I'm thrilled to announce that we're releasing w3af version 1.0-rc4 and that it offers users many great new features. But, I'm even more excited to say that the release isn't the big news. The major achievement is the story behind the release and the effort put in by our contributors, our core developer Javier Andalia, and Rapid7, the sponsor who makes it all happen. For the first time in the w3af project's life, we have a roadmap , a prioritized backlog and a structured development process we follow to deliver new features and fixing bugs.

The effort that went into this release was major. After introducing the SCRUM methodology to our development process a month ago, we've successfully completed two sprints (sprint 1, sprint 2). You can also view some of our previous achievements in the SVN logs, such as Taras' great GUI improvements.

For this release, we have:

  • Created “how-to” documents for our users
  • Accelerated the performance of all grep plug-ins
  • Replaced Beautiful Soup with the faster libxml2 library
  • Introduced the usage of XPATH queries that will enable us to improve performance and reduce false positives
  • Fixed hundreds of bugs

The new version also enables you to leverage Web application payloads after exploiting a vulnerability to escalate privileges, for example from a local file read to a remote code execution. This development was led by Lucas Apa from Bonsai Information Security. To try the new feature, exploit a vulnerability, get a shell, and run one of the following commands: help, lsp, or payload tcp. The latter one displays open TCP connections  on the remote box.

We still have tons of things to do, but for the first time in the project's life we have a defined process that will help us to achieve our objectives faster and with more certainty.