W3af is a web application attack and audit framework. The goal of this application is to be a main reference to find and exploit web application vulnerabilities that are easy to use and extend. This tool identifies most of the web application vulnerabilities using more than 130 plugins.

W3af can be launched against all common web applications but, of course, there are limitations. Limitations mean this application can neither be considered a solution to all of our web application security problems, nor a replacement for manual penetration testing. It is just an automated script running scanner that includes and detects the most well-known vulnerabilities on web apps.

Beside limitations, W3af also has potential features that most of the scanners do not have. Features such as tactical exploitation techniques to discover new URLs and vulnerabilities, blind SQL injection and exploitation of it, remote file inclusions, local file inclusions, cross-site scripting...