W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.
For downloads and more information,
visit the w3af homepage.
Tried to install this on numerous systems and eventually with help got it running. Needs far too many dependencies installed and too much messing about to be of much use. Once running its buggy and begs the question can it be relied upon? Even within Kali it reports website timeouts, yet Zap or Burp are able to do a successful scan. I wanted this to work so much and be able to use it as an additional check of my results but have now binned it.