16 January 2008 | 9,492 views

w3af Fifth BETA for Download – Automated Web Auditing and Exploitation Framework


As you all seem to be pretty interested in Inguma, there’s something else similar called w3af – the fifth BETA was released a while back and the team are now working on the sixth.

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and

We did mention it when it was first released – w3af – Web Application Attack and Audit Framework.

There are a lot of small changes, but the basic and bigger ones are:

  • Virtual daemon, a way to use Metasploit Framework payloads/shellcodes while exploiting web applications
  • w3afAgent, a reverse VPN that allows you to route packets through the compromised server
  • Good samaritan, a module that allows you to exploit blind SQL injections much faster
  • 20+ new plugins
  • A lot of bug fixes
  • A much more stable core

A full plugin list is here:

w3af – Plugins

The users guide can be found here:


The author has also uploaded the presentation material he made for the T2 conference in Finland – this can serve as a good introduction.


You can download w3af here:

w3af BETA5

Or read more here.


9 Responses to “w3af Fifth BETA for Download – Automated Web Auditing and Exploitation Framework”

  1. goodpeople 16 January 2008 at 12:11 pm Permalink

    There’s no download link!

  2. leyou 16 January 2008 at 1:50 pm Permalink


  3. Darknet 16 January 2008 at 5:07 pm Permalink

    Oops my bad, thanks leyou – I’ve added the download link in.

  4. Daniel 16 January 2008 at 7:12 pm Permalink

    I wish they’d sort out the annoying tidy issue:

    [daniel@touchme ~]$ w3af
    You have to install utidy lib.
    Error: No module named tidy

    even when utidy is installed and working

  5. goodpeople 17 January 2008 at 12:55 am Permalink

    When unpacking, my virusscanner trips over PHISH/Paypalfraud.T

  6. eM3rC 7 February 2008 at 5:36 am Permalink

    Never seen a program that just focuses on this. Thanks for the post Darknet.

    I have a quick question, by web vulnerability tool do you mean programs that operate within a webpage or actual exploits for the webpage you are viewing (or something else I am completely missing)?

  7. fuzion 30 July 2008 at 8:32 pm Permalink

    I wrote a script to update w3af and install the new prerequisites to use its new gtkUI:

  8. Rashid 16 August 2008 at 12:07 pm Permalink

    I have downloaded this script and installed all required packages but I am unable to find the utidy package on the net. Please tell me from where to get this package for Fedora 8.

  9. fuzion 27 August 2008 at 12:28 am Permalink

    Get w3af via SVN and report any bugs you find.

    svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af

    More info: