Web Application Vulnerability Scanners: W3AF – 12.10 xUbuntu Installation

I have been interested in the Web Application Attack and Audit Framework (W3AF) since I first heard about it last summer, 2012. It was unfortunately not the most straight forward installation, it contains a number of dependencies and not something I was willing to invest into. I was also a bit more novice than I am today and didn’t completely understand what I was doing or needed to do. Today things are a bit different and this evening I decided to take another stab at it.

Note: If you run BackTrack 3.0 you’ll find it prepackaged, not sure about earlier versions, so just skip this entire post.

My biggest challenge was that I was trying to install it on a xUbuntu NIX distribution. If you’re not familiar with it, it’s a child of the Ubuntu family as implied by the name, but it’s light weight. By light weight I mean that it comes with the bare necessities only, if you want something on the box you have to install it and that includes all its dependencies. That’s perhaps where I ran into the most issues. Most of the documentation you find, to include what w3af says once installed, states that python 2.6 is required. That, fortunately is not the case. You can definitely get it running with 2.7 and that’s what I’ll provide here.

You can try running it on python 2.6 but you’re likely going to run into an issue installing pybloomfiltermmap, well at least getting the app to recognize it, so best of luck. After messing with it for hours, python 2.7 worked flawlessly and it’s what I would recommend.

So, if you’re running a clean box with minimal components then this will be the post for you. If you run into issues on a more complete install, like Ubuntu, you can always reference this post as it’ll likely help.

Installation and Configuration

If you visit the download page of w3af you’ll see something like this:

If you’re a Linux, BSD or Mac user we recommend you download the source from out GitHub repository:

    git clone https://github.com/andresriancho/w3af.git
    cd w3af

That unfortunately is a highly simplistic explanation of the process. :) There will be a few more things you need to do.

Make sure you install git

# sudo apt-get install git

You’re also going to want to install the Python installer, pip

$ sudo apt-get install python-pip python-dev build-essential 
$ sudo pip install --upgrade pip 
$ sudo pip install --upgrade virtualenv 

You will now need to install all the following:

$ sudo apt-get install python2.7
$ sudo pip install fpconst
$ sudo pip install nltk
$ sudo pip install SOAPpy
$ sudo pip install pyPdf
$ sudo apt-get install libxml2-dev
$ sudo apt-get install libxslt-dev
$ sudo pip install lxml
$ sudo pip install pyopenssl

Download scapy-latest.tar.gz from here http://www.secdev.org/projects/scapy/ and use pip to install it:

$ sudo pip install scapy-latest.tar.gz << this threw a few errors but it seemed to do the trick regardless

You can then proceed with the rest of dependencies:

$ sudo apt-get install python-svn
$ sudo pip install pybloomfiltermmap
$ sudo apt-get install graphviz
$ sudo apt-get install libgraphviz-dev
$ sudo apt-get install libgraphviz
$ sudo apt-get install python-gtk2
$ sudo apt-get install python-gtksourceview2 
$ sudo apt-get install python-scapy

If you have gotten this far then you’re doing pretty good. The next steps should be easy enough:

$ git clone https://github.com/andresriancho/w3af.git
$ cd w3af
$ ./w3af_gui

If it works you’ll see something like this:

Tonyonsecurity - W3AF Splash Page


  1. Mario Peshev on January 28, 2013 at 5:15 pm

    That’s a surprise, it used to work out of the box on my Fedora and BackTrack distros back in 2011. Truly, it’s a great and useful vulnerability scanner.

    • perezbox on January 28, 2013 at 5:58 pm

      Still works on BackTrack out of the box. Not sure about Fedora, but remember I’m running a very clean box with nothing but the essentials. Amazing what you forget you need.

  2. perezbox on January 30, 2013 at 5:12 pm

    This is a test

  3. disqus_4uvVjho7HU on April 19, 2013 at 12:45 pm

    First of all I wanted to thank you for the very informative article. I’m relatively new to Linux and was looking to get w3af installed to test some of the web applications my company builds. I was able to get through most of the installation thanks to your instructions, but I’m getting some errors that I was hoping you could help with. When trying to run the w3af installation I get the following:

    Your python installation needs the following modules to run w3af:
    github git.util esmre phply pdfminer concurrent.futures guess_language cluster msgpack ntlm

    After installing any missing operating system packages, use pip to install the remaining modules:
    sudo pip install PyGithub GitPython esmre pdfminer futures guess-language cluster msgpack-python python-ntlm
    sudo pip install -e git+git://github.com/ramen/phply.git#egg=phply

    When I try running the first command (sudo pip install PyGithub GitPython esmre pdfminer futures guess-language cluster msgpack-python python-ntlm) I get the following:

    Downloading PyGithub-1.13.1.tar.gz (1.7MB): 1.7MB downloaded
    Traceback (most recent call last):
    File “/usr/local/lib/python2.7/dist-packages/pip/basecommand.py”, line 139, in main
    status = self.run(options, args)
    File “/usr/local/lib/python2.7/dist-packages/pip/commands/install.py”, line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
    File “/usr/local/lib/python2.7/dist-packages/pip/req.py”, line 1033, in prepare_files
    self.unpack_url(url, location, self.is_download)
    File “/usr/local/lib/python2.7/dist-packages/pip/req.py”, line 1161, in unpack_url
    retval = unpack_http_url(link, location, self.download_cache, self.download_dir)
    File “/usr/local/lib/python2.7/dist-packages/pip/download.py”, line 554, in unpack_http_url
    download_hash = _download_url(resp, link, temp_location)
    File “/usr/local/lib/python2.7/dist-packages/pip/download.py”, line 458, in _download_url
    chunk = resp.read(4096)
    File “/usr/lib/python2.7/socket.py”, line 380, in read
    data = self._sock.recv(left)
    File “/usr/lib/python2.7/httplib.py”, line 561, in read
    s = self.fp.read(amt)
    File “/usr/lib/python2.7/socket.py”, line 380, in read
    data = self._sock.recv(left)
    File “/usr/lib/python2.7/ssl.py”, line 241, in recv
    return self.read(buflen)
    File “/usr/lib/python2.7/ssl.py”, line 160, in read
    return self._sslobj.read(len)
    SSLError: The read operation timed out

    Any help would be greatly appreciated.

  4. Alexander G. Riccio on July 15, 2013 at 11:03 pm

    Thanks! This saved me several hours of fiddling/swearing at my keyboard.

  5. Aleks on July 21, 2013 at 6:55 pm

    “Thanks! This saved me several hours of fiddling/swearing at my keyboard.”

    Damn right, thanks buddy

  6. Joseph Spenner on July 14, 2015 at 3:00 pm

    Great instructions, and it works! I’ve struggled with the “overly simplistic” instructions as well (Has this EVER worked for anyone?). It’s too bad the ‘apt-get install w3f’ doesn’t work, either. The command works, and ~something~ gets installed, but nothing functional.


  7. Joseph Spenner on September 1, 2015 at 7:51 am

    After a few attempts to install, I found a few updates to the instructions worth mentioning:

    1) scapy is a zip file. So, it needs to be downloaded:
    Then installed:
    pip install scapy-x.y.z.zip

    2) Fails:
    pip install pybloomfiltermmap
    apt-get install libssl-dev

    3) Fails:
    apt-get install libffi-dev

    Hope his helps some people!

Leave a Comment