w3af should have an option to add parameters where there are none.
Today was testing an application that has XSS in any parameters, but in the public interface it is never called with parameters.
For example, the application could have had this URL:
and anything added as a parameter was vulnerable to XSS:
This controller was visible externally, but never called with any parameters, so w3af missed the XSS.
Once again, not sure if this should be a global option, a separate plugin, or an option on specific discovery or exploit plugins..