from the Exploit tab, these flaws can be exploited.

If you want to understand the scope of this type of tool a little better, I recommend reading this article from Infosec Resources (in English), which shows as an example how a SQL injection vulnerability detected with w3af makes it possible to obtain the passwords of a WordPress blog.

Of course, w3af does not aim to be a malicious hacking program. Although it may seem that you can do everything with a few simple clicks, you need some knowledge and a desire to understand what is happening in order to take advantage of it.

The project was started in 2006 by Andrés Riancho, founder of the security company Bonsai, and today it has the support of the entire community of web security specialists.

Download: w3af.sourceforge.net/#download

It can be installed on Windows (see installation demo) and Linux (apt-get install w3af). If you have Backtrack, you can run the graphical interface from /pentest/web/w3af with ./w3af_gui

If you are going to start playing with it, I recommend doing so in a controlled environment; it is the best way to test it, experiment and learn 🙂

See also: Vulnerability scanner in WordPress and brute force attack; SP Toolkit, a phishing kit to educate users with real attacks.