
Tool and Usage

Project details

Programming language
Andres Riancho
Latest release
Latest release date

Project health

This score is calculated from several factors, such as project age and last release date.

Why this tool?

W3af is an open source web application attack and audit framework that helps with scanning for vulnerabilities. The tool comes with both a graphical user interface (GUI) and a command line utility. Some of the project files include a copyright line of 2006. That gives a good idea of the maturity of the project, and it is one of the rare tools that is still maintained after so many years.

How it works

The w3af framework is written in Python and has a well-structured code base. Besides the core and support for multiple languages (locales), the main work happens in the plugins section. The plugins cover tasks such as brute forcing, auditing, SQL injection, and file inclusion.

Usage and audience

w3af is commonly used for application security, application testing, penetration testing, vulnerability scanning, or web application analysis. Target users for this tool are pentesters and security professionals.


  • Command line interface
  • Extendable with custom tests and plugins
  • Graphical user interface

Tool review and remarks

The review and analysis of this project resulted in the following remarks for this security tool:


  • + Tool is modular and extendable
  • + More than 2000 GitHub stars
  • + The source code of this software is available

History and highlights

  • Demo at Black Hat USA 2014 Arsenal

Author and Maintainers

W3af is under development by Andres Riancho.


Supported operating systems

W3af is known to work on Linux and Microsoft Windows.

w3af alternatives

Similar tools to w3af:



Yasuo is a Ruby script that scans for vulnerable and exploitable third-party web applications.



OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.



Web Application Security Scanner aimed towards helping users evaluate the security of web applications
