Since our latest w3af release in mid-January, and our new Windows installer release a couple of months ago, we've got lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code-base is no joke: it requires countless hours of writing unit tests, running w3af scripts and, most importantly, fixing bugs. Now, finally, we're here!
Since our latest release back in November, the w3af team has focused on making the framework better, stronger and faster. By downloading this release you'll be able to enjoy new vulnerability checks, more stable code and a performance boost of about 15% in the overall speed of your scan. Here's what's new:
* Now using Bloom filters instead of the on-disk sqlite3 databases, effectively increasing scan performance by about 15%!
* Fixed most of the bugs that caused w3afMustStopExceptions and wrote debugging code to allow us to identify the remaining ones.
* Based on many community requests we've updated our XML output plugin and wrote an XSD file to help other tools parse the output from our scanner.
* Added a new plugin that measures the number of hops to port 80 vs. port 443 and compares them, which is useful for identifying load balancers, reverse proxies and other network appliances.
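As an added example (not w3af's own code), here is the trade-off behind the first bullet: a Bloom filter replaces an on-disk table of already-seen URLs with an in-memory bit array, so membership tests are cheap, but a small, bounded fraction of genuinely new URLs may be reported as seen and skipped. Sizes, rates and the sample crawl queue below are constructed for illustration.

```python
import hashlib
import math


class BloomFilter:
    """In-memory set sketch sized for `expected_items` at false-positive rate `fp_rate`."""

    def __init__(self, expected_items, fp_rate):
        # Standard sizing: m bits and k hashes that minimise false positives for n items.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: k indices derived from the two 64-bit halves of one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so the k indices differ
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        # No false negatives: anything that was added is always reported present.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def dedup_urls(urls, expected_items=10_000, fp_rate=0.001):
    """Return the URLs a crawler would request, skipping any the filter has seen.

    A false positive means a new URL is wrongly skipped (lost coverage), never
    that a seen URL is fetched twice; fp_rate bounds how often that happens.
    """
    seen = BloomFilter(expected_items, fp_rate)
    to_visit = []
    for url in urls:
        if url in seen:
            continue
        seen.add(url)
        to_visit.append(url)
    return to_visit


if __name__ == "__main__":
    # Constructed sample crawl queue with repeats, as a scanner's crawler would produce.
    queue = ["http://app.example/", "http://app.example/login",
             "http://app.example/", "http://app.example/search?q=1",
             "http://app.example/login"]
    for url in dedup_urls(queue):
        print(url)
```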
This is one of those great moments in the life of a project, a moment that I've been dreaming about for a couple of years. We're releasing a new version of w3af, but that's not important. The major achievement is the story behind the release, the effort put in this release by all the contributors, Javier Andalia (our core developer) and Rapid7 (the company that allows all this to happen).
For the first time in the project's life, we have a roadmap [0], a prioritized backlog [1] and a structured development process we follow to deliver new features and fix bugs.
I have been passionate about the Web application security field for years, which is why I developed w3af. Some have even called it the "Metasploit" of Web application security. Over the last year or so, I have been thinking how I can personally help to raise the bar for Web application security even further and turn w3af into one of the leading open source security projects.
I am therefore very excited that today I am announcing that Rapid7 is sponsoring the w3af project and that I will be joining Rapid7 as Director of Web Security to spearhead Rapid7's worldwide Center of Excellence (COE) for Web security. The first immediate result of the sponsorship is that I have already hired a first employee at the COE and will be looking to staff several other engineering positions here in Argentina.
The development team is proud to announce a new w3af release! Some of the features of the 1.0-rc3 version are:
* Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
* Increased speed by rewriting parts of the thread management code
* Fixed tons of bugs
* Reduced memory usage
* Many plugins were rewritten using different techniques that use fewer HTTP requests to identify the same vulnerabilities
* Reduced false positives
Sofian Brabez, our FreeBSD expert, has updated the FreeBSD port of w3af to the 1.0-rc2 version and committed it to the FreeBSD ports tree. If you're using FreeBSD, now you have one more reason to use w3af and make your life easier when hacking web applications.
Thanks to the help of Luciano Bello, w3af made it to the official Debian repositories. For now, the package is only on the unstable branch, but for the dare-devils that use it, you can now install w3af by issuing "apt-get install w3af".
This is also good news for all the Debian based distributions (like Ubuntu), because w3af will be available for them as a package too.
The w3af team is proud to announce the 1.0-rc2 release, which basically fixes some bugs in the 1.0-rc1 release and gets us closer to the stable 1.0 release.
We would also like to ask all users to report their bugs and perform intensive testing on the framework. Your feedback is invaluable to us.
After a lot of work of the w3af team, we are proud to announce the first release candidate for the 1.0 version!
This release fixes A LOT of bugs, reduces memory usage, and increases the performance of the HTTP request library.
Our goal is to have a stable release in two weeks, which will allow us to keep building and adding new features on top of it. A new era is coming... Web Application Payloads are just around the corner...
We are glad to announce that the latest version of w3af is available to the public! As usual, I want to thank all the contributors for their great work, and Ulises Cune for the Windows installer.
Have fun, and don't hack too many web apps ;)
I'm glad to announce that Ulises Cune has finished the first version of the Windows installer! He has done a great job with it, and it is now available for download at http://w3af.sourceforge.net/#download . We have tested it on Windows XP, Windows 2000 and Windows Vista and it seems to work as expected on all of them. This is a big step for our project; we expect to get a lot of new users with this installer!
I uploaded beta6 to the SourceForge file release system some minutes ago. I released it today because I think that beta5 is really outdated and not many new users download the SVN version, which creates some problems. Beta6 introduces some new features like the GTK user interface, new plugins and A LOT of bug fixes that were reported by our users.
I would like to thank everyone who contributed to this release, especially Sasha, Facundo and Ulises. I would also like to thank our sponsors, Cybsec and Openware, for their support and their open source initiative.
I would like to thank our sponsors, Cybsec (Platinum) and Openware (Gold) for their support and continuous help to the project. If you want to know more about them, visit the Sponsor link in the main menu.
I would like to use this space to let everyone know that the w3af project is searching for contributors. The contributors I'm searching for are talented web application security hackers, python programmers, hacker wannabes, open source enthusiasts, or anyone that has some spare time and wants to help with the project and learn in the process. The TODO list for the framework is huge, and new ideas are always welcome. If you want to join our team, send an email to the w3af-develop list.
For those who don't follow the developers mailing list, we have just made some changes to the SVN directory structure that may impact your "svn update" process. After some talking with Sasha we decided to follow the best practices and use trunk and branches in the SVN. So, if you already performed a "svn co" you will need to go to your working copy directory and run: "svn switch https://w3af.svn.sourceforge.net/svnroot/w3af/trunk"
To start this year I would like to thank all contributors for their work, w3af is a relatively new project and it would be impossible to keep growing at this rate without them.
I have some interesting news:
- There is a new plugin list online available at http://w3af.sourceforge.net/pluginDesc.php ; I believe that this list will attract new users and will benefit the project.
- I have been working on a series of bug reports made by Ulises Cuñé and a contributor from Germany who prefers to remain anonymous (stupid laws...).
The last months have been really good. I traveled to Mar del Plata to present w3af at CIBSI and afterwards I rushed back to Buenos Aires in order to speak at Ekoparty (*great* conference!). During these conferences I met a bunch of people that might be interested in contributing.
For those who don't read the mailing list, I have been working on Javascript analysis, and finished JSON support. There is also a subject that has started to gain a lot of importance in this project: a desktop GUI coded in pyGTK. It's going to be an exciting summer! =)
After a lot of hard work I'm releasing the fifth beta version of w3af, codename YEN. This release is much more stable than its predecessor, and also implements some really interesting features like virtual daemons and w3afAgents. You can get the latest version from the download section of this page.
I'm updating the documentation and performing some final tests in order to be able to release a new beta version of w3af this week. Keep an eye on the mailing lists and this XML feed to be able to download the latest version!
T2 was a success! There were some really good talks and some speakers even knew what w3af was ;) If you live near Finland I would highly recommend attending that con next year.
w3af will be presented at T2! See the conference site at http://www.t2.fi/ for more information about my presentation. All the presentation materials will be available on this site after the conference, so keep an eye on the w3af news.
Since the beta4 release, I have been fixing a lot of bugs (thanks to all who reported them!) and adding some simple features to w3af. If everything goes as expected, I will release a new version of w3af with one or two new plugins and a much more stable core in the near future (one or two months from now).
Two days after the mail to the security lists, the project homepage had been visited almost 17K times and the software downloaded 700 times. For now the release seems to be a success; the only thing that's missing is the bug reports! I really need those bugs to make w3af better, so please report them all!
The beta4 version of this project is out; many new features and bug fixes are the core of this new release. I have sent some mails to full-disclosure and bugtraq to make this project known in the community, so bug reports will flow next week =) Have fun testing w3af!
sapyto, a framework for SAP auditing and exploiting developed by Mariano Nuñez DiCroce is out to the public. It can be downloaded from: http://www.cybsec.com/EN/research/default.php#3 . This news item is relevant to w3af because sapyto uses the w3af architecture as a base. God bless GPL ;)