W3af overview

W3af is a security audit tool for web applications. It is divided into several modules, such as Attack, Audit, Exploit, Discovery, Evasion and Brute Force. Each of these modules has several sub-modules; for example, if we need to test for Cross-site scripting (XSS) vulnerabilities in the web application, we can select the XSS option in the Audit module.

The main feature of W3af is that its audit system is based entirely on plugins written in Python. This makes for an easily scalable framework and a community of users who contribute new plugins as new web-security flaws appear.

The vulnerabilities that the available plugins detect and exploit are:

  • CSRF
  • XPath Injection
  • Buffer overflows
  • SQL Injection
  • XSS
  • LDAP Injection
  • Remote File Inclusion

In this screenshot, we can see the w3af official site with doc links:

We have a set of preconfigured profiles, for example, the OWASP TOP 10, which performs a comprehensive vulnerability analysis:
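The plugin and profile selection described above, written as a w3af console script (an added example, not from the original text): it enables the XSS and SQL injection audit plugins together with the web_spider crawler and an HTML report. The target URL is a placeholder, and the `output_file` option name of the html_file plugin is assumed.

```text
# w3af console script (assumed usage: ./w3af_console -s audit_xss_sqli.w3af)
# Placeholder target: replace with a host you are authorised to test.
plugins
# Audit plugins for the vulnerability classes discussed in the text
audit xss sqli
# Crawler so the audit plugins have pages and forms to test
crawl web_spider
crawl config web_spider
set only_forward True
back
# Console output plus an HTML report file
output console,html_file
output config html_file
# option name assumed
set output_file /tmp/w3af_report.html
back
back
# Alternative to choosing plugins by hand: load a preconfigured profile
#   profiles
#   use OWASP_TOP10
#   back
target
set target http://target.example/
back
start
```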

It is a framework that allows different types of tests to be run against web applications to determine what vulnerabilities the application may have, detailing levels of criticality based on the impact they may have on the web infrastructure or on its clients.

Once the analysis is complete, w3af displays detailed information about the vulnerabilities found on the specified website, which could be compromised through further exploitation.

In the results tab, we see the results of the scan over a specific website:

In the Description tab, we can see a description of the SQL injection vulnerability:

We also get Cross-site scripting (XSS) vulnerabilities in the site:

A complete report of the results of this analysis is available in the shared testphp_vulnweb_com.pdf file.

In this report, we can see the files affected by all detected vulnerabilities, such as SQL injection:
