W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.
For downloads and more information, visit the w3af homepage.
Tried to install this on numerous systems and eventually with help got it running. Needs far too many dependencies installed and too much messing about to be of much use. Once running it's buggy and begs the question can it be relied upon? Even within Kali it reports website timeouts, yet Zap or Burp are able to do a successful scan. I wanted this to work so much and be able to use it as an additional check of my results but have now binned it.
The best free software for pentesting web applications.