Overview
w3af stands for web auditing and attack framework. I have heard some say that it is the metasploit for web applications. w3af is basically a free open source web application scanner. w3af has many plugins that are divided into attack, audit, exploit, discovery, evasion, bruteforce, mangle and a few others. The code is well commented and written in python, so writing your own exploits and plugins should be trivial, but I cannot say for sure since I have not tried as of yet. I will spend more time on this in later articles. This will be the first of many w3af tutorials.
Getting started
I have installed it on both Ubuntu Feisty and Cygwin for Windows. Both installs are relatively painless. Just follow the instructions in the w3afUsersGuide and you will be fine.
Once you have all the prerequisites then you can start w3af as follows:
$ ./w3af
w3af>>>
Typing help will give you a list of options.
w3af>>> help
The following commands are available:
help                You are here. help [command] prints more specific help.
url-settings        Configure the URL opener.
misc-settings       Configure w3af misc settings.
session             Load and save sessions.
plugins             Enable, disable and configure plugins.
start               Start site analysis.
exploit             Exploit a vulnerability.
tools               Enter the tools section.
target              Set the target URL.
exit                Exit w3af.
w3af>>>
First we need to talk about how the interface for w3af is configured. You move forward by typing a given option and back by typing back. Type view to see a list of configurable options and use the set command to change the options. Below we will set the target. This will be the URL that we will be auditing.
Configuration:
w3af>>> target
w3af/target>>> help
The following commands are available:
help                You are here. help [command|parameter] prints more specific help.
set                 Set a parameter value.
view                List all configuration parameters and current values.
back                Return to previous menu.
w3af/target>>> view
Parameter           Value               Description
=========           =====               ===========
target                                  A comma separated list of URLs
w3af/target>>> set target http://localhost:8080
w3af/target>>> view
Now let's configure our plugins.
w3af/target>>> back
w3af>>> plugins
w3af/plugins>>> help
The following commands are available:
help                You are here. help [command] prints more specific help.
list                List all available plugins.
audit               Enable and configure audit plugins.
bruteforce          Enable and configure bruteforce plugins.
discovery           Enable and configure discovery plugins.
evasion             Enable and configure evasion plugins.
grep                Enable and configure grep plugins.
mangle              Enable and configure mangle plugins.
output              Enable and configure output plugins.
back                Return to previous menu.
To audit a web application we need at least three plugins configured: audit, discovery, and output. Typing list plus the plugin name will show all available options for that plugin. If you type list audit you will see all the auditing extensions like xss, xsrf, sql injection, ldap injection, etc. Typing list discovery will display all discovery options.
Just typing the plugin name (i.e. audit) will display which options are loaded. By default there are no options configured for any of the plugins. You will have to add them. Some examples would be:
w3af/plugins>>> audit xss,xsrf,sqli 
To select a few options to load.
or 
w3af/plugins>>> audit all 
To load all options.
I am going to configure our webserver audit to test for Cross-Site Scripting and typical web server vulnerabilities, and we want it to spider (crawl) the entire site. We also want to save the results into an HTML audit report. To do this we need to run the following commands:
w3af/plugins>>> audit xss
w3af/plugins>>> audit
Enabled audit plugins:
xss
w3af/plugins>>> discovery webSpider,pykto,hmap
w3af/plugins>>> discovery
Enabled discovery plugins:
webSpider
pykto
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> view
Parameter           Value               Description
=========           =====               ===========
verbosity           0                   Verbosity level for this plugin.
httpFileName        output-http.txt     File name where this plugin will write HTTP requests and responses
reportDebug         False               True if debug information will be appended to the report.
fileName            report.html         File name where this plugin will write to
I have just configured a basic audit with w3af to test for XSS. We initially set the target to be http://localhost/ so it will scan my local apache server. I used pykto, which is a python version of the perl tool nikto, to scan for webserver vulnerabilities. The webSpider plugin will do all the URL crawling and create lists of URLs to audit. The output plugins will write the results to the command line and to the HTML file called report.html in your application folder. The HTML output will not be available until the audit is complete. hmap fingerprints the server. The output-http.txt file records server requests and responses.
Start the audit as follows:
w3af/plugin/htmlFile>>> back
w3af/plugins>>> back
w3af>>> start
Be prepared to wait a while for the audit to complete.
w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
Auto-enabling plugin: discovery.error404page
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: Apache/2.2.3 (Ubuntu) PHP/5.2.1
Hmap plugin is starting. Fingerprinting may take a while.
The most accurate fingerprint for this HTTP server is: Apache/2.0.55 (Ubuntu) PHP/5.1.2
pykto plugin is using "Apache/2.0.55 (Ubuntu) PHP/5.1.2" as the remote server type. This information was obtained by hmap plugin.
pykto plugin found a vulnerability at URL: http://localhost/icons/ . Vulnerability description: Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used, the /icons directory should be removed. The vulnerability was found in the request with id 128.
pykto plugin found a vulnerability at URL: http://localhost/doc/ . Vulnerability description: The /doc directory is browsable. This may be /usr/doc. The vulnerability was found in the request with id 1865.
pykto plugin found a vulnerability at URL: http://localhost/\> . Vulnerability description: The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. The vulnerability was found in the request with id 3385.
New URL found by discovery: http://localhost/
New URL found by discovery: http://localhost/test2.html
New URL found by discovery: http://localhost/xst2.html
New URL found by discovery: http://localhost/xst.html
New URL found by discovery: http://localhost/test.html
Here is an example of the results.html
