Open SourceW3af Open Source App Vulnerability Testing Hits 1.0

W3af Open Source App Vulnerability Testing Hits 1.0 content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The w3af Web Application Attack and Audit Framework is finally stable.

The open source w3af project released a 1.0 stable version this week after five release candidates and months of development. W3af enables developers and security researchers to audit, discover and test Web applications for vulnerabilities.

“This is our first stable release, named w3af 1.0-stable, and we’re pretty confident on the quality of our code at this moment, so we’ve dared to tag it as stable,” Andres Riancho, Director of Web Security at Rapid7 and w3af Founder told

One of the key features in w3af 1.0 is the infusion of Web application payloads. Riancho explained that the payloads are post exploitation “scripts” that allow the security researcher to keep elevating privileges on the remote system.


The w3af 1.0 release also includes a PHP static code analyzer (SCA) that can help developers to identify flaws such as SQL injections, remote file includes and OS commanding.

“For now, we’ve only developed checks for those vulnerabilities, but the plan is to keep improving the SCA,” Riancho said.

That said, Riancho noted that the PHP SCA can be used to find some interesting multi-layered code flaws.

“There is a very interesting story we can tell about the PHP SCA, where a w3af user finds an arbitrary file read, uses the get_source_code payload to download the application’s source,” Riancho said. “The user then uses the php_sca payload to identify an OS commanding and finally exploits that vulnerability to gain full access to the remote system. All of that, using w3afand in an automated way.”

While w3af can find PHP code flaws that can lead to SQL Injection attacks, the framework does not actually look at the underlying database.

“For now w3af is only focused on the Web applications,” Riancho said. “At this moment w3af only talks HTTP to the remote server.”

W3af vs. Metasploit

The w3af project is sponsored by security vendor Rapid7, which also sponsors the open source Metasploit vulnerability testing framework.

“For a very detailed Web application assessment, I would recommend w3af,” Riancho said. “On the other side, if you want to exploit vulnerabilities, Metasploit is what you want.”

With the w3af 1.0 stable release now available, Riancho noted that the goal of the project moving forward is on improving performance, false positives and false negatives .

“Our next plans are to work on performance, reducing CPU and memory usage, usability and reviewing our vulnerability detection heuristics in order to reduce our false negatives and positives,” Riancho said. “Those improvements will keep us busy for a couple of months and will be a major part of the 1.1 release. After that, no idea about which our priorities will be. We usually simply listen to the community, if they complain about X a lot, then X becomes a priority for us.”

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Latest Posts

Related Stories