Welcome to w4af’s documentation

This document is the user’s guide for the Web Advanced Application Attack and Audit Framework (w4af), its goal is to provide a basic overview of what the framework is, how it works and what you can do with it.

w4af is a complete environment for auditing and exploiting Web applications. This environment provides a solid platform for web vulnerability assessments and penetration tests.

Contents

• Installation
  • Prerequisites
  • Installation
  • Supported platforms
  • Installing using Docker
  • Troubleshooting
• Advanced installation
  • Bleeding edge vs. stable
• Updating to the latest version
  • Manually updating
  • Auto-update feature
  • Branches
• Introduction
  • Main plugin types
  • Other plugins
  • Scan configuration
  • Configuration recommendations
• Running w4af
  • Running w4af with GTK user interface
  • Plugin configuration
  • Saving the configuration
  • Starting the scan
• Automation using scripts
  • VIM syntax file
• Authentication
  • Basic and NTLM authentication
  • Form authentication
  • Setting HTTP Cookie
  • Setting HTTP headers
• Common use cases
  • Scanning only one directory
  • Saving URLs and using them as input for other scans
• Advanced use cases
  • Complex Web applications
  • Ignoring specific forms
  • Ignoring URLs during fuzzing
  • Variants
• w4af inside docker
  • Ports and services
  • Sharing data with the container
  • Debugging the container
• Scan REST APIs
  • Scanning REST APIs with an Open API
  • Feeding HTTP requests into w4af
• Exploiting Web application vulnerabilities
• Web Application Payloads
  • Introduction
  • Running Web Application Payloads
  • Metasploit integration
  • Proxying traffic through the compromised host
• Bug reporting
  • Good bug reporting practices
  • Basic debugging
  • False negatives
  • False positives
  • Common problems
  • Outdated profiles
• Contribute

GUI documentation

• GUI Introduction
  • Contents
    • General structure
    • Scanning
    • Analyzing results
    • Exploitation
    • Tools
    • Configurations

REST API documentation

• REST API Introduction
  • Starting the REST API service
  • Authentication
  • Config file format
  • Serve using TLS/SSL
  • REST API Source code
  • REST API clients
  • API endpoints
    • The /scans/ resource
    • The /kb/ resource
    • The /version resource
    • The /traffic/ resource
    • The /urls/ resource
    • The /fuzzable-requests/ resource
    • The /exceptions/ resource

Advanced tips and tricks

• Advanced tips and tricks
  • Memory usage and caches