Web Application Vulnerability Scanners: W3AF – 12.10 xUbuntu Installation

I have been interested in the Web Application Attack and Audit Framework (W3AF) since I first heard about it last summer, 2012. It was unfortunately not the most straightforward installation; it contains a number of dependencies and was not something I was willing to invest in. I was also a bit more of a novice than I am today and didn’t completely understand what I was doing or needed to do. Today things are a bit different, and this evening I decided to take another stab at it.

Note: If you run BackTrack 3.0 you’ll find it prepackaged (not sure about earlier versions), so just skip this entire post.

My biggest challenge was that I was trying to install it on an xUbuntu NIX distribution. If you’re not familiar with it, it’s a child of the Ubuntu family, as implied by the name, but it’s lightweight. By lightweight I mean that it comes with the bare necessities only; if you want something on the box you have to install it, and that includes all its dependencies. That’s perhaps where I ran into the most issues. Most of the documentation you find, including what w3af says once installed, states that Python 2.6 is required. That, fortunately, is not the case. You can definitely get it running with 2.7, and that’s what I’ll provide here.

You can try running it on Python 2.6, but you’re likely going to run into an issue installing pybloomfiltermmap, or at least getting the app to recognize it, so best of luck. After messing with it for hours, Python 2.7 worked flawlessly and it’s what I would recommend.

So, if you’re running a clean box with minimal components then this will be the post for you. If you run into issues on a more complete install, like Ubuntu, you can always reference this post as it’ll likely help.

Installation and Configuration

If you visit the download page of w3af you’ll see something like this:

If you’re a Linux, BSD or Mac user we recommend you download the source from our GitHub repository:

    git clone https://github.com/andresriancho/w3af.git
    cd w3af

That, unfortunately, is a highly simplified explanation of the process. :) There will be a few more things you need to do.

Make sure you install git:

$ sudo apt-get install git

You’re also going to want to install the Python package installer, pip:

$ sudo apt-get install python-pip python-dev build-essential
$ sudo pip install --upgrade pip
$ sudo pip install --upgrade virtualenv

You will now need to install all the following:

$ sudo apt-get install python2.7
$ sudo pip install fpconst
$ sudo pip install nltk
$ sudo pip install SOAPpy
$ sudo pip install pyPdf
$ sudo apt-get install libxml2-dev
$ sudo apt-get install libxslt-dev
$ sudo pip install lxml
$ sudo pip install pyopenssl

Download scapy-latest.tar.gz from here http://www.secdev.org/projects/scapy/ and use pip to install it:

$ sudo pip install scapy-latest.tar.gz   # this threw a few errors but it seemed to do the trick regardless

You can then proceed with the rest of the dependencies:

$ sudo apt-get install python-svn
$ sudo pip install pybloomfiltermmap
$ sudo apt-get install graphviz
$ sudo apt-get install libgraphviz-dev
$ sudo apt-get install libgraphviz
$ sudo apt-get install python-gtk2
$ sudo apt-get install python-gtksourceview2 
$ sudo apt-get install python-scapy

If you have gotten this far then you’re doing pretty well. The next steps should be easy enough:

$ git clone https://github.com/andresriancho/w3af.git
$ cd w3af
$ ./w3af_gui

If it works you’ll see something like this:

[Screenshot: W3AF splash page]
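
An added example, not part of the original post: a preflight check to run with the same interpreter that will launch w3af, reporting which of the modules installed above it cannot import and the command from this post that provides each one. The import names (for example OpenSSL for pyopenssl, pysvn for python-svn, pybloomfilter for pybloomfiltermmap) and the file name check_w3af_deps.py are assumptions.

```python
from __future__ import print_function
import importlib
import sys

# (import name, install command from the post). The import names are
# assumptions about what each package provides on your box.
DEPENDENCIES = [
    ("fpconst", "sudo pip install fpconst"),
    ("nltk", "sudo pip install nltk"),
    ("SOAPpy", "sudo pip install SOAPpy"),
    ("pyPdf", "sudo pip install pyPdf"),
    ("lxml", "sudo pip install lxml"),
    ("OpenSSL", "sudo pip install pyopenssl"),
    ("scapy", "sudo apt-get install python-scapy"),
    ("pysvn", "sudo apt-get install python-svn"),
    ("pybloomfilter", "sudo pip install pybloomfiltermmap"),
    ("gtk", "sudo apt-get install python-gtk2"),
    ("gtksourceview2", "sudo apt-get install python-gtksourceview2"),
]

def interpreter_ok(version_info=sys.version_info):
    """True only for Python 2.7, the version the post got working."""
    return tuple(version_info[:2]) == (2, 7)

def missing_dependencies(importer=importlib.import_module, deps=DEPENDENCIES):
    """Return [(module, install_cmd, error)] for modules that fail to import."""
    missing = []
    for module, install_cmd in deps:
        try:
            importer(module)
        except Exception as exc:  # ImportError, or a broken C extension
            missing.append((module, install_cmd, str(exc)))
    return missing

def main():
    if not interpreter_ok():
        print("warning: running %d.%d, the post used 2.7" % sys.version_info[:2])
    problems = missing_dependencies()
    for module, install_cmd, error in problems:
        print("MISSING %-15s (%s)\n    fix: %s" % (module, error, install_cmd))
    print("%d of %d modules importable" % (len(DEPENDENCIES) - len(problems), len(DEPENDENCIES)))
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as python2.7 check_w3af_deps.py before ./w3af_gui; a non-zero exit status means at least one module is missing for that interpreter.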