Last updated at Wed, 26 Jul 2017 15:05:23 GMT

This is one of those great moments in the life of a project, a moment that I've been dreaming about for a couple of years. We're releasing a new version of w3af, but that's not important. The major achievement is the story behind the release, the effort put in this release by all the contributors, Javier Andalia (our core developer) and Rapid7 (the company that allows all this to happen).

For the first time ithe project's life, we have a roadmap w3af , a prioritized backlog w3af and a structured development process we follow to deliver new features and fixing bugs.

The efforts for this release have been major, some of them haven been really organized like our sprints that started one month ago w3af[3] and some others can be tracked through the SVN logs, like Taras' great improvements of the GUI.

Just to name a few things we've done for this release:

  • We've written new HOWTO documents for our users
  • Considerably improved the speed of all grep plugins
  • Replaced Beautiful Soup by the faster libxml2 library
  • Introduced the usage of XPATH queries that will allow us to improve performance and reduce false positives
  • Fixed hundreds of bugs

On this release you'll also find that after exploiting a vulnerability you can leverage that access using our Web Application Payloads, a feature that we developed together with Lucas Apa from Bonsai Information Security. These payloads allow you to escalate privileges and will help you get from a low privileged vulnerability (e.g. local file read) to a remote code execution. In order to try them, exploit a vulnerability, get any type of shell and then run any of the following commands: help, lsp, payload tcp (the last one will show you the open connections in the remote box).

We still have tons of things to do, but for the first time in the project's life we have a defined process that will make us achieve our objectives.

[2] 1
[3] 2