# W3af Web Application Attack Framework Cheat Sheet

## Overview

W3af (Web Application Attack and Audit Framework) is a comprehensive open-source web application security scanner. It provides a complete framework for finding and exploiting web application vulnerabilities, featuring discovery, audit, and attack plugins for thorough security assessments.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using against any target.
## Installation

### Ubuntu/Debian Installation

```bash
# Install dependencies
sudo apt update
sudo apt install python3-pip python3-dev build-essential libssl-dev libffi-dev python3-setuptools

# Install w3af
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install Python dependencies
pip3 install -r requirements.txt

# Run dependency check
python3 w3af_console

# Install missing dependencies if prompted
./w3af_dependency_install.sh
```

### Manual Installation

```bash
# Clone repository
git clone https://github.com/andresriancho/w3af.git
cd w3af

# Install dependencies manually
sudo apt install python3-pip python3-dev python3-setuptools
sudo apt install libxml2-dev libxslt1-dev zlib1g-dev
sudo apt install libyaml-dev libssl-dev libffi-dev

# Install Python packages
pip3 install --user -r requirements.txt

# Test installation
python3 w3af_console
```

### Docker Installation

```bash
# Pull Docker image
docker pull andresriancho/w3af

# Run with Docker
docker run -it andresriancho/w3af

# Run with volume mount
docker run -it -v $(pwd):/tmp/w3af andresriancho/w3af
```

### Kali Linux

```bash
# W3af is pre-installed in Kali
w3af_console

# If not installed
sudo apt update
sudo apt install w3af
```
## Basic Usage

### Console Interface

```bash
# Start w3af console
w3af_console

# GUI interface (if available)
w3af_gui

# Help commands
w3af>>> help
w3af>>> help plugins
w3af>>> help target
```

### Basic Commands

```bash
# Set target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> back

# View current configuration
w3af>>> target view

# Start scan
w3af>>> start

# Exit
w3af>>> exit
```
## Plugin Categories

### Discovery Plugins

| Plugin | Description |
|---|---|
| web_spider | Web application spider |
| dir_file_bruter | Directory and file brute forcer |
| dns_wildcard | DNS wildcard detection |
| robots_txt | Robots.txt analyzer |
| sitemap_xml | Sitemap.xml parser |
| google_spider | Google search spider |
| bing_spider | Bing search spider |

### Audit Plugins

| Plugin | Description |
|---|---|
| sqli | SQL injection detection |
| xss | Cross-site scripting detection |
| csrf | Cross-site request forgery |
| lfi | Local file inclusion |
| rfi | Remote file inclusion |
| os_commanding | OS command injection |
| xpath | XPath injection |
| ldapi | LDAP injection |

### Attack Plugins

| Plugin | Description |
|---|---|
| sqlmap | SQL injection exploitation |
| shell_shock | Shellshock exploitation |
| file_upload | File upload exploitation |
| dav | WebDAV exploitation |
| rfi | Remote file inclusion exploitation |
## Configuration and Setup

### Basic Configuration

```bash
# Configure target
w3af>>> target
w3af/config:target>>> set target http://target.com/
w3af/config:target>>> set target_os unix
w3af/config:target>>> set target_framework php
w3af/config:target>>> back

# Configure HTTP settings
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Custom W3af Scanner)"
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> back
```

### Authentication Configuration

```bash
# Basic authentication
w3af>>> http-settings
w3af/config:http-settings>>> set basic_auth_user username
w3af/config:http-settings>>> set basic_auth_passwd password
w3af/config:http-settings>>> set basic_auth_domain target.com
w3af/config:http-settings>>> back

# Cookie authentication
w3af>>> http-settings
w3af/config:http-settings>>> set cookie "PHPSESSID=abc123; auth=token"
w3af/config:http-settings>>> back

# Custom headers
w3af>>> http-settings
w3af/config:http-settings>>> set headers "Authorization: Bearer token123"
w3af/config:http-settings>>> back
```

### Proxy Configuration

```bash
# Configure proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> set proxy_username proxy_user
w3af/config:http-settings>>> set proxy_password proxy_pass
w3af/config:http-settings>>> back
```
## Discovery Phase

### Web Spider Configuration

```bash
# Configure web spider
w3af>>> plugins
w3af/plugins>>> discovery web_spider
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward True
w3af/plugins/discovery/config:web_spider>>> set ignore_regex ".*\.(jpg|jpeg|png|gif|pdf|zip)$"
w3af/plugins/discovery/config:web_spider>>> set follow_regex ".*"
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```

### Directory Brute Force

```bash
# Configure directory brute forcer
w3af>>> plugins
w3af/plugins>>> discovery dir_file_bruter
w3af/plugins>>> discovery config dir_file_bruter
w3af/plugins/discovery/config:dir_file_bruter>>> set wordlist /usr/share/wordlists/dirb/common.txt
w3af/plugins/discovery/config:dir_file_bruter>>> set file_extensions php,html,txt,js
w3af/plugins/discovery/config:dir_file_bruter>>> set be_recursive True
w3af/plugins/discovery/config:dir_file_bruter>>> back
w3af/plugins>>> back
```

### Comprehensive Discovery Setup

```bash
# Enable multiple discovery plugins
w3af>>> plugins
w3af/plugins>>> discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
w3af/plugins>>> discovery config web_spider
w3af/plugins/discovery/config:web_spider>>> set only_forward False
w3af/plugins/discovery/config:web_spider>>> back
w3af/plugins>>> back
```
## Audit Phase

### SQL Injection Detection

```bash
# Configure SQL injection plugin
w3af>>> plugins
w3af/plugins>>> audit sqli
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set check_numeric True
w3af/plugins/audit/config:sqli>>> set check_string True
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```

### Cross-Site Scripting (XSS)

```bash
# Configure XSS plugin
w3af>>> plugins
w3af/plugins>>> audit xss
w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> set check_persistent_xss True
w3af/plugins/audit/config:xss>>> set check_reflected_xss True
w3af/plugins/audit/config:xss>>> back
w3af/plugins>>> back
```

### File Inclusion Vulnerabilities

```bash
# Configure LFI/RFI plugins
w3af>>> plugins
w3af/plugins>>> audit lfi, rfi
w3af/plugins>>> audit config lfi
w3af/plugins/audit/config:lfi>>> set use_time_delay True
w3af/plugins/audit/config:lfi>>> set use_echo True
w3af/plugins/audit/config:lfi>>> back
w3af/plugins>>> back
```

### Comprehensive Audit Setup

```bash
# Enable all major audit plugins
w3af>>> plugins
w3af/plugins>>> audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath, ldapi
w3af/plugins>>> back
```
## Attack Phase

### SQL Injection Exploitation

```bash
# Configure SQLMap integration
w3af>>> plugins
w3af/plugins>>> attack sqlmap
w3af/plugins>>> attack config sqlmap
w3af/plugins/attack/config:sqlmap>>> set sqlmap_path /usr/bin/sqlmap
w3af/plugins/attack/config:sqlmap>>> set exploit_all True
w3af/plugins/attack/config:sqlmap>>> back
w3af/plugins>>> back
```

### File Upload Exploitation

```bash
# Configure file upload attack
w3af>>> plugins
w3af/plugins>>> attack file_upload
w3af/plugins>>> attack config file_upload
w3af/plugins/attack/config:file_upload>>> set extensions php,asp,aspx,jsp
w3af/plugins/attack/config:file_upload>>> back
w3af/plugins>>> back
```

### Shell Access

```bash
# Configure shell access
w3af>>> plugins
w3af/plugins>>> attack shell_shock
w3af/plugins>>> back

# After successful exploitation
w3af>>> exploit
w3af>>> shell
shell>>> whoami
shell>>> pwd
shell>>> exit
```
## Output and Reporting

### Output Configuration

```bash
# Configure output plugins
w3af>>> plugins
w3af/plugins>>> output console, text_file, html_file
w3af/plugins>>> output config text_file
w3af/plugins/output/config:text_file>>> set output_file /tmp/w3af_report.txt
w3af/plugins/output/config:text_file>>> set verbose True
w3af/plugins/output/config:text_file>>> back
w3af/plugins>>> back
```

### HTML Report Generation

```bash
# Configure HTML report
w3af>>> plugins
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set output_file /tmp/w3af_report.html
w3af/plugins/output/config:html_file>>> back
w3af/plugins>>> back
```

### XML Report Generation

```bash
# Configure XML report
w3af>>> plugins
w3af/plugins>>> output xml_file
w3af/plugins>>> output config xml_file
w3af/plugins/output/config:xml_file>>> set output_file /tmp/w3af_report.xml
w3af/plugins/output/config:xml_file>>> back
w3af/plugins>>> back
```
## Advanced Configuration

### Custom Payloads

```bash
# Create custom payload file
echo -e "' OR 1=1--\n\" OR 1=1--\n' UNION SELECT 1,2,3--" > custom_sqli.txt

# Configure custom payloads
w3af>>> plugins
w3af/plugins>>> audit config sqli
w3af/plugins/audit/config:sqli>>> set payloads_file /path/to/custom_sqli.txt
w3af/plugins/audit/config:sqli>>> back
w3af/plugins>>> back
```

### Form Authentication

```bash
# Configure form authentication
w3af>>> plugins
w3af/plugins>>> discovery form_auth
w3af/plugins>>> discovery config form_auth
w3af/plugins/discovery/config:form_auth>>> set username admin
w3af/plugins/discovery/config:form_auth>>> set password password123
w3af/plugins/discovery/config:form_auth>>> set username_field username
w3af/plugins/discovery/config:form_auth>>> set password_field password
w3af/plugins/discovery/config:form_auth>>> set login_form_url http://target.com/login.php
w3af/plugins/discovery/config:form_auth>>> back
w3af/plugins>>> back
```

### Session Management

```bash
# Configure session handling
w3af>>> http-settings
w3af/config:http-settings>>> set max_file_size 1000000
w3af/config:http-settings>>> set max_http_retries 3
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set headers_file /path/to/headers.txt
w3af/config:http-settings>>> back
```
## Scripting and Automation

### W3af Script Files

A script file is just the console commands, one per line, as you would type them:

```text
# Create w3af script file (scan_script.w3af)
target
set target http://target.com/
back
plugins
discovery web_spider, dir_file_bruter, robots_txt
audit sqli, xss, csrf, lfi, rfi
output console, text_file
output config text_file
set output_file /tmp/w3af_scan.txt
back
back
start
```

### Running Scripts

```bash
# Run w3af script
w3af_console -s scan_script.w3af

# Run with profile
w3af_console -p OWASP_TOP10

# Run in batch mode
echo "target; set target http://target.com/; back; start" | w3af_console
```
### Python API Usage

```python
#!/usr/bin/env python3
import w3af.core.controllers.w3afCore as w3afCore
import w3af.core.data.kb.knowledgeBase as kb

# Initialize w3af core
w3af = w3afCore.w3afCore()

# Set target
target_url = "http://target.com/"
w3af.target.set_target(target_url)

# Configure plugins
w3af.plugins.set_plugins(['web_spider'], 'discovery')
w3af.plugins.set_plugins(['sqli', 'xss'], 'audit')

# Start scan (blocks until the scan finishes)
w3af.start()

# Get vulnerabilities from the knowledge base
vulns = kb.kb.get_all_vulns()
for vuln in vulns:
    print(f"Vulnerability: {vuln.get_name()}")
    print(f"URL: {vuln.get_url()}")
    print(f"Severity: {vuln.get_severity()}")
    print("---")
```
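When the scan runs from a script or a container rather than inside a Python process, the `xml_file` report from the Output and Reporting section is the artifact you post-process instead of the knowledge base. The following is an added example, not code from w3af or from this cheat sheet: it parses such a report, collapses duplicate findings, ranks them by severity and flags any finding whose host is outside the agreed scope (a spider that wanders off-target is a common cause of out-of-scope traffic). The element and attribute names it expects (`w3af-run`, `vulnerability`, `information`, `description`, `name`/`severity`/`url`/`var`/`method`/`plugin`) are an assumption about the xml_file layout, and the embedded report is constructed, not real scanner output.

```python
#!/usr/bin/env python3
"""Triage a w3af xml_file report: parse, de-duplicate, rank, scope-check.

Added example, not w3af project code. The element/attribute names below are
an assumption about the xml_file plugin's layout; check them against a
report you generated before relying on this parser.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample report (not real output). It contains a duplicated sqli
# finding and one finding on a host outside the authorized scope.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<w3af-run start="1700000000" version="2.0">
  <scan-info target="http://target.example/"/>
  <vulnerability id="[1]" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/item.php" var="id">
    <description>SQL injection in a MySQL database was found (constructed).</description>
  </vulnerability>
  <vulnerability id="[2]" method="GET" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/item.php" var="id">
    <description>Same issue, reported again by a second request (constructed).</description>
  </vulnerability>
  <vulnerability id="[3]" method="POST" name="Cross site scripting vulnerability"
                 plugin="xss" severity="Medium" url="http://target.example/search.php" var="q">
    <description>Reflected XSS in the q parameter (constructed).</description>
  </vulnerability>
  <vulnerability id="[4]" method="GET" name="Path disclosure" plugin="path_disclosure"
                 severity="Low" url="http://cdn.other.example/assets/" var="">
    <description>Finding on a host the spider wandered to (constructed).</description>
  </vulnerability>
  <information id="[5]" name="Server header" plugin="server_header"
               severity="Information" url="http://target.example/" var="">
    <description>Server: Apache (constructed).</description>
  </information>
</w3af-run>
"""

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Information": 3}


def parse_report(xml_text):
    """Return one dict per <vulnerability> or <information> element."""
    # ElementTree does not resolve external entities, so a tampered report
    # cannot pull local files into the parse; keep reports off world-writable
    # paths such as /tmp anyway when the scanner runs as a privileged user.
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("vulnerability", "information"):
        for el in root.iter(tag):
            findings.append({
                "name": el.get("name", ""),
                "severity": el.get("severity", "Information"),
                "url": el.get("url", ""),
                "var": el.get("var", ""),
                "method": el.get("method", ""),
                "plugin": el.get("plugin", ""),
                "description": el.findtext("description", default="").strip(),
            })
    return findings


def dedupe(findings):
    """Collapse repeats of the same issue on the same URL, parameter and method."""
    seen, unique = set(), []
    for f in findings:
        key = (f["name"], f["url"], f["var"], f["method"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def rank(findings):
    """Most severe first; unknown severity strings sort last."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["url"]))


def count_by_severity(findings):
    return Counter(f["severity"] for f in findings)


def out_of_scope(findings, allowed_hosts):
    """Findings whose URL host is not in the authorized scope list."""
    allowed = {h.lower() for h in allowed_hosts}
    return [f for f in findings
            if (urlsplit(f["url"]).hostname or "").lower() not in allowed]


def triage(xml_text, allowed_hosts):
    unique = dedupe(parse_report(xml_text))
    return {"findings": rank(unique),
            "counts": count_by_severity(unique),
            "out_of_scope": out_of_scope(unique, allowed_hosts)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, ["target.example"])
    for sev, n in sorted(result["counts"].items(), key=lambda kv: SEVERITY_RANK.get(kv[0], 99)):
        print(f"{sev:12} {n}")
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['name']} {f['method']} {f['url']} var={f['var']!r}")
    for f in result["out_of_scope"]:
        print(f"OUT OF SCOPE: {f['url']} ({f['name']})")
```

Point `triage()` at the file named in `set output_file` (read it with `open(...).read()`) and pass the hosts named in the engagement scope; anything in `out_of_scope` should be reviewed before the report goes to the application owner, since it may represent traffic you were not authorized to send.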
## Profiles and Templates

### Built-in Profiles

```bash
# List available profiles
w3af>>> profiles
w3af>>> profiles use OWASP_TOP10
w3af>>> profiles use fast_scan
w3af>>> profiles use full_audit

# View profile configuration
w3af>>> profiles view OWASP_TOP10
```

### Creating Custom Profiles

```bash
# Save current configuration as profile
w3af>>> profiles
w3af/profiles>>> save_as custom_profile

# Load custom profile
w3af/profiles>>> use custom_profile
w3af/profiles>>> back
```

### Profile Configuration Files

Profiles are INI-style files; a custom one (`custom_scan.pw3af`) looks like this:

```ini
[target]
target = http://target.com/

[plugins]
discovery = web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit = sqli, xss, csrf, lfi, rfi, os_commanding
attack = sqlmap, file_upload

[discovery.web_spider]
only_forward = False
ignore_regex = .*\.(jpg|jpeg|png|gif|pdf|zip)$

[audit.sqli]
check_numeric = True
check_string = True

[output]
output = console, text_file
text_file.output_file = /tmp/custom_scan.txt
```
## Integration with Other Tools

### Burp Suite Integration

```bash
# Configure w3af to use Burp as proxy
w3af>>> http-settings
w3af/config:http-settings>>> set proxy_address 127.0.0.1
w3af/config:http-settings>>> set proxy_port 8080
w3af/config:http-settings>>> back

# Export findings to Burp format
w3af>>> plugins
w3af/plugins>>> output burp_export
w3af/plugins>>> back
```

### Metasploit Integration

```bash
# Export vulnerabilities for Metasploit
w3af>>> plugins
w3af/plugins>>> output metasploit_export
w3af/plugins>>> output config metasploit_export
w3af/plugins/output/config:metasploit_export>>> set output_file /tmp/w3af_msf.rc
w3af/plugins/output/config:metasploit_export>>> back
w3af/plugins>>> back

# Use in Metasploit
msfconsole -r /tmp/w3af_msf.rc
```

### OWASP ZAP Integration

```bash
# Export to ZAP format
w3af>>> plugins
w3af/plugins>>> output zap_export
w3af/plugins>>> output config zap_export
w3af/plugins/output/config:zap_export>>> set output_file /tmp/w3af_zap.xml
w3af/plugins/output/config:zap_export>>> back
w3af/plugins>>> back
```
## Performance Optimization

### Threading Configuration

```bash
# Configure threading
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_discovery_time 600
w3af/config:misc-settings>>> set max_scan_time 3600
w3af/config:misc-settings>>> set thread_number 10
w3af/config:misc-settings>>> back
```

### Memory Management

```bash
# Configure memory settings
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 1000000
w3af/config:misc-settings>>> set max_requests_per_second 20
w3af/config:misc-settings>>> back
```

### Rate Limiting

```bash
# Configure rate limiting
w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 5
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```
## Troubleshooting

### Common Issues

```bash
# SSL certificate issues
w3af>>> http-settings
w3af/config:http-settings>>> set ignore_session_cookies True
w3af/config:http-settings>>> set cookie_jar_file /tmp/cookies.txt
w3af/config:http-settings>>> back

# Memory issues
w3af>>> misc-settings
w3af/config:misc-settings>>> set max_file_size 500000
w3af/config:misc-settings>>> set thread_number 5
w3af/config:misc-settings>>> back

# Timeout issues
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 60
w3af/config:http-settings>>> set max_http_retries 5
w3af/config:http-settings>>> back
```

### Debug Mode

```bash
# Enable debug output
w3af>>> misc-settings
w3af/config:misc-settings>>> set debug True
w3af/config:misc-settings>>> back

# View debug information
w3af>>> kb
w3af/kb>>> list vulns
w3af/kb>>> list info
w3af/kb>>> back
```

### Log Analysis

```bash
# View w3af logs
tail -f ~/.w3af/w3af.log

# Enable verbose logging
w3af>>> misc-settings
w3af/config:misc-settings>>> set verbose True
w3af/config:misc-settings>>> back
```
## Best Practices

### Scanning Strategy

- Start with discovery: use comprehensive discovery plugins first
- Targeted auditing: focus audit plugins on the discovered attack surface
- Gradual escalation: start with safe plugins, then move to intrusive ones
- Regular updates: keep w3af and its plugins updated
- Custom payloads: create custom payloads for specific applications

### Performance Considerations

```bash
# Optimized configuration for large applications
w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 15
w3af/config:misc-settings>>> set max_discovery_time 1800
w3af/config:misc-settings>>> set max_scan_time 7200
w3af/config:misc-settings>>> back

w3af>>> http-settings
w3af/config:http-settings>>> set max_requests_per_second 10
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> back
```

### Stealth Scanning

```bash
# Stealth configuration
w3af>>> http-settings
w3af/config:http-settings>>> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
w3af/config:http-settings>>> set max_requests_per_second 2
w3af/config:http-settings>>> set timeout 45
w3af/config:http-settings>>> back

w3af>>> misc-settings
w3af/config:misc-settings>>> set thread_number 3
w3af/config:misc-settings>>> back
```
## Automation Scripts

### Comprehensive Scan Script

```bash
#!/bin/bash
TARGET=$1
OUTPUT_DIR="w3af_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

# Create w3af script (unquoted EOF so $TARGET and $OUTPUT_DIR expand)
cat > "$OUTPUT_DIR/scan.w3af" << EOF
target
set target $TARGET
back
plugins
discovery web_spider, dir_file_bruter, robots_txt, sitemap_xml
audit sqli, xss, csrf, lfi, rfi, os_commanding, xpath
output console, text_file, html_file
output config text_file
set output_file $OUTPUT_DIR/w3af_report.txt
back
output config html_file
set output_file $OUTPUT_DIR/w3af_report.html
back
back
start
EOF

# Run scan
echo "[+] Starting w3af scan for $TARGET"
w3af_console -s "$OUTPUT_DIR/scan.w3af"
echo "[+] Scan complete. Results saved in $OUTPUT_DIR/"
```
### Batch Scanning Script

```bash
#!/bin/bash
TARGETS_FILE=$1
OUTPUT_BASE="w3af_batch_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGETS_FILE" ]; then
    echo "Usage: $0 <targets_file>"
    exit 1
fi

mkdir -p "$OUTPUT_BASE"

# One target URL per line; blank lines are skipped
while IFS= read -r target; do
    if [ -n "$target" ]; then
        echo "[+] Scanning $target"
        # Derive a directory name from the URL: drop the scheme, replace slashes
        target_dir="$OUTPUT_BASE/$(printf '%s' "$target" | sed -e 's|https\?://||' -e 's|/|_|g')"
        mkdir -p "$target_dir"

        cat > "$target_dir/scan.w3af" << EOF
target
set target $target
back
plugins
discovery web_spider, dir_file_bruter
audit sqli, xss, csrf
output text_file
output config text_file
set output_file $target_dir/report.txt
back
back
start
EOF
        w3af_console -s "$target_dir/scan.w3af"
    fi
done < "$TARGETS_FILE"

echo "[+] Batch scanning complete. Results in $OUTPUT_BASE/"
```
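The shell driver above writes a scan script for every non-empty line of the targets file, so a stray hostname or a copy-paste of a production URL goes straight into `w3af_console`. The following Python version is an added example (not from w3af and not the cheat sheet's own script) covering the same job as the W3af Script Files section and the batch script: it generates one `scan.w3af` per target, but checks each URL against an allowed-host list first, skips malformed or out-of-scope entries with a reason, and derives the directory name without the sed pipeline. `validate_target`, `target_dirname`, `plan_batch` and `write_batch` are names chosen for this example; the targets file embedded in it is constructed.

```python
#!/usr/bin/env python3
"""Plan and write per-target w3af console scripts for a batch run.

Added example, not w3af project code. The console commands in the template
(target / set target / plugins / output / start) and the plugin lists are
the ones the batch script above feeds to w3af_console -s; the function
names, the scope check and the directory naming are this example's own.
"""
import re
from pathlib import Path
from urllib.parse import urlsplit

SCRIPT_TEMPLATE = """target
set target {target}
back
plugins
discovery web_spider, dir_file_bruter
audit sqli, xss, csrf
output text_file
output config text_file
set output_file {report}
back
back
start
"""

# Constructed targets file: one in-scope URL, one out-of-scope host, a
# comment line, and a scheme w3af will not scan.
SAMPLE_TARGETS = """\
http://target.example/app/
https://other.example/

# staging host, not yet authorized
ftp://target.example/
"""


def validate_target(url, allowed_hosts):
    """Reject anything that is not an http(s) URL on an authorized host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"no host in {url!r}")
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"{host} is not in the authorized scope")
    return url


def target_dirname(url):
    """Directory name from a URL: scheme dropped, unsafe characters become '_'."""
    parts = urlsplit(url)
    name = re.sub(r"[^A-Za-z0-9._-]+", "_", parts.netloc + parts.path).strip("_")
    return name or "target"


def build_script(url, report_path):
    return SCRIPT_TEMPLATE.format(target=url, report=report_path)


def plan_batch(targets_text, allowed_hosts, output_base):
    """Return ([(script_path, script_text), ...], [(target, reason), ...])
    without touching the filesystem, so the plan can be reviewed first."""
    planned, skipped = [], []
    for line in targets_text.splitlines():
        target = line.strip()
        if not target or target.startswith("#"):
            continue
        try:
            validate_target(target, allowed_hosts)
        except ValueError as err:
            skipped.append((target, str(err)))
            continue
        target_dir = Path(output_base) / target_dirname(target)
        script_path = (target_dir / "scan.w3af").as_posix()
        report_path = (target_dir / "report.txt").as_posix()
        planned.append((script_path, build_script(target, report_path)))
    return planned, skipped


def write_batch(planned):
    """Materialise a reviewed plan; returns the script paths written."""
    written = []
    for script_path, script_text in planned:
        path = Path(script_path)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(script_text)
        written.append(script_path)
    return written


if __name__ == "__main__":
    planned, skipped = plan_batch(SAMPLE_TARGETS, ["target.example"], "w3af_batch_example")
    for target, reason in skipped:
        print(f"[-] skipped {target}: {reason}")
    for script_path in write_batch(planned):
        print(f"[+] wrote {script_path}  (run: w3af_console -s {script_path})")
```

The plan/write split is deliberate: `plan_batch` produces everything you need to eyeball (which hosts will be scanned, where reports land) before a single file exists, and only `write_batch` touches disk; the actual scans are then launched with `w3af_console -s` per script, exactly as the shell version does.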
## Resources

This cheat sheet provides a comprehensive reference for using W3af. Always ensure you have proper authorization before conducting web application security testing.