W3af
w3af (Web Application Attack and Audit Framework) is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for Web applications. It provides information about security vulnerabilities for use in penetration testing engagements. The scanner offers a graphical user interface and a command-line interface.


Architecture

w3af is divided into two main parts, the core and the plug-ins [Part 1 of Andres Riancho's presentation "w3af - A framework to 0wn the Web" at SecTor 2009]. The core coordinates the process and provides features that are consumed by the plug-ins, which find the vulnerabilities and exploit them. The plug-ins are connected and share information with each other using a knowledge base. Plug-ins can be categorized as Discovery, Audit, Grep, Attack, Output, Mangle, Evasion or Bruteforce.
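To make the core/plug-in/knowledge-base split concrete, here is a small added model of that architecture (constructed for this page, not w3af's own code or API): a core that crawls to a fixed point, a Discovery plug-in that feeds new URLs back to the core, a Grep plug-in that passively inspects every response, and an Output plug-in that reads the shared knowledge base. The site contents, plug-in names and knowledge-base interface are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed stand-in for a target site: URL -> response body (hypothetical data).
FAKE_SITE = {
    "http://example.test/": '<a href="/login">login</a><!-- TODO remove debug admin@example.test -->',
    "http://example.test/login": '<form action="/login?next=home">',
}

class KnowledgeBase:
    """Shared store: a plug-in appends findings under (plugin, kind); others read them."""
    def __init__(self):
        self._data = defaultdict(list)
    def append(self, plugin, kind, value):
        if value not in self._data[(plugin, kind)]:   # de-duplicate repeated findings
            self._data[(plugin, kind)].append(value)
    def get(self, plugin, kind):
        return list(self._data[(plugin, kind)])

def discovery_links(url, body, kb, base="http://example.test"):
    """Discovery plug-in: extract links, record them, and hand new URLs to the core."""
    found = [base + h for h in re.findall(r'href="(/[^"]*)"', body)]
    for u in found:
        kb.append("discovery_links", "url", u)
    return found

def grep_comments(url, body, kb):
    """Grep plug-in: passively flag HTML comments and e-mail addresses in each response."""
    for c in re.findall(r"<!--(.*?)-->", body, re.S):
        kb.append("grep_comments", "html_comment", (url, c.strip()))
    for m in re.findall(r"[\w.]+@[\w.]+", body):
        kb.append("grep_comments", "email", (url, m))

def run_scan(start_url, site, kb):
    """Core: crawl until no new URLs appear, running grep and discovery on every response."""
    queue, seen = [start_url], set()
    while queue:
        url = queue.pop(0)
        if url in seen or url not in site:
            continue
        seen.add(url)
        body = site[url]                       # a real core would issue an HTTP request here
        grep_comments(url, body, kb)
        queue.extend(u for u in discovery_links(url, body, kb) if u not in seen)
    return kb

def output_report(kb):
    """Output plug-in: consume the knowledge base and produce report lines."""
    lines = [f"comment at {u}: {c}" for u, c in kb.get("grep_comments", "html_comment")]
    lines += [f"email at {u}: {m}" for u, m in kb.get("grep_comments", "email")]
    return lines
```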


History

w3af was started by Andres Riancho in March 2007, after many years of development by the community. In July 2010, w3af announced its sponsorship and partnership with Rapid7. With Rapid7's sponsorship, the project will be able to increase its development speed and keep growing in terms of users and contributors.


See also

* Metasploit Project
* Low Orbit Ion Cannon (LOIC)
* Web application security
* OWASP (Open Web Application Security Project)


External links

* Official website
* w3af documentation