W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit. For downloads and more information, visit the w3af homepage.

#18, new!
Latest release: 1.1, Oct. 11, 2011 (12 years, 7 months ago)
★★★½ (15)
40% ★★★★
13% ★★★
13% ★★



no rating JoshuaDaily

Not working as well as in previous days. Back 2-3 years ago it was really good. Nowadays I can't use it. Is it a bug? Or no more dev?


False positives, false positives, false positives, did I mention false positives--that's when you can even get it to work through without crashing.

★★★ DNdnhtimy

Dude, tool is great when it works, but it took forever to get working on OSX 10.9. Also keeps crashing.

★★★★ lehenga choli

w3af is a good tool to begin with. Open source, which I love :-)

★★★★★ KTB

I have experienced plenty of little bugs, crashes and other issues while using w3af over the past few years, yet it remains my favorite general vulnerability scanner for web apps.

★★★★★ Doctor

Installation is kind of weird, but the tool is very useful and easy to use. Best choice for a good start.

★★ andy

Tried to install this on numerous systems and eventually with help got it running. Needs far too many dependencies installed and too much messing about to be of much use. Once running it's buggy, and begs the question: can it be relied upon? Even within Kali it reports website timeouts, yet Zap or Burp are able to do a successful scan. I wanted this to work so much and be able to use it as an additional check of my results but have now binned it.

★★★ Naresh K

This is fine for scanning vulnerabilities. We can use it efficiently in some other ways...


I've really tried to love w3af - it's Python, it's web pentesting, it's open-source - everything I love.

Unfortunately, once you get around the seemingly strict set of prereqs to install it, it is incredibly buggy. It seems to try to do too many things and be too fancy, but simply isn't useful.

A real pity.

★★★★★ Bill

Nice tool...will be sure to try it for my web apps.

★★ babas

I found it buggy - probably takes an expert user who knows programming to work it properly.

★★★★★ P3nM3

Great. It worked. Can't really complain about that. Lots of tests and lots of results, not good for the PM....

★★★★ xem

Great Web Application PenTest tool. Fine to see it here.


Couldn't use it because I couldn't open the GUI, installed everything but no idea how to open the GUI >.< I tried lol.

no rating netwrkspider

One of the most powerful web penetration tools.


★★★★★ unbaiat

Very powerful tool in the hands of the right ppl. Here is their twitter if you wanna follow them for updates: http://twitter.com/#!/w3af

no rating Andres Riancho

w00t! We made it to the list! Thanks to everybody who voted for us and the community effort behind each line of code :)

[Moderator note: 5-star rating removed from this review since it is by tool author]

★★★★★ Oxdef

The best free software for pentesting web applications.
