w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. This project is currently hosted at SourceForge . For further information, you may also want to visit w3af SourceForge project page .

If you are here just to “take a look” these screenshots and videos will show you what w3af can do:

  • OS commanding detection and exploit (console user interface) – Screenshot
  • OS commanding and DAV misconfiguration detection and exploit (console user interface) – Screenshot
  • Blind SQL Injection exploit (console user interface) – Screenshot
  • OS commanding detection and exploit (pyGTK user interface) – Video

Project news

  • Windows installerMon, 02 Jun 2008 13:41:14 GMT
      I’m glad to announce that Ulises Cuñe has finished the first version of the windows installer! He has done a great work with it, and now it is available for download at http://w3af.sourceforge.net/#download . We have tested it in windows XP, windows 2000 and windows Vista and it seems to work as expected on all of them. This is a big step in our project, we expect to get a lot of new users with this installer! (0 comments)
  • beta6 release!Sat, 12 Apr 2008 13:36:01 GMT
      I uploaded beta6 to sourceforge file release system some minutes ago. I released it today because I think that beta5 is really outdated and not many new users download the svn version, which creates some problems. Beta6 introduces some new features like the GTK user interface, new plugins and A LOT of bug fixes that were reported by our users.

      I would like to thank everyone who contributed with this release, specially Sasha, Facundo and Ulises. I would also like to thank our sponsors, Cybsec and Openware for their support and their open source initiative.

      I hope you enjoy it and please report any bugs! =) (0 comments)

  • SponsorsMon, 10 Mar 2008 01:37:11 GMT
      I would like to thank our sponsors, Cybsec (Platinum) and Openware (Gold) for their support and continuous help to the project. If you want to know more about them, visit the Sponsor link in the main menu. (0 comments)
  • Help wantedSun, 24 Feb 2008 18:03:02 GMT
      I would like to use this space to let everyone know that the w3af project is searching for contributors. The contributors I’m searching for are talented web application security hackers, python programmers, hacker wannabes, open source enthusiasts, or anyone that has some spare time and wants to help with the project and learn in the process. The TODO list for the framework is huge, and new ideas are always welcome. If you want to join our team, send an email to the w3af-develop list. (0 comments)
  • Changes in SVNThu, 31 Jan 2008 21:07:47 GMT
      For those who don’t follow the developers mailing list, we have just made some changes to the SVN directory structure that may impact on your “svn update” process. After some talking with Sasha we decided to follow the best practices and use trunk and branches in the SVN. So, if you already performed a “svn co” you will need to go to your working copy directory and run: “svn switch https://w3af.svn.sourceforge.net/svnroot/w3af/trunk”

      That command will replace the old URL with the new one, and will allow you to keep performing regular updates to get the latest goodies.

      New users should just run “svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af” and start clean from there. (0 comments)


w3af is going to be presented at:

If you are going to be there, let me know and we’ll have a beer ;)


A small FAQ can be read here .


We are actively working on the documentation. Documentation of the project is created using epydoc . We think that documentation is a really important part of every Open Source project and it will be taken really seriously.

Official documentation:

  • The w3af user’s guide can be found here .
  • The epydoc documentation for w3af can be found here .
  • The presentation materials used at the T2 conference can be found here .

External resources:

  • Josh Summit wrote a two part tutorial of w3af on his blog: 1 , 2 .
  • Fuzion wrote a windows installation tutorial on his blog .

Prerequisites and Installation

The installation procedure and the project prerequisites can be found in the users guide, which is available here.


Mailing List

w3af has three mailing lists, one for users where end users can ask questions about the framework usage and its features; a developers mailing list were new features and advanced topics are discussed; and a third one which is used to notify developers about svn commits and tasks that have been created.

The mailing lists are open for any questions regarding w3af, but please read the documentation, the user guide and the mailing list archives before asking.



w3af is an Open Source software package. It is licensed under the GNU General Public License Version 2.



You can get the latest(and more unstable) version from the development svn using this command:

svn co https://w3af.svn.sourceforge.net/svnroot/w3af/trunk w3af

Or you can download a release package:

  • w3af r1243 [windows-installer]

    Released: Mon, 02 Jun 2008 13:32:41 GMTDownload

  • w3af beta6 [xis]

    Released: Sat, 12 Apr 2008 13:06:16 GMTDownload

  • w3af beta5 [yen]

    Released: Thu, 18 Oct 2007 23:32:40 GMTDownload

  • w3af beta4 [prel]

    Released: Sun, 10 Jun 2007 16:11:07 GMTDownload



The project leader is Andres Riancho , a student at UBA and an information security geek that lives in Argentina. He has contributed to other Open Source projects and sporadically writes for SecureArg an information security site co-founded by him.

For any issues with the framework, please subscribe to the mailing list and make your questions there, for personal questions you can contact me at: andres -dot- riancho [at] gmail +dot+ com . This request is not in vain, if all w3af users send their problems to me and I answer them directly, no community is created and no synergy is achieved. top