Web application security scanners

Tools

Arachni (web application scanner)

penetration testing, security assessment, web application analysis

Arachni is a web application security scanner aimed at helping users evaluate the security of web applications.

CMSeeK (CMS detection and exploitation)

penetration testing, software exploitation, software identification, vulnerability scanning

CMSeeK is a security scanner for content management systems (CMS). It can perform a wide range of functions starting from the detection of the CMS, up to vulnerability scanning. The tool claims to support over 100 different CMS tools, with extensive support for the commonly used ones like Drupal, Joomla, and WordPress.

The scans performed by CMSeeK include version detection. It can also do enumeration of users, plugins, and themes. This might be useful to see what users o...

JoomScan (vulnerability scanner for Joomla CMS)

vulnerability scanning, vulnerability testing

JoomScan could be used to test your Joomla installation or during security assessments. As it has a primary focus on Joomla, it may provide better results than generic vulnerability scanners.

SQLMate (a friend of SQLMap with additional features)

penetration testing, web application analysis

SQLMate is a tool to perform security and vulnerability assessments of web applications. It can discover admin panels of websites, which might be a way to break into a web application. It also has an option for dorking, which means it can find targets that are possibly vulnerable to a particular attack.

w3af (web application attack and audit framework)

application security, application testing, penetration testing, vulnerability scanning, web application analysis

W3af is an open source web application attack and audit framework that helps in scanning for vulnerabilities. The tool comes with both a graphical user interface (GUI) and a command-line utility. Some of the project files include a copyright line of 2006. That gives a good idea of the maturity of the project, and it is one of the rare tools that is still maintained after so many years.

Wfuzz (web application fuzzer)

application fuzzing, application security, application testing, web application analysis

Wfuzz is a fuzzing tool written in Python. Tools like Wfuzz are typically used to test web applications and how they handle both expected and unexpected input.

Wordstress (white-box scanner for WordPress installations)

application security, vulnerability scanning, web application analysis

WordPress is a popular choice among content management systems (CMS). Powering many websites and blogs, it is also a popular target. So regular updates and security testing can help to reduce the risk. WordStress can help with this testing.

XSSER (Cross-site scripting scanner)

penetration testing, security assessment, web application analysis

XSSER helps to get from XSS to Remote Code Execution (RCE). It provides custom tools and payloads integrated with Metasploit's Meterpreter. The goal is to automate as much as possible.

Yasuo (vulnerability scanner for web applications)

penetration testing, vulnerability scanning, web application analysis

Yasuo is a Ruby script that scans for vulnerable and exploitable third-party web applications. There are many remotely exploitable vulnerabilities for web applications and their front-end components. Yasuo makes it easier to scan for weaknesses like remote code execution (RCE), SQL injections, and file inclusions.

ZAP (web application analysis)

penetration testing, security assessment, software testing, web application analysis

The OWASP Zed Attack Proxy (ZAP) helps to find security vulnerabilities in web applications during development and testing.

Highlighted tools based on their strengths

Some of the web application security scanners have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.

» True specialist = ZAP
