Testing your web application for vulnerabilities | Part 1

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. It is developed using Python to be easy to use and extend, and licensed under GPLv2.0. w3af is fully extensible and if you need a plugin that is not available, then you can simply create it yourself. w3af is already installed in BackTrack 5.
> Open your BackTrack or Kali Linux system.
> Select Applications -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Vulnerability Scanners -> w3af console or w3af gui.
In the example below we are going to use w3af’s webSpider (web crawler) plugin.
Open the w3af console and follow these steps to crawl your target.
Set your target


press enter.

set target http://target_url

press enter.
Go back


press enter.
Configure plugin


press enter.

discovery config webSpider

press enter.


press enter. For our example we are going to leave everything as it is.
Go back


press enter.
Enable webSpider plugin

discovery webSpider

press enter.
Check which discovery plugins are enabled

list discovery enabled

press enter. You should see webSpider in the list!
Select report format

output htmlFile

press enter. There are 8 format types. Type help for more info.
Start crawling
Go back


press enter.


press enter.
You can get more help on any step by executing


To cancel a running scan, hit Ctrl+C and then press enter.
View the results
Open the file report.html in the folder /pentest/web/w3af.
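The console session above can also be run non-interactively. The script below is an added example, not part of the original post or of w3af itself: it writes the same sequence of console commands to a w3af script file and feeds it to `w3af_console -s`. It assumes the binary is on your PATH as `w3af_console`, that the root-menu commands `target`, `plugins`, `back`, `start` and `exit` are the ones the post's blank steps refer to, and that `http://target_url` is a placeholder you replace with a site you are authorised to test.

```shell
#!/bin/sh
# Added example: reproduce the post's w3af console steps as a script file.
# Assumptions: w3af_console is on PATH and accepts "-s <script>"; the
# menu commands target/plugins/back/start/exit are taken from w3af's
# console, not from the post, which leaves them implicit.

make_w3af_script() {
    # $1 = target URL. Emits one console command per line, in the
    # same order as the tutorial: set target, enable the webSpider
    # discovery plugin, pick the htmlFile report, then start.
    printf '%s\n' \
        "target" \
        "set target $1" \
        "back" \
        "plugins" \
        "discovery webSpider" \
        "list discovery enabled" \
        "output htmlFile" \
        "back" \
        "start" \
        "exit"
}

run_scan() {
    # $1 = target URL. Writes the script to a temp file and runs it if
    # w3af_console is available; otherwise just leaves the script on disk.
    script="$(mktemp)" || return 1
    make_w3af_script "$1" > "$script"
    if command -v w3af_console >/dev/null 2>&1; then
        w3af_console -s "$script"
        # htmlFile writes report.html in the working directory by default
        [ -f report.html ] && echo "report written to $(pwd)/report.html"
    else
        echo "w3af_console not found; script saved at $script" >&2
        return 2
    fi
}

# Usage (placeholder target, replace before running):
# run_scan http://target_url
```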

