Web Application Attack and Audit Framework 1.0 Released

Friday, June 03, 2011

Web Application Attack and Audit Framework (w3af) has released a new stable version. The project's aim is a framework for finding and exploiting web application vulnerabilities that is easy to use and extend.

"w3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which check for SQL injection, cross-site scripting (XSS), local and remote file inclusion and much more."

The most important improvements in this release include:

  • Stable code base: an improvement that will reduce your w3af crashes to a minimum.
  • Auto-Update: keeps your w3af installation updated without any effort. Always get the latest and greatest from w3af contributors!
  • Web Application Payloads: for people who enjoy exploitation techniques, this is one of the most interesting things you'll see in web application security! w3af created various layers of abstraction around an exploited vulnerability so that payloads can be written which use emulated syscalls to read, write and execute files on the compromised web server.
  • PHP static code analyzer: as part of a couple of experiments and research projects, Javier Andalia created a PHP static code analyzer that performs taint-mode analysis of PHP code to identify SQL injection, OS commanding and remote file include vulnerabilities. At this time the feature is available as a web application payload: after exploiting a vulnerability, try "payload php_sca", which downloads the remote PHP code to your box and analyzes it to find more vulnerabilities!
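To show what "taint-mode analysis" means in the php_sca description above, here is an added, deliberately small illustration in Python (w3af's own language); it is not w3af's analyzer, and the source/sink/sanitizer lists, the one-statement-per-line simplification and the PHP sample are all constructed for this example.

```python
import re

# Taint sources, sinks (with the bug class each implies) and sanitizers (a heuristic list).
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SINKS = {"mysql_query": "SQL injection",
         "system": "OS commanding", "exec": "OS commanding", "shell_exec": "OS commanding",
         "include": "remote file include", "require": "remote file include"}
SANITIZERS = ("mysql_real_escape_string", "intval", "escapeshellarg", "basename")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.+?);\s*$")
VAR_RE = re.compile(r"\$\w+")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\b")
SANITIZED_RE = re.compile(r"\b(?:" + "|".join(SANITIZERS) + r")\s*\([^()]*\)")

def is_tainted(expr, tainted):
    """True if expr reads a source or a tainted variable outside a sanitizer call."""
    expr = SANITIZED_RE.sub("''", expr)  # treat sanitized sub-expressions as clean
    if any(src in expr for src in SOURCES):
        return True
    return any(var in tainted for var in VAR_RE.findall(expr))

def analyze(php_source):
    """Flow-insensitive taint pass over one PHP file, one statement per line."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:  # an assignment propagates (or clears) taint on its target variable
            var, expr = m.groups()
            if is_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
            continue
        for sink in SINK_RE.findall(line):  # tainted data reaching a sink is a finding
            if is_tainted(line, tainted):
                findings.append((lineno, sink, SINKS[sink]))
    return findings

# Constructed sample (not taken from any real project) exercising each bug class.
SAMPLE = """<?php
$id = $_GET['id'];
$safe_id = intval($_GET['id']);
mysql_query("SELECT * FROM users WHERE id=" . $id);
mysql_query("SELECT * FROM users WHERE id=" . $safe_id);
$cmd = $_POST['cmd'];
system(escapeshellarg($cmd));
system("ping " . $cmd);
include $_REQUEST['page'] . ".php";
"""
```

Running `analyze(SAMPLE)` reports lines 4, 8 and 9 only; the `intval` and `escapeshellarg` paths are treated as sanitized, which is exactly the source-to-sink reasoning a real analyzer performs over a proper parse tree rather than over lines.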

You can download Web Application Attack and Audit Framework on SourceForge.

Contributed by SecTechno

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.