
w3af Executor

Category: Web Application Scanners
Script: w3af.py
Integration: CLI (w3af_console)
Faraday Plugin: W3afPlugin
Website: http://w3af.org/

Description

Generates a w3af configuration script that enables all crawl, grep, audit, and bruteforce plugins, runs w3af_console in scripted mode against a target URL, and parses the XML output into Faraday.

Prerequisites

  • w3af installed locally
  • Python 2.7 (required by w3af itself)
  • w3af_console available in the w3af installation directory

Configuration

Environment Variables (Setup)

| Variable  | Required | Description                                                        |
|-----------|----------|--------------------------------------------------------------------|
| W3AF_PATH | Yes      | Path to the w3af installation directory (containing w3af_console) |

Execution Arguments

| Parameter       | Type | Mandatory | Description        |
|-----------------|------|-----------|--------------------|
| W3AF_TARGET_URL | url  | Yes       | Target URL to scan |

YAML Configuration Example

executors:
  w3af_scan:
    repo_executor: w3af.py
    max_size: 65536
    varenvs:
      W3AF_PATH: /opt/w3af
    params:
      W3AF_TARGET_URL:
        mandatory: true
        type: url
        base: string

How It Works

  1. Generates a comprehensive w3af configuration script enabling:
       • all crawl plugins (except bing_spider, google_spider, spider_man)
       • all grep plugins
       • all audit plugins
       • all bruteforce plugins
  2. Sets the target URL and XML output path in the script
  3. Runs python2.7 ./w3af_console -s <config_script> from within W3AF_PATH
  4. Parses the XML output through W3afPlugin and outputs Faraday JSON
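The procedure above, worked end to end as an added example (this is not the executor's own code from the Faraday repository, nor w3af's). It renders a w3af_console script with the same plugin selection, shows how the executor invokes w3af_console from inside W3AF_PATH, and reduces the resulting XML to a per-finding summary of the kind W3afPlugin consumes. Two things are assumptions rather than facts from this page: the `all` / `!plugin` selection syntax and the `plugins` / `output` / `target` navigation are w3af_console's scripted-mode commands as I recall them, and the attribute names on `<vulnerability>` follow w3af's xml_file output as I recall it; `target.example`, the sample XML and the helper names are constructed for the example. The `validate_target` check is the caveat a practitioner wants here: the target URL is interpolated into a newline-delimited command script, so a value carrying whitespace or control characters could append commands of its own.

```python
"""Added example: build the w3af scripted-mode config, run w3af_console,
and summarise the XML output. Not the Faraday executor's own code."""
import re
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Crawl plugins the executor leaves out (external search APIs / interactive proxy)
EXCLUDED_CRAWL = ("bing_spider", "google_spider", "spider_man")


def validate_target(target_url: str) -> str:
    """Reject anything that could smuggle extra lines into the w3af script.

    The URL is written into a newline-delimited command script, so whitespace
    or control characters in it could inject further console commands.
    """
    if re.search(r"[\s\x00-\x1f\x7f]", target_url):
        raise ValueError("target URL must not contain whitespace or control characters")
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("target URL must be an absolute http(s) URL")
    return target_url


def build_script(target_url: str, xml_path: str) -> str:
    """Render the console script with the page's plugin profile.
    Command syntax ('all', '!name', plugins/output/target menus) is
    w3af_console's as I recall it: an assumption, not taken from the page."""
    target_url = validate_target(target_url)
    crawl_spec = "all, " + ", ".join(f"!{p}" for p in EXCLUDED_CRAWL)
    lines = [
        "plugins",
        f"crawl {crawl_spec}",
        "grep all",
        "audit all",
        "bruteforce all",
        "output xml_file",
        "output config xml_file",
        f"set output_file {xml_path}",
        "back",            # leave xml_file config, back to plugins menu
        "back",            # leave plugins menu, back to root
        "target",
        f"set target {target_url}",
        "back",
        "start",
        "exit",
    ]
    return "\n".join(lines) + "\n"


def run_scan(w3af_path: str, target_url: str, xml_path: str, script_path: str) -> int:
    """Write the script and invoke w3af_console the way the executor does.
    cwd must be W3AF_PATH because w3af_console is run as ./w3af_console.
    Returns the process exit code."""
    with open(script_path, "w") as fh:
        fh.write(build_script(target_url, xml_path))
    proc = subprocess.run(["python2.7", "./w3af_console", "-s", script_path], cwd=w3af_path)
    return proc.returncode


def parse_findings(xml_text: str) -> list:
    """Extract one dict per <vulnerability> element from w3af's xml_file output.
    Attribute names (name, severity, url, plugin) are assumed from memory of
    that format; adjust if your w3af version differs."""
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.iter("vulnerability"):
        findings.append({
            "name": vuln.get("name", ""),
            "severity": vuln.get("severity", "Information"),
            "url": vuln.get("url", ""),
            "plugin": vuln.get("plugin", ""),
            "description": (vuln.findtext("description") or "").strip(),
        })
    return findings


def count_by_severity(findings: list) -> Counter:
    """Severity histogram, useful as a quick sanity check before import."""
    return Counter(f["severity"] for f in findings)


# Constructed sample shaped like w3af xml_file output; not a real scan result.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w3af-run start="1" version="1.6.0.5">
  <vulnerability id="[1]" method="GET" name="Cross site scripting vulnerability"
                 plugin="xss" severity="Medium" url="http://target.example/search" var="q">
    <description>A Cross Site Scripting vulnerability was found at "http://target.example/search" (parameter q).</description>
  </vulnerability>
  <vulnerability id="[2]" method="POST" name="SQL injection" plugin="sqli"
                 severity="High" url="http://target.example/login" var="user">
    <description>SQL injection was found at "http://target.example/login" (parameter user).</description>
  </vulnerability>
  <vulnerability id="[3]" method="GET" name="Server header" plugin="server_header"
                 severity="Information" url="http://target.example/">
    <description>The server header for the remote web server is "nginx".</description>
  </vulnerability>
</w3af-run>
"""

if __name__ == "__main__":
    print(build_script("http://target.example/", "/tmp/w3af-out.xml"))
    findings = parse_findings(SAMPLE_XML)
    for f in findings:
        print(f"{f['severity']:<12} {f['name']:<40} {f['url']}")
    print(dict(count_by_severity(findings)))
```

To run it against a real installation, call `run_scan("/opt/w3af", "http://target.example/", "/tmp/w3af-out.xml", "/tmp/w3af.w3af")` and then feed the XML file to `parse_findings`; the scan itself still needs the Python 2.7 interpreter listed under Prerequisites, while this wrapper runs under Python 3 like the dispatcher.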

Notes

  • w3af requires Python 2.7, which is end-of-life; consider using alternative scanners for new deployments
  • The scan profile is aggressive (all plugins enabled) and can be slow on large targets
  • The executor runs from within the W3AF_PATH directory, so the path must point to the w3af installation root