w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. It is developed using Python to be easy to use and extend, and licensed under GPLv2.0. w3af is fully extensible and if you need a plugin that is not available, then you can simply create it yourself. w3af is already installed in BackTrack 5.
> Open your BackTrack VM
> Select Applications -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Vulnerability Scanners -> w3af console or w3af gui.
In the example below we are going to use w3af’s web spider-crawler plugin.
Open w3af console and follow these steps to crawl your target.
Set your target
set target http://target_url
discovery config webSpider
press enter. For our example we are going to leave everything as it is.
Enable webSpider plugin
Check which discovery plugins are enabled
list discovery enabled
press enter. You should see webSpider in the list!
Select report format
press enter. There are 8 format types. Type help for more info.
You can get more help on any step by executing
To cancel scanning hit ctrl+c and enter.
View the results
Open file report.html from folder /pentest/web/w3af.