w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
The framework is extended using plugins. For now, think of them as similar to Nessus plugins.
w3af has discovery, audit, evasion, grep and output plugins.
Discovery plugins are used to discover new valid URLs on the site. Examples of discovery plugins are googlespider_plugin, spider_plugin.py and urlfuzzer_plugin.
Evasion plugins are used to try to evade IDSs.
Audit plugins are used to audit the security of a web application. Examples of audit plugins are xss_plugin, sqli_plugin and blindsqli_plugin.
Grep plugins are used to analyze every response that the server returns (no matter what plugin initiated the request) for interesting things. Examples of grep plugins are findcomments_plugin and pathdisclosure_plugin.
Output plugins are used to write the output of other plugins and the framework itself into a convenient format. Examples of output plugins are console_plugin, txtfile_plugin and html_plugin.
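The grep plugin idea described above, as an added sketch that is not w3af's own code or plugin API: every response passes through the same passive checks regardless of which plugin requested it. The function names, the `Finding` type, the regular expressions and the sample responses are all assumptions constructed for illustration; only the check names echo the findcomments and pathdisclosure plugins mentioned on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample responses (not real traffic). "initiator" records which
# hypothetical plugin sent the request; the grep checks never look at it.
SAMPLE_RESPONSES = [
    {"initiator": "spider", "url": "http://example.test/",
     "body": "<html><!-- TODO: remove debug login --><body>Hi</body></html>"},
    {"initiator": "sqli", "url": "http://example.test/item?id=1'",
     "body": "Warning: mysql_fetch_array() in /var/www/html/item.php on line 12"},
    {"initiator": "xss", "url": "http://example.test/search?q=a",
     "body": "<html><body>No results</body></html>"},
]

@dataclass(frozen=True)
class Finding:
    check: str      # name of the passive check that fired
    url: str        # URL whose response contained the evidence
    evidence: str   # matched text

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Absolute filesystem paths under common roots, Unix or Windows style (assumed patterns).
PATH_RE = re.compile(
    r"(?:/(?:var/www|home|usr|opt|srv)/[\w./-]+|[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+)")

def find_comments(url, body):
    """Report non-empty HTML comments left in the response body."""
    return [Finding("findcomments", url, c.strip())
            for c in COMMENT_RE.findall(body) if c.strip()]

def path_disclosure(url, body):
    """Report server filesystem paths leaked in the response body."""
    return [Finding("pathdisclosure", url, p)
            for p in sorted(set(PATH_RE.findall(body)))]

GREP_CHECKS = [find_comments, path_disclosure]

def grep_all(responses):
    """Run every passive check over every response, whoever initiated it."""
    findings = []
    for resp in responses:
        for check in GREP_CHECKS:
            findings.extend(check(resp["url"], resp["body"]))
    return findings

if __name__ == "__main__":
    for f in grep_all(SAMPLE_RESPONSES):
        print(f"[{f.check}] {f.url}: {f.evidence}")
```
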