Web application attack and audit framework
Recently Larry Suto published his second paper on web application security scanners (if you are wondering about his first one, you can find it here) and as expected it once again stirred up a couple of people.
While he analyzed the most widely used web security scanners, I wonder if we could change direction and focus on a not so well known, open source web application scanner.
You have probably figured out by now what I'm talking about: as written in the title, it is the "web application attack and audit framework", or w3af.
The authors describe it briefly as:
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
While this reflects the idea (and direction) with which the project started, to me w3af is about as much of a framework as Joomla! is a framework for web application development. I would rather call it a full-featured web application testing platform.
Even though I'm not that big a fan of automated vulnerability scanners, I have to admit that w3af has a nice series of discovery plugins, which is reason enough for me to give it a thumbs up.
That's all I wanted to share with you today. For more information about w3af I recommend their SourceForge page and Andrés Riancho's interview for the OWASP podcast (this dude is the core developer of w3af).