W3af- Free Website Vulnerability Scanner
If you are looking for vulnerability scanning and assessment tools, w3af is one of them. It is an open source web vulnerability scanner used to audit the security of websites: it scans the application and finds web server and web application vulnerabilities.
w3af is a lightweight but aggressive web vulnerability scanner brought to the security community by the developers of the OWASP web application security project. Reporting is limited and not as polished as Arachni's, but it gives a decent basis for vulnerability reporting. The big advantage, or drawback depending on how a pentester is engaged on a project, is that w3af has plenty of configurable vulnerability plugins that require updates from the Internet at the time the plugin is launched. During a pentest engagement, if the tester does not have Internet access, w3af will generate numerous failures. If an Internet connection is available, the plugins will download scripts and vulnerability checks, making sure the output is as up to date as possible.
How to run w3af in Kali Linux :
w3af comes by default in Kali Linux and can be launched from the following menu location:
Click on Applications > Kali Linux > Web Applications > Web Vulnerability Scanner > w3af
When the w3af GUI opens, an empty profile is loaded with no active plugins. A new profile can be created by first selecting the desired plugins and then choosing Profiles > "Save as" from the menu bar. Some prepopulated profiles already exist and are available to use. Clicking on a profile, for example "Owasp_top10", selects that profile for the scan. w3af has been designed for granular control over the plugins: even when a preconfigured profile is chosen, the plugin selection can still be adjusted before starting the scan. Without Internet access, running scans can be a trial-and-error exercise. Below the plugin selection window is a separate set of plugins; these are the reporting (output) plugins. All reports are written to the /root/ folder.
For this guide, the Owasp_top10 profile was chosen; however, the discovery plugins have been turned off for now, and HTML reporting has been enabled.
Enter a target site. In this case, the Metasploitable2 virtual machine was selected. Click the Start button.
The results of the scan above are limited because of the small number of plugins enabled. To view the results in the HTML format that was selected, open Iceweasel and browse to: file:///root/results.html.
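The same scan can be driven without the GUI. The following POSIX shell script is an added example and is not part of the original post or the w3af project: it writes a w3af console script that mirrors the steps above (load the OWASP_TOP10 profile, keep only the HTML output plugin, point it at /root/results.html, set the target, start), checks for Internet reachability first because plugins that cannot fetch their updates produce failures, and only runs `w3af_console` when a target is supplied. The probe URL, the script path and the target are assumptions chosen for this example; the profile name `OWASP_TOP10` is assumed to match the GUI's "Owasp_top10" entry.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a w3af console
# script equivalent to the GUI walkthrough and runs it only when asked.

# Assumed values; override via environment if needed.
PROBE_URL="${PROBE_URL:-https://example.com/}"          # used only to test Internet access
REPORT_FILE="${REPORT_FILE:-/root/results.html}"        # same location the GUI writes to
SCRIPT_FILE="${SCRIPT_FILE:-/tmp/owasp_top10.w3af}"     # where the console script is saved

# Print a w3af console script for the given target URL.
# $1 = target URL, $2 = report output path
make_w3af_script() {
    printf '%s\n' \
        "profiles" \
        "use OWASP_TOP10" \
        "back" \
        "plugins" \
        "crawl !all" \
        "output !all" \
        "output html_file" \
        "output config html_file" \
        "set output_file $2" \
        "back" \
        "back" \
        "target" \
        "set target $1" \
        "back" \
        "start" \
        "exit"
}

# Return 0 if the probe URL is reachable, 1 otherwise.
check_internet() {
    curl -fsI --max-time 5 "$1" >/dev/null 2>&1
}

# Write the script, verify connectivity, then hand it to w3af_console.
run_scan() {
    target="$1"
    make_w3af_script "$target" "$REPORT_FILE" > "$SCRIPT_FILE"
    if ! check_internet "$PROBE_URL"; then
        echo "No Internet access: plugin updates will fail, aborting." >&2
        return 1
    fi
    command -v w3af_console >/dev/null 2>&1 || {
        echo "w3af_console not found in PATH" >&2
        return 1
    }
    w3af_console -s "$SCRIPT_FILE"
    [ -f "$REPORT_FILE" ] && echo "Report written to $REPORT_FILE"
}

# Only run a scan when a target is supplied, e.g.:
#   W3AF_TARGET=http://192.0.2.10/ sh scan.sh
if [ -n "${W3AF_TARGET:-}" ]; then
    run_scan "$W3AF_TARGET"
fi
```

Disabling the crawl plugins with `crawl !all` reproduces the "discovery plugins turned off" choice made in the GUI, which is why the resulting report is short; re-enable them for a full crawl once Internet access is confirmed.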
As you have seen, the w3af vulnerability scanner ships with Kali Linux and is used to find web application vulnerabilities.