Well, I still stand by this point. But I have revisited w3af recently, mainly due to an interview with its creator, Andrés Riancho, on Pauldotcom (awesome podcast btw, check it out). Andrés mentioned several points which piqued my interest in w3af again. The first and most important thing for me was that he is perfectly aware of the fact that automatic vulnerability scanning can never substitute for manual testing and that you really shouldn’t solely rely on his tool. The second thing was that they want to integrate manual testing into the framework, so you can have the best of both worlds. This really got my attention, because having a tool which on the one hand allows me to easily automate repetitive tasks (no, I’m not gonna spider the website by hand, nor do I have the time to bruteforce subdirectories manually) but on the other hand still lets me manually poke at the application is exactly what I want to have. w3af wants to be the Metasploit for web applications, and I wholeheartedly support this.
So I got the newest version from SVN and had a second look. First of all, after hearing the podcast, I also started the w3af GUI, and not only the console version. Normally, I don’t like GUIs very much. I hate clicking all those fancy buttons, as you may have guessed from my tools section. That’s why I didn’t use it earlier. In this case, however, it was worth it because there are already features available which are not in the console version. One major surprise was the MITM proxy they are building into the GUI. Finally, an Open Source MITM proxy that is in active development! It doesn’t have all the features the “established” MITM proxies (e.g. WebScarab) have, but it’s making progress and already looks very nice.
So, all in all, I hope this project will continue to improve. I certainly will make my contributions where possible in the limited spare time I have.