The sys admin’s daily grind: w3af

Braving the Gap


After toiling away to create a small but exclusive website, Charly wanted to run a security scanner against it to check for vulnerabilities. The choice of tools is enormous, but Charly chose w3af.

Penetration testing is really a task for specialists who are familiar with the tools of the trade, understand potential vulnerabilities and attack vectors, and test them on a case-by-case basis. The basic principle is not to fire a broadside at the target but carefully to identify the weak points and select an attack method to match. Suitable tools certainly are not lacking, and Metasploit and OpenVAS are totally over the top if you just want to check whether your new website contains any bugs that expose it to cross-site scripting or SQL injection. For performing a small check, I prefer to use the Web Application Attack and Audit Framework (w3af).