W3af

Open-source web application security scanner


title: "W3af"
type: doc
version: 1
created: 2026-02-28
author: "Wikipedia contributors"
status: active
scope: public
tags: ["cyberwarfare", "computer-security-software", "electronic-warfare", "network-analyzers", "free-security-software", "free-network-management-software", "cross-platform-free-software"]
description: "Open-source web application security scanner"
topic_path: "technology/computing"
source: "https://en.wikipedia.org/wiki/W3af"
license: "CC BY-SA 4.0"
wikipedia_page_id: 0
wikipedia_revision_id: 0


::data[format=table title="Infobox software"]

| Field | Value |
|---|---|
| name | w3af |
| caption | "Web Application Attack and Audit Framework" |
| developer | Andres Riancho |
| operating system | Windows, OS X, Linux, FreeBSD, OpenBSD |
| programming language | Python |
| genre | Computer security |
| license | GPLv2 |
::


w3af (Web Application Attack and Audit Framework) is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for web applications. It provides information about security vulnerabilities for use in penetration testing engagements. The scanner offers a graphical user interface and a command-line interface.

A fork has been made by the original authors under the name w4af, originally in an attempt to upgrade the code base to use Python 3 instead of Python 2.

Architecture

w3af is divided into two main parts, the core and the plug-ins. The core coordinates the process and provides features that are consumed by the plug-ins, which find the vulnerabilities and exploit them. The plug-ins are connected and share information with each other using a knowledge base.

Plug-ins can be categorized as Discovery, Audit, Grep, Attack, Output, Mangle, Evasion or Bruteforce.

History

w3af was started by Andres Riancho in March 2007, after many years of development by the community. In July 2010, w3af announced its sponsorship and partnership with Rapid7. With Rapid7's sponsorship, the project will be able to increase its development speed and keep growing in terms of users and contributors.


::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::
