w3af is a Python-based web application security scanning framework. It identifies vulnerabilities through automated crawling, plugin-based testing, and an exploit framework for post-detection verification. The project has received limited maintenance since 2020, which is a concern given that the OWASP Top 10 was last updated in 2021 and web vulnerability patterns continue to evolve.
Holm Security sponsors w3af and uses it as part of their vulnerability assessment platform.
What w3af does
w3af crawls web applications, identifies attack surfaces like forms and parameters, and tests them with 200+ vulnerability detection plugins. The framework includes an exploit module for verifying findings and a GUI for manual testing alongside automated scans.
Written in Python, it runs on Linux, macOS, and Windows. The architecture separates crawling, auditing, and exploitation into distinct phases.
Key features
| Feature | Details |
|---|---|
| Vulnerability detection | XSS, SQLi, CSRF, LFI/RFI, command injection, XXE, SSRF, path traversal |
| Crawling | Follows links, parses forms, analyzes JavaScript, handles cookies |
| Output formats | Text, HTML, XML, CSV |
| Interfaces | GUI (GTK), CLI, REST API |
| Extensibility | Python-based plugin system for custom checks |
| Authentication | Form login, HTTP auth, cookie-based sessions |
| Proxy support | Routes traffic through Burp, ZAP, or other proxies |
Using w3af
Install w3af from source or as a Docker image. The GUI provides point-and-click scanning for manual testing; the CLI suits automation and CI/CD integration.

```bash
# Clone the repository
git clone https://github.com/andresriancho/w3af.git
cd w3af

# First run: w3af_console checks its dependencies and prints the commands
# needed to install any that are missing
./w3af_console

# Start the GUI
./w3af_gui

# Run a CLI scan from a script file
./w3af_console -s scripts/scan_example.w3af
```
Example scan script (each menu is entered by name and left with `back` before the next top-level command):

```text
plugins
discovery web_spider
audit xss, sqli, csrf
output console, html_file
back
target
set target http://example.com/
back
start
```
REST API
The w3af REST API enables programmatic scan control and result retrieval. Launch the API server and submit scan requests via HTTP.

```bash
# Start the API server
./w3af_api

# Submit a scan via curl (profile content is in w3af scan script format)
curl -X POST http://localhost:5000/scans \
  -H "Content-Type: application/json" \
  -d '{"scan_profile": "<w3af_profile_content>", "target_urls": ["http://example.com/"]}'

# Check scan status
curl http://localhost:5000/scans/0/status
```
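The same submit-then-poll flow as a small Python client suitable for a CI job, written here as an added example rather than code shipped with w3af. It uses only the two endpoints shown above; the reply shapes (an integer `id` in the POST reply, a `status` string that stops reading `Running` when the scan ends) and the omission of the `target` section from the profile (targets travel in `target_urls`) are assumptions, not documented behaviour.

```python
"""Submit a w3af scan over the REST API and wait for it to finish (added example)."""
import json
import time
import urllib.request

API = "http://localhost:5000"

# Scan script from the example above, minus the target section
# (assumption: target_urls in the request body supplies the targets).
SCAN_PROFILE = """plugins
discovery web_spider
audit xss, sqli, csrf
output console, html_file
back
"""


def http_json(method, url, body=None):
    """Send a JSON request with urllib and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def start_scan(targets, transport=http_json, api=API):
    """POST the profile and target list; return the scan id from the reply.
    The reply is assumed to carry an integer "id" field."""
    reply = transport("POST", f"{api}/scans",
                      {"scan_profile": SCAN_PROFILE, "target_urls": list(targets)})
    return int(reply["id"])


def wait_for_scan(scan_id, transport=http_json, api=API, poll=5, max_polls=720):
    """Poll /scans/<id>/status until "status" is no longer "Running" (assumed
    value) and return the last status reply. max_polls bounds the wait so a
    hung scan cannot block a CI job indefinitely."""
    last = None
    for _ in range(max_polls):
        last = transport("GET", f"{api}/scans/{scan_id}/status")
        if last.get("status") != "Running":
            return last
        time.sleep(poll)
    raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")


if __name__ == "__main__":
    sid = start_scan(["http://example.com/"])
    print(wait_for_scan(sid))
```

The `transport` parameter exists so the flow can be exercised against a fake server in tests; in production it defaults to the urllib-based `http_json`.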
Current status
Development activity dropped significantly after 2020. The repository remains accessible and accepts contributions, but new releases are infrequent. Dependency updates lag behind Python ecosystem changes. According to the NIST National Vulnerability Database, new web application CVEs are published daily, and scanners that fall behind on updates risk missing detection of recent vulnerability classes.
Holm Security’s sponsorship keeps the project alive but does not drive active feature development. Most recent commits focus on bug fixes rather than new capabilities.
Alternatives to w3af
For actively developed DAST tools, OWASP ZAP provides comprehensive web application scanning with GUI, API, and CI/CD integrations. ZAP supports modern web frameworks, JavaScript rendering, and automated authentication.
Nuclei offers template-based vulnerability detection with 7000+ community templates. It runs faster than traditional crawlers for targeted checks.
Nikto focuses on web server and CGI scanning. It detects outdated software, dangerous files, and server misconfigurations.
For commercial web application testing, Burp Suite Professional combines manual and automated testing. Invicti provides automated scanning with proof-based verification to eliminate false positives.
Browse other DAST tools for web application security scanning options, or see our free DAST tools guide for actively maintained open-source alternatives.
Note: Limited maintenance since 2020. Still functional, but development activity is minimal. Recommended for legacy use only; evaluate actively maintained alternatives such as ZAP or Nuclei for new projects.
