From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


This document is a Step-by-Step Guide on how to use w3af. w3af is a fully comprehensive environment for web application testing and exploitation. It provides a solid platform for web vulnerability assessments and penetration testing. w3af is able to identify 200+ vulnerabilities, including Cross-Site Scripting (XSS), SQL injection and OS commanding.


  • Linux-based System - preferably Ubuntu 12.04 LTS
  • Python2



Enter these commands in the shell

sudo apt-get install git
sudo apt install python2.7
git clone git@github.com:andresriancho/w3af.git
cd w3af/

In short, what happens here:

  • We use git to download w3af’s source code
  • Then we run w3af_gui, which will fail, because we have to install dependencies. This will create the file w3af_dependency_install.sh.
  • Next we install the dependencies with ./w3af_dependency_install.sh

Edit (Jan. 2023): Currently there might be new errors starting w3af_gui, therefore you might have to downgrade specific dependencies/packets or use an older OS (i.e. Ubuntu 12.04).


This is how the GUI looks like:


On the left hand side, you can find different profiles, that have different plugins to select and configure. Under the plugin section, there are different plugin groups:

  • audit
  • bruteforce
  • crawl
  • infrastructure
  • evasion
  • grep
  • mangle
  • output

After selecting a plugin, in the window on the right is a description regarding the plugin and its configurations. To configure the plugin, just select it, and modify the options that appears in the right window. You need to save the configuration to use it.

To finish the configuration for the scan, you need to insert a target URL in the upper text entry.

After selecting the profile, the plugins and typed in the URL, you can start the scan with clicking on start.

After starting the scan, the Log Pane will be opened, where in the upper part you have the logging text & below that messages you can see what the system is currently doing. Also on the right bottom side, there are three indicators showing the quantity of information items found, vulnerabilities found, & the shell, which were successfully exploited.


During the scan or after finishing the scan, you can look in the results tab:


On the left side, it shows you the vulnerabilities and informations. When selecting one of the items, and that item corresponds to a HTTP request originated by the scanning, you can see it on the right side with its information. The colours indicate the severity of the vulnerability and have the following meaning:

  • black for information,
  • orange for low severity
  • red for medium/high severity.


We can also use exploits in w3af:


In order to exploit a vulnerability, you need to drag the exploit to the vulnerability you want to exploit and drop it there. This drag-and-drop process is all you need to activate a particular vulnerability.

Apart from the w3af core functionality, that is to scan for vulnerabilities and exploit them, there are other tools that can be used, to find them follow the guide (Tools section) under the References section.