The w3af core and it’s plugins are fully written in python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much

Finally it’s out of BETA and RC and there’s now a stable core for the codebase.

New in v1.1

• Considerably increased performance by implementing gzip encoding
• Enhanced embedded bug report system using Trac’s XMLRPC
• Fixed hundreds of bugs
• Fixed critical bug in auto-update feature
• Enhanced integration with other tools (bug fixed and addedmore info to the file)

You can download w3af v1.1 here:

w3af-1.1.tar.bz2

Or you can read more here.

Our last mention of w3af was back in 2008 when the fifth BETA was released, the team have recently released a new version 1.0 – Release Candidate 3.

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

New Features

• Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
• Increased speed by rewriting parts of the thread management code
• Fixed tons of bugs
• Reduced memory usage
• Many plugins were rewritten using different techniques that use less HTTP requests to identify the same vulnerabilities
• Reduced false positives

You can download w3af 1.0-rc3 here:

Windows – w3af-1.0-rc3.exe
Linux/BSD/Mac – w3af-1.0-rc3.tar.bz2

Or read more here.

As you all seem to pretty interested in Inguma, there’s something else similar called w3af – the fifth BETA was released a while back and the team are now working on the sixth.

w3af is a Web application attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and

We did mention when it was first released – w3af – Web Application Attack and Audit Framework.

There are a lot of small changes, but the basic and bigger ones are:

• Virtual daemon, a way to use Metasploit framework payloads/shellcodes while exploiting web applications.
• w3afAgent, a reverse VPN that allows you to route packets through the compromised server
• Good samaritan, a module that allows you to exploit blind sql injections much faster
• 20+ new plugins
• A lot of bug fixes
• A much more stable core.

A full plugin list is here:

w3af – Plugins

The users guide can be found here:

w3afUsersGuide.pdf

The author has also uploaded the presentation material he made for the T2 conference in Finland – this can serve as a good introduction.

w3af-T2.pdf

You can download w3af here:

w3af BETA5

Or read more here.

A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

• SQL injection detection
• XSS detection
• SSI detection
• Local file include detection
• Remote file include detection
• Buffer Overflow detection
• Format String bugs detection
• OS Commanding detection
• Response Splitting detection
• LDAP Injection detection
• Basic Authentication bruteforce
• File upload inside webroot
• htaccess LIMIT misconfiguration
• SSL certificate validation
• XPATH injection detection
• unSSL (HTTPS documents can be fetched using HTTP)

Discovery

• Pykto, a nikto port to python
• Hmap, http fingerprinting.
• fingerGoogle, finds valid user accounts in google.
• googleSpider, a spider that uses google.
• webSpider, a classic web spider.
• robotsReader
• urlFuzzer
• serverHeader, fetches server header
• allowedMethods, gets a list of allowed HTTP methods.
• crossDomain, get and parse the flash file crossdomain.xml
• error404page, generate a regular expression to match 404 pages.
• sitemapReader, read googles sitemap.xml and parse it.
• spiderMan, using a localproxy and a human, find new URLs for auditing.
• webDiff, find differences between a local and a remote directory.
• wsdlFinder, find and parse WSDL and DISCO files.

The framework is extended using plug-ins and is completely written in Python.

You can download w3af here:

w3af BETA 4

Or read more here.