w3af is an open-source web application security scanner (OWASP Top 10) that enables developers and penetration testers to distinguish and exploit vulnerabilities in their web applications, especially OWASP Top 10 Vulnerabilities.
This tool also provides GUI framework but sadly most of the time GUI mode hangs up, most recommended is to work with w3afconsole.
It is also called “Metasploit for the web” but actually, it is more than that. w3af uses black-box scanning techniques and it has more than 130 plugins and can detect 200+ vulnerabilities including XSS, Injection, LFI, RFI, CSRF, and more.
Also, you can learn Advanced Pentesting and Web Hacking – Scratch to Advance level course
To start with w3af root@kali:~# w3af and then load the help menu w3af>>> help.
To navigate the profiles w3af>>> profiles and to list all the possible options w3af/profiles>>> list
You need to select the Profile as OWASP_10 w3af/profiles>>> use OWASP_10
Also read: How to Do Penetration Testing with Your WordPress website detailed Explanation
Then you need to define the target to start the Scan w3af/profiles>>>back. to get back to the main menu and then
w3af>>> target
w3af/config:target>>> set target domain.com
w3af/config:target>>> save
w3af/config:target>>> back
It will save all the configurations.
Also Read: XSSer automated framework to detect, exploit and report XSS vulnerabilities
Then you need to start the scan with w3af.
w3af >> start
Normally scan will take around 20 minutes to complete all OWASP Top 10 Vulnerabilities, depending upon the target it may vary. Happy pentesting!!
You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.
A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…
Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…
An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…
A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…
The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…
NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…
View Comments