Jump to content
Sign in to follow this  

w3af vulnerability scanner tutorial

Recommended Posts


Hi Guys,

I found this cool tutorial on using W3AF ( web auditing and attack framework ) Offcourse you can use the GUI but as i started using Linux more and more i somehow felt in love with this CLI.

Get W3af (Allready included in Backtrack 5 -> Pentest/web/w3af)



w3af stands for web auditing and attack framework.I have heard some say that it is the metasploit for web applications. w3af is basically a free open source web application scanner. w3af has many plugins that are divided into attack, audit, exploit, discovery, evasion, bruteforce, mangle and a few others. The code is well commented and written in python so writing your own exploits and plugins should be trivial but i cannot say for sure since i have not tried as of yet. I will spent more time on this in later articles. This will be the first of many w3af tutorials.

Getting started

I have installed it on both ubuntu fiesty and cygwin for windows. Both installs are relatively painless. Just follow the instructions in the w3afUsersGude and you will be fine.

Once you have all the prerequisites then you can start w3af as follows:

$ ./w3af


Type help will give you a list of options.

w3af>>> help

The following commands are available:

help >> You are here. help [command] prints more specific help.

url-settings >> Configure the URL opener.

misc-settings >> Configure w3af misc settings.

session >> Load and save sessions.

plugins >> Enable, disable and configure plugins.

start >> Start site analysis.

exploit >> Exploit a vulnerability.

tools >> Enter the tools section.

target >> Set the target URL.

exit >> Exit w3af.


First we need to talk about how the interface for w3af is configured. You move forward by typing a given option and back by typing back. Type view to see a list of configurable options and use the set command to change the options. Below we will set the target. This will be the url that we will be auditing.


w3af>>> target

w3af/target>>> help

The following commands are available:

help >> You are here. help [command|parameter] prints more specific help.

set >> Set a parameter value.

view >> List all configuration parameters and current values.

back >> Return to previous menu.

w3af/target>>> view

Parameter Value Description

========= ===== ===========

target A comma separated list of URLs

w3af/target>>> set target http://localhost:8080

w3af/target>>> view

Now lets configure our plugins.

w3af/target>>> back

w3af>>> plugins

w3af/plugins>>> help

The following commands are available:

help >> You are here. help [command] prints more specific help.

list >> List all available plugins.

audit >> Enable and configure audit plugins.

bruteforce >> Enable and configure bruteforce plugins.

discovery >> Enable and configure discovery plugins.

evasion >> Enable and configure evasion plugins.

grep >> Enable and configure grep plugins.

mangle >> Enable and configure mangle plugins.

output >> Enable and configure output plugins.

back >> Return to previous menu.

To audit a web application we need at least three plugins configured. Audit, discovery, and output. Typing list plus the plugin will show all available options for the plugin. If you type list audit you will see all the auditing extensions like xss, xsrf, sql injection, ldap injection, etc. Type list discovery will display all discovery options.

Just typing the plugin name (i.e audit) will display which options are loaded. By default there are no options configured for any of the plugins. You will have to add them. Some examples would be:

w3af/plugins>>> audit xss,xsrf,sqli

To select a few options to load.


w3af/plugins>>> audit all

To load all options.

I am going to configure our webserver audit to test for Cross site Scripting, typical web server vulnerabilities, and we want it to spider (crawl) the entire site. We also want to save the results into an html audit report. To do this we need to run the following commands:

w3af/plugins>>> audit xss

w3af/plugins>>> audit

Enabled audit plugins:


w3af/plugins>>> discovery webSpider,pykto,hmap

w3af/plugins>>> discovery

Enabled discovery plugins:



w3af/plugins>>> output console,htmlFile

w3af/plugins>>> output

Enabled output plugins:



w3af/plugins>>> output config htmlFile

w3af/plugin/htmlFile>>> view

Parameter Value Description

========= ===== ===========

verbosity 0 Verbosity level for this plugin.

httpFileName output-http.txt File name where this plugin will write HTTP requests and responses

reportDebug False True if debug information will be appended to the report.

fileName report.html File name where this plugin will write to

I have just configured a basic audit with w3af to test for XSS. We initially set the target to be http://localhost/ so it will scan my local apache server. I used pykto which is a perl version of nikto to scan for webserver vulnerabilities. The webSpider plugin will do all the url crawling and create lists of urls to audit. The output plugins will write the results to the command line and the html file called report.html in your application folder. The html output will not be available until the audit is complete. hmap fingerprints the server. The output-http.txt records server requests and responses.

Start the audit as follows:

w3af/plugin/htmlFile>>> back

w3af/plugins>>> back

w3af>>> start

Be prepared to wait a while for the audit to complete.

w3af>>> start

Auto-enabling plugin: discovery.allowedMethods

Auto-enabling plugin: discovery.error404page

Auto-enabling plugin: discovery.serverHeader

The Server header for this HTTP server is: Apache/2.2.3 (Ubuntu) PHP/5.2.1

Hmap plugin is starting. Fingerprinting may take a while.

The most accurate fingerprint for this HTTP server is: Apache/2.0.55 (Ubuntu) PHP/5.1.2

pykto plugin is using “Apache/2.0.55 (Ubuntu) PHP/5.1.2″ as the remote server type. This information was obtained by hmap plugin.

pykto plugin found a vulnerability at URL: http://localhost/icons/ . Vulnerability description: Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used, the /icons directory should be removed. The vulnerability was found in the request with id 128.

pykto plugin found a vulnerability at URL: http://localhost/doc/ . Vulnerability description: The /doc directory is browsable. This may be /usr/doc. The vulnerability was found in the request with id 1865.

pykto plugin found a vulnerability at URL: http://localhost/\> . Vulnerability description: The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. The vulnerability was found in the request with id 3385.

New URL found by discovery: http://localhost/

New URL found by discovery: http://localhost/test2.html

New URL found by discovery: http://localhost/xst2.html

New URL found by discovery: http://localhost/xst.html

New URL found by discovery: http://localhost/test.html

Happy testing ......

  • Like 1

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now
Sign in to follow this